path: root/doc/userguide/rules/dns-keywords.rst
DNS Keywords
============

This page describes some more content modifiers. (If you are unfamiliar with
content modifiers, please visit the page :doc:`payload-keywords`.) These
ones make sure the signature inspects a specific part of the DNS
traffic rather than the raw packet payload.

dns.opcode
----------

This keyword matches on the **opcode** found in the DNS header flags.

Syntax
~~~~~~

::

   dns.opcode:[!]<number>

Examples
~~~~~~~~

Match on DNS requests and responses with **opcode** 4::

  dns.opcode:4;

Match on DNS requests where the **opcode** is NOT 0::

  dns.opcode:!0;

dns.query
---------

With **dns.query** the DNS request queries are inspected. The dns.query
keyword works a bit differently from the normal content modifiers: it is
a sticky buffer. When used in a rule, all contents following it are
matched against the DNS query name instead of the packet payload. Example::

  alert dns any any -> any any (msg:"Test dns.query option"; dns.query; content:"google"; nocase; sid:1;)

.. image:: dns-keywords/dns_query.png

The **dns.query** keyword affects all following contents, until pkt_data
is used or it reaches the end of the rule.

.. note:: **dns.query** is equivalent to the older **dns_query**.

Normalized Buffer
~~~~~~~~~~~~~~~~~

The buffer contains the literal domain name:

-  the <length> label-prefix bytes (as seen in a raw DNS request)
   are replaced by literal '.' characters
-  no leading <length> value
-  no terminating NULL (0x00) byte (use a negated relative ``isdataat``,
   e.g. ``isdataat:!1,relative;`` after a ``content`` match, to anchor
   a match at the end of the name)

Example DNS request for "mail.google.com" (for readability, hex
values are encoded between pipes):

DNS query on the wire (snippet)::

    |04|mail|06|google|03|com|00|

``dns.query`` buffer::

    mail.google.com
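The following is an added example, not code from the Suricata project or
this documentation. It shows, for both the ``dns.opcode`` and the
``dns.query`` sections above, where the matched data actually comes from:
the 4-bit OPCODE field inside the 16-bit header flags word, and the
question name decoded from its length-prefixed labels into the normalized
``dns.query`` form (labels joined by ``.``, no leading length byte, no
trailing 0x00). The DNS messages are constructed inline (the IDs, flags
and ``SAMPLE_*`` names are assumptions made for the example), and the
``match_*`` helpers only emulate the rule options ``dns.opcode:[!]<n>``,
``content`` with ``nocase`` and a trailing ``isdataat:!1,relative``; they
are not Suricata's matching engine.

```python
import struct

# Constructed sample: standard query (opcode 0, RD set) for mail.google.com, A/IN.
# Header = ID 0x1234, flags 0x0100, QDCOUNT 1, ANCOUNT/NSCOUNT/ARCOUNT 0.
SAMPLE_QUERY = (
    b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x04mail\x06google\x03com\x00"   # |04|mail|06|google|03|com|00|
    b"\x00\x01\x00\x01"                # QTYPE A, QCLASS IN
)

# Constructed sample: same question, but flags 0x2000 -> opcode 4 (NOTIFY).
SAMPLE_NOTIFY = b"\x12\x34\x20\x00" + SAMPLE_QUERY[4:]


def dns_opcode(msg: bytes) -> int:
    """Return the OPCODE from the DNS header.

    The flags word is bytes 2..3 of the header; OPCODE occupies bits 1-4
    (just below the QR bit), so shift the QR/OPCODE group down by 11.
    """
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    (flags,) = struct.unpack("!H", msg[2:4])
    return (flags >> 11) & 0x0F


def dns_query_buffer(msg: bytes) -> str:
    """Decode the first question name into the normalized dns.query form.

    Raw wire format is <len>label<len>label...<0x00>; the normalized buffer
    joins the labels with '.', drops the leading length and the final 0x00.
    """
    labels = []
    pos = 12  # first question follows the fixed 12-byte header
    while True:
        if pos >= len(msg):
            raise ValueError("truncated question name")
        length = msg[pos]
        pos += 1
        if length == 0:  # terminating NULL: end of name, not part of the buffer
            break
        if length & 0xC0:  # 11xxxxxx is a compression pointer, not a label length
            raise ValueError("compression pointer in question name not handled")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels)


def match_opcode(msg: bytes, wanted: int, negate: bool = False) -> bool:
    """Emulate dns.opcode:<wanted> (negate=True emulates dns.opcode:!<wanted>)."""
    return (dns_opcode(msg) == wanted) != negate


def content_match(buf: str, pattern: str, nocase: bool = False,
                  at_end: bool = False) -> bool:
    """Emulate content:"<pattern>" on the dns.query buffer.

    nocase=True emulates the nocase option. at_end=True emulates appending
    isdataat:!1,relative; i.e. no byte may follow the match, which is how a
    suffix such as ".com" is anchored since the buffer has no trailing 0x00.
    """
    hay, needle = (buf.lower(), pattern.lower()) if nocase else (buf, pattern)
    if at_end:
        return hay.endswith(needle)
    return needle in hay


if __name__ == "__main__":
    print("opcode of query :", dns_opcode(SAMPLE_QUERY))
    print("opcode of notify:", dns_opcode(SAMPLE_NOTIFY))
    print("dns.query buffer:", dns_query_buffer(SAMPLE_QUERY))
    print("dns.opcode:!0 on query  ->", match_opcode(SAMPLE_QUERY, 0, negate=True))
    print("dns.opcode:!0 on notify ->", match_opcode(SAMPLE_NOTIFY, 0, negate=True))
    buf = dns_query_buffer(SAMPLE_QUERY)
    print('content:"GOOGLE"; nocase; ->', content_match(buf, "GOOGLE", nocase=True))
    print('content:".com"; isdataat:!1,relative; ->',
          content_match(buf, ".com", at_end=True))
```

The ``at_end`` branch is the point of the ``isdataat`` note above: without
anchoring, ``content:".com"`` also matches a query such as
``mail.google.com.example``, because the buffer carries no terminator a
pattern could include.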

Multiple Buffer Matching
~~~~~~~~~~~~~~~~~~~~~~~~

``dns.query`` supports multiple buffer matching, see :doc:`multi-buffer-matching`.