Actually, let's first discuss what data sources you have, as the rule you are trying to build will need information from an IPS device.
This assumes that your IPS is capable of detecting the attack.
Otherwise you will need another method involving multiple sources.
Let me know so we could discuss it.
Thanks for responding.
Please consider that we don't have an IPS as one of the data sources. What I would like to do is write a generic correlation rule for traffic to Linux systems only.
Is there a way we can perform this?
As of now you can detect it either by running a VA scan on all Unix-based machines and finding out whether those machines have the following vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187) or, as suggested by Alexander, by using an IPS and detecting the same set of vulnerabilities (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186 and CVE-2014-7187).
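As an added example (not from any poster in this thread) of the multi-source approach Alexander alludes to when no IPS feed exists: the rule joins a VA scan result with an asset inventory to keep only Unix hosts carrying one of the CVEs listed above, then fires only when a web access log line for such a host carries the Bash function-definition prefix those CVEs depend on. The inventory, scan output and log lines are constructed, and the simple "host method path user-agent" log shape is an assumption for the example.

```python
import re
from typing import Dict, List, Set

# The Shellshock-family CVEs named in the thread.
SHELLSHOCK_CVES = {"CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278",
                   "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187"}

# Every variant of these bugs starts with a Bash function definition "() {"
# placed into an environment variable, so that prefix in an HTTP header
# (user-agent, cookie, referer) is the usual network-level indicator.
SIGNATURE = re.compile(r"\(\)\s*\{")

# Constructed asset inventory (hypothetical CMDB export): host -> OS family.
INVENTORY: Dict[str, str] = {"web01": "linux", "web02": "linux", "win01": "windows"}

# Constructed VA scan output: host -> CVE ids the scanner reported.
VA_FINDINGS: Dict[str, Set[str]] = {
    "web01": {"CVE-2014-6271", "CVE-2014-7169"},
    "web02": set(),
    "win01": {"CVE-2014-6271"},   # scanner noise on a non-Unix host
}

# Constructed access log lines: "<host> <method> <path> <user-agent>".
ACCESS_LOG: List[str] = [
    'web01 GET /cgi-bin/status.sh "() { :; }; /bin/echo probe"',
    'web02 GET /cgi-bin/status.sh "() { :; }; /bin/echo probe"',
    'win01 GET /index.html "() { :; }; /bin/echo probe"',
    'web01 GET /index.html "Mozilla/5.0"',
]


def vulnerable_unix_hosts(inventory: Dict[str, str],
                          findings: Dict[str, Set[str]]) -> Set[str]:
    """Stage 1: Unix-family hosts the VA scan flagged with a listed CVE."""
    return {host for host, cves in findings.items()
            if inventory.get(host) in ("linux", "unix") and cves & SHELLSHOCK_CVES}


def correlate(inventory: Dict[str, str], findings: Dict[str, Set[str]],
              log_lines: List[str]) -> List[dict]:
    """Stage 2: alert only when a request carrying the signature reaches an
    at-risk host; hits against patched or non-Unix hosts are dropped."""
    at_risk = vulnerable_unix_hosts(inventory, findings)
    alerts = []
    for line in log_lines:
        host, _, rest = line.partition(" ")
        if host in at_risk and SIGNATURE.search(rest):
            alerts.append({"host": host,
                           "cves": sorted(findings[host] & SHELLSHOCK_CVES),
                           "line": line})
    return alerts
```

Run against the constructed data this yields a single alert for web01; web02 is scanned clean and win01 is not a Unix host, so both signature hits against them are suppressed.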