There is a critical 0-Day exploit for Exchange already being exploited, which is pretty much the same as the "ProxyShell" vulnerability in March.
How can I check if the mitigation is already working with Snort or IPS rules?
There is also written (see "Temporary containment measures") how to create a rewrite rule to address the vulnerability, until a patch becomes available.
You should monitor closely your Exchange with a XDR solution for compromise. Currently there is too much fog around this attacks.
TrendMicro has already their signatures adjusted since 2 days, I could imagine Snort has too, but where to look for?
You can search the IPS database in the webadmin. All signatures are there.
The question is, will IPS pick up the attack or not.
as Sophos X Ops team is also referring to the article and mitigation I posted it seems the rewrite rule should be the 1st line of defense, and everybody should have this done.
That does not answer my question regarding Snort. How could I check those?
I would start to monitor the exchange with XDR tools for IoCs and unusual activities.
You can see all signatures here: