dns: rename dns.response keyword to dns.response.rrname

This is a better name as the keyword is looking at all rrname type
fields in the response.

diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst
index 3f0efe4c8fb6c5a19b1e322073ad502fc0429475..9a88475d6729e31e3e33f7303415250acacf33ec 100644 (file)
--- a/doc/userguide/rules/dns-keywords.rst
+++ b/doc/userguide/rules/dns-keywords.rst
@@ -177,23 +177,30 @@ resource name, for example "www.suricata.io".
 
 ``dns.query.name`` was introduced in Suricata 8.0.0.
 
-dns.response
-------------
+dns.response.rrname
+-------------------
 
-``dns.response`` is a sticky buffer that is used to look at all name and 
-rdata fields of DNS response (answer) resource records. It supports 
-inspecting all DNS response sections. Example::
+``dns.response.rrname`` is a sticky buffer that is used to look at all name
+and rdata fields of DNS response (answer) resource records that are
+represented as a resource name (hostname). It supports inspecting all
+DNS response sections. Example::
 
-  alert dns any any -> any any (msg:"Test dns.response option"; dns.response; content:"google"; nocase; sid:1;)
+  alert dns any any -> any any (msg:"Test dns.response.rrname option"; \
+      dns.response.rrname; content:"google"; nocase; sid:1;)
 
-rdata field matching supports a subset of types that contain 
-domain name structured data, for example: "www.suricata.io". 
-The list of types inspected is: 
-CNAME, PTR, MX, NS, SOA (mname data: primary name server).  
+``rdata`` field matching supports a subset of types that contain
+domain name structured data, for example: "www.suricata.io".  The list
+of types inspected is:
+
+* CNAME
+* PTR
+* MX
+* NS
+* SOA (mname data: primary name server)
 
 The buffer being matched on contains the complete re-assembled
 resource name, for example "www.suricata.io".
 
-``dns.response`` supports :doc:`multi-buffer-matching`.
+``dns.response.rrname`` supports :doc:`multi-buffer-matching`.
 
-``dns.response`` was introduced in Suricata 8.0.0.
+``dns.response.rrname`` was introduced in Suricata 8.0.0.

diff --git a/src/detect-dns-response.c b/src/detect-dns-response.c
index ab544f89da253dcc40e64d9efa139548be3664e6..d15fb94280ced6c7b88b74d26b50b4d7a3a2b7b7 100644 (file)
--- a/src/detect-dns-response.c
+++ b/src/detect-dns-response.c
@@ -18,7 +18,7 @@
 /**
  * \file
  *
- * Detect keyword for DNS response: dns.response
+ * Detect keyword for DNS response: dns.response.rrname
  */
 
 #include "detect.h"
@@ -311,10 +311,10 @@ static int DetectDnsResponsePrefilterMpmRegister(DetectEngineCtx *de_ctx, SigGro
 
 void DetectDnsResponseRegister(void)
 {
-    static const char *keyword = "dns.response";
+    static const char *keyword = "dns.response.rrname";
     sigmatch_table[DETECT_DNS_RESPONSE].name = keyword;
     sigmatch_table[DETECT_DNS_RESPONSE].desc = "DNS response sticky buffer";
-    sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response";
+    sigmatch_table[DETECT_DNS_RESPONSE].url = "/rules/dns-keywords.html#dns-response-rrname";
     sigmatch_table[DETECT_DNS_RESPONSE].Setup = DetectSetup;
 #ifdef UNITTESTS
     sigmatch_table[DETECT_DNS_RESPONSE].RegisterTests = DetectDnsResponseRegisterTests;
@@ -328,7 +328,7 @@ void DetectDnsResponseRegister(void)
     DetectAppLayerMpmRegister(keyword, SIG_FLAG_TOCLIENT, 2, DetectDnsResponsePrefilterMpmRegister,
             NULL, ALPROTO_DNS, 1);
 
