From daed788d49f404400f6c0e48bb189b88fd94649d Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Mon, 16 Sep 2019 14:39:42 -0600 Subject: [PATCH] doc: Replace dns_query with dns.query. --- doc/userguide/rules/dns-keywords.rst | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst index 8149cebda5..675d8ea5e1 100644 --- a/doc/userguide/rules/dns-keywords.rst +++ b/doc/userguide/rules/dns-keywords.rst @@ -6,22 +6,23 @@ content modifiers, please visit the page :doc:`payload-keywords` These ones make sure the signature checks a specific part of the network-traffic. - -dns_query +dns.query --------- -With **dns_query** the DNS request queries are inspected. The dns_query +With **dns.query** the DNS request queries are inspected. The dns.query keyword works a bit different from the normal content modifiers. When used in a rule all contents following it are affected by it. Example: - alert dns any any -> any any (msg:"Test dns_query option"; - dns_query; content:"google"; nocase; sid:1;) + alert dns any any -> any any (msg:"Test dns.query option"; + dns.query; content:"google"; nocase; sid:1;) .. image:: dns-keywords/dns_query.png -The dns_query keyword affects all following contents, until pkt_data +The **dns.query** keyword affects all following contents, until pkt_data is used or it reaches the end of the rule. +.. note:: **dns.query** is equivalent to the older **dns_query**. + Normalized Buffer ~~~~~~~~~~~~~~~~~ @@ -40,6 +41,6 @@ DNS query on the wire (snippet):: |04|mail|06|google|03|com|00| -``dns_query`` buffer:: +``dns.query`` buffer:: mail.google.com
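Review bot: In the first hunk (@@ -6,22 +6,23 @@), the added ".. note::" states that dns.query is equivalent to the older dns_query but does not say from which release dns.query is accepted or whether dns_query is deprecated, so someone maintaining rules across sensors on different versions cannot tell which spelling is safe to deploy. Suggest extending the note with the release that introduced dns.query and the status of dns_query. The unchanged ".. image:: dns-keywords/dns_query.png" line is also worth checking: if that screenshot shows the rule text, it will still display the old keyword next to the updated example.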
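Review bot: In the second hunk (@@ -40,6 +41,6 @@), the keyword is marked up as a literal in "``dns.query`` buffer::", while the first hunk uses bold in "The **dns.query** keyword affects all following contents" and leaves it unmarked in "The dns.query keyword works a bit different". Suggest one markup for keyword names throughout the page, preferably the literal form already used here, so the rendered text is consistent and the keyword is easy to copy into a rule.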