@ -176,3 +176,24 @@ resource name, for example "www.suricata.io".
``dns.query.name`` supports :doc:`multi-buffer-matching`.
``dns.query.name`` was introduced in Suricata 8.0.0.
dns.response
------------
``dns.response`` is a sticky buffer that is used to look at all name and
rdata fields of DNS response (answer) resource records. It supports
inspecting all DNS response sections. Example::
alert dns any any -> any any (msg:"Test dns.response option"; dns.response; content:"google"; nocase; sid:1;)
rdata field matching supports a subset of types that contain
domain name structured data, for example: "www.suricata.io".
The list of types inspected is:
CNAME, PTR, MX, NS, SOA (mname data: primary name server).
The buffer being matched on contains the complete re-assembled
resource name, for example "www.suricata.io".
``dns.response`` supports :doc:`multi-buffer-matching`.
``dns.response`` was introduced in Suricata 8.0.0.
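Review bot: the opening sentence of the ``dns.response`` section is inconsistent with the sentence that follows it: "rdata fields of DNS response (answer) resource records" reads as if only the answer section is inspected, while the next sentence says "It supports inspecting all DNS response sections." If the buffer really covers every section of the response, drop the "(answer)" qualifier, or spell the sections out explicitly so rule writers know which records a ``content`` match can hit; a related point applies to the type list ("CNAME, PTR, MX, NS, SOA (mname data: primary name server)"), which would be clearer if it stated that records of any other type (for example A/AAAA) are skipped for rdata matching rather than being matched as raw bytes. Also worth a sentence: the example rule ``content:"google"; nocase;`` is a substring match over every name and rdata buffer in the response, so it fires on any owner name or target that merely contains "google"; a short note that the buffer holds the full re-assembled name (as the later paragraph says) and that the match is not anchored would set expectations for the false-positive rate of rules written this way.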