|
|
|
|
@ -6,22 +6,23 @@ content modifiers, please visit the page :doc:`payload-keywords` These
|
|
|
|
|
ones make sure the signature checks a specific part of the
|
|
|
|
|
network-traffic.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
dns_query
|
|
|
|
|
dns.query
|
|
|
|
|
---------
|
|
|
|
|
|
|
|
|
|
With **dns_query** the DNS request queries are inspected. The dns_query
|
|
|
|
|
With **dns.query** the DNS request queries are inspected. The dns.query
|
|
|
|
|
keyword works a bit different from the normal content modifiers. When
|
|
|
|
|
used in a rule all contents following it are affected by it. Example:
|
|
|
|
|
|
|
|
|
|
alert dns any any -> any any (msg:"Test dns_query option";
|
|
|
|
|
dns_query; content:"google"; nocase; sid:1;)
|
|
|
|
|
alert dns any any -> any any (msg:"Test dns.query option";
|
|
|
|
|
dns.query; content:"google"; nocase; sid:1;)
|
|
|
|
|
|
|
|
|
|
.. image:: dns-keywords/dns_query.png
|
|
|
|
|
|
|
|
|
|
The dns_query keyword affects all following contents, until pkt_data
|
|
|
|
|
The **dns.query** keyword affects all following contents, until pkt_data
|
|
|
|
|
is used or it reaches the end of the rule.
|
|
|
|
|
|
|
|
|
|
.. note:: **dns.query** is equivalent to the older **dns_query**.
|
|
|
|
|
|
|
|
|
|
Normalized Buffer
|
|
|
|
|
~~~~~~~~~~~~~~~~~
|
|
|
|
|
|
|
|
|
|
@ -40,6 +41,6 @@ DNS query on the wire (snippet)::
|
|
|
|
|
|
|
|
|
|
|04|mail|06|google|03|com|00|
|
|
|
|
|
|
|
|
|
|
``dns_query`` buffer::
|
|
|
|
|
``dns.query`` buffer::
|
|
|
|
|
|
|
|
|
|
mail.google.com
|
|
|
|
|
|
Jason Ish
6 years ago