2015-01-29 11:17 AM
Anyone has some rules or alerts to detect this vulnerability?
2015-02-05 09:40 AM
Linuts,
A few members of our Intel and content teams have been chatting about this offline. Bottom line is that we don't have a rule or alert specifically designed to detect this vulnerability. As a general rule we don't develop content for specific vulnerabilities like this, especially when they are not being widely exploited. And in Ghost's case it's not a high-risk area, it's just gotten a lot of media attention.
Additionally, we haven't built specific content because of the fluidity in which the exploits exist and how often they morph. To be effective you'd have to do it for every service that takes an input that gets passed to that function. Issue there being that everyone learns this function in the Stevens book day one and just keeps using it for everything.
If you were going to try to use detection to deal with Ghost, the general consensus with the team was to look for generic detection via funky hosts in the alias.host key. That said, we would recommend focusing on getting patches from the impacted vendors or trying to solve this via your IDS/IPS if possible.
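One way to implement the generic "funky hosts in alias.host" check the reply suggests, as an added example that is not from the original thread or from the vendor's own content: it assumes the alias.host values have been exported as a list of dicts (a constructed sample is embedded) and flags values that break RFC 1123 hostname syntax, such as oversized names or labels, disallowed characters and control bytes.

```python
import re

# RFC 1123 hostname syntax: labels made of letters, digits and hyphens, no leading or
# trailing hyphen, each label at most 63 octets, the whole name at most 253 octets.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_HOSTNAME_LEN = 253
MAX_LABEL_LEN = 63


def hostname_anomalies(host):
    """Return the reasons why `host` does not look like a normal hostname (empty = clean)."""
    reasons = []
    if len(host) > MAX_HOSTNAME_LEN:
        reasons.append("length %d exceeds %d" % (len(host), MAX_HOSTNAME_LEN))
    if any(ord(c) < 32 or ord(c) > 126 for c in host):
        reasons.append("contains control or non-ASCII bytes")
    for label in host.rstrip(".").split("."):
        if label == "":
            reasons.append("empty label")
        elif len(label) > MAX_LABEL_LEN:
            reasons.append("label length %d exceeds %d" % (len(label), MAX_LABEL_LEN))
        elif not LABEL_RE.match(label):
            reasons.append("label %r contains non-hostname characters" % label[:16])
    return reasons


def flag_funky_hosts(records):
    """records: iterable of dicts carrying an 'alias.host' key (export format is an assumption).

    Returns a list of (record id, host, reasons) for every record whose host fails the checks."""
    hits = []
    for rec in records:
        host = rec.get("alias.host")
        if host is None:
            continue
        reasons = hostname_anomalies(host)
        if reasons:
            hits.append((rec.get("id"), host, reasons))
    return hits


# Constructed sample meta records: two ordinary hosts and three malformed ones.
SAMPLE_RECORDS = [
    {"id": 1, "alias.host": "mail.example.com"},
    {"id": 2, "alias.host": "a" * 300},                      # far beyond the 253-octet limit
    {"id": 3, "alias.host": "web01.corp.example.net"},
    {"id": 4, "alias.host": "host\x00name.example.com"},     # embedded control byte
    {"id": 5, "alias.host": "-bad.example.com"},             # label starts with a hyphen
]

if __name__ == "__main__":
    for rec_id, host, reasons in flag_funky_hosts(SAMPLE_RECORDS):
        print(rec_id, repr(host[:40]), "; ".join(reasons))
```

Tune the thresholds to what your environment actually sees before turning the output into an alert; the syntax checks are a starting point, not a signature.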