-    DetectBufferTypeSetDescriptionByName(keyword, "dns response");
+    DetectBufferTypeSetDescriptionByName(keyword, "dns response rrname");
     DetectBufferTypeSupportsMultiInstance(keyword);
 
     detect_buffer_id = DetectBufferTypeGetByName(keyword);
@@ -409,9 +409,10 @@ static int DetectDnsResponseTest01(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response query name match\"; "
-                                      "dns.response; content:\"google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response query name match\"; "
+            "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
 
     SigGroupBuild(de_ctx);
@@ -519,9 +520,10 @@ static int DetectDnsResponseTest02(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response answer name match\"; "
-                                      "dns.response; content:\"google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response answer name match\"; "
+            "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -680,9 +682,10 @@ static int DetectDnsResponseTest03(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response authority name match\"; "
-                                      "dns.response; content:\"google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response authority name match\"; "
+            "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -816,9 +819,10 @@ static int DetectDnsResponseTest04(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response additional name match\"; "
-                                      "dns.response; content:\"ns1.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response additional name match\"; "
+            "dns.response.rrname; content:\"ns1.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -1002,9 +1006,10 @@ static int DetectDnsResponseTest05(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response answer data match\"; "
-                                      "dns.response; content:\"mail.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response answer data match\"; "
+            "dns.response.rrname; content:\"mail.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -1143,9 +1148,10 @@ static int DetectDnsResponseTest06(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response 2nd answer data match\"; "
-                                      "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response 2nd answer data match\"; "
+            "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -1294,9 +1300,10 @@ static int DetectDnsResponseTest07(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response authority data match\"; "
-                                      "dns.response; content:\"ns1.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response authority data match\"; "
+            "dns.response.rrname; content:\"ns1.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -1493,9 +1500,10 @@ static int DetectDnsResponseTest08(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response additional data match\"; "
-                                      "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response additional data match\"; "
+            "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
     SigGroupBuild(de_ctx);
     DetectEngineThreadCtxInit(&tv, (void *)de_ctx, (void *)&det_ctx);
@@ -1593,9 +1601,10 @@ static int DetectDnsResponseTest09(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response query name match tcp\"; "
-                                      "dns.response; content:\"google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response query name match tcp\"; "
+            "dns.response.rrname; content:\"google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
 
     SigGroupBuild(de_ctx);
@@ -1776,13 +1785,15 @@ static int DetectDnsResponseTest10(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response multi tx answer match\"; "
-                                      "dns.response; content:\"mail.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response multi tx answer match\"; "
+            "dns.response.rrname; content:\"mail.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response multi tx additional match\"; "
-                                      "dns.response; content:\"ns2.google.com\"; nocase; sid:2;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response multi tx additional match\"; "
+            "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:2;)");
     FAIL_IF_NULL(s);
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns response multi tx additional match\"; "
@@ -2033,12 +2044,12 @@ static int DetectDnsResponseTest11(void)
 
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns response pcre match\"; "
-                                      "dns.response; content:\"google\"; nocase; "
+                                      "dns.response.rrname; content:\"google\"; nocase; "
                                       "pcre:\"/ns2\\.google\\.com$/i\"; sid:1;)");
     FAIL_IF_NULL(s);
     s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
                                       "(msg:\"Test dns response pcre match\"; "
-                                      "dns.response; content:\"google\"; nocase; "
+                                      "dns.response.rrname; content:\"google\"; nocase; "
                                       "pcre:\"/^\\.[a-z]{2,3}$/iR\"; sid:2;)");
     FAIL_IF_NULL(s);
 
@@ -2144,9 +2155,10 @@ static int DetectDnsResponseTest12(void)
     de_ctx->mpm_matcher = mpm_default_matcher;
     de_ctx->flags |= DE_QUIET;
 
-    s = DetectEngineAppendSig(de_ctx, "alert dns any any -> any any "
-                                      "(msg:\"Test dns response additional name match\"; "
-                                      "dns.response; content:\"ns2.google.com\"; nocase; sid:1;)");
+    s = DetectEngineAppendSig(de_ctx,
+            "alert dns any any -> any any "
+            "(msg:\"Test dns response additional name match\"; "