The vulnerability is in a DCERPC service. The rules must handle all of the differences and neuances of the underlying protocols to limit detection to just the field in question. The hard part is making sure the detection only detects attacks, not benign traffic. The code generator handles all of these permutations for me, allowing me to focus on the specifics of the attack, not the protocol. The end goal of all the rules is to detect attack traffic, while not alerting on benign traffic, in fact its pretty easy.”]
Source: https://blog.talosintelligence.com/2008/10/why-114.html

