summaryrefslogtreecommitdiffstats
path: root/doc/userguide/rules/dns-keywords.rst
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-19 17:39:49 +0000
commita0aa2307322cd47bbf416810ac0292925e03be87 (patch)
tree37076262a026c4b48c8a0e84f44ff9187556ca35 /doc/userguide/rules/dns-keywords.rst
parentInitial commit. (diff)
downloadsuricata-a0aa2307322cd47bbf416810ac0292925e03be87.tar.xz
suricata-a0aa2307322cd47bbf416810ac0292925e03be87.zip
Adding upstream version 1:7.0.3.upstream/1%7.0.3
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--doc/userguide/rules/dns-keywords.rst74
1 files changed, 74 insertions, 0 deletions
diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst
new file mode 100644
index 0000000..e62a25d
--- /dev/null
+++ b/doc/userguide/rules/dns-keywords.rst
@@ -0,0 +1,74 @@
+DNS Keywords
+============
+
+There are some more content modifiers (If you are unfamiliar with
+content modifiers, please visit the page :doc:`payload-keywords` These
+ones make sure the signature checks a specific part of the
+network-traffic.
+
+dns.opcode
+----------
+
+This keyword matches on the **opcode** found in the DNS header flags.
+
+Syntax
+~~~~~~
+
+::
+
+ dns.opcode:[!]<number>
+
+Examples
+~~~~~~~~
+
+Match on DNS requests and responses with **opcode** 4::
+
+ dns.opcode:4;
+
+Match on DNS requests where the **opcode** is NOT 0::
+
+ dns.opcode:!0;
+
+dns.query
+---------
+
+With **dns.query** the DNS request queries are inspected. The dns.query
+keyword works a bit different from the normal content modifiers. When
+used in a rule all contents following it are affected by it. Example:
+
+ alert dns any any -> any any (msg:"Test dns.query option";
+ dns.query; content:"google"; nocase; sid:1;)
+
+.. image:: dns-keywords/dns_query.png
+
+The **dns.query** keyword affects all following contents, until pkt_data
+is used or it reaches the end of the rule.
+
+.. note:: **dns.query** is equivalent to the older **dns_query**.
+
+Normalized Buffer
+~~~~~~~~~~~~~~~~~
+
+Buffer contains literal domain name
+
+- <length> values (as seen in a raw DNS request)
+ are literal '.' characters
+- no leading <length> value
+- No terminating NULL (0x00) byte (use a negated relative ``isdataat``
+ to match the end)
+
+Example DNS request for "mail.google.com" (for readability, hex
+values are encoded between pipes):
+
+DNS query on the wire (snippet)::
+
+ |04|mail|06|google|03|com|00|
+
+``dns.query`` buffer::
+
+ mail.google.com
+
+Multiple Buffer Matching
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+``dns.query`` supports multiple buffer matching, see :doc:`multi-buffer-matching`. \ No newline at end of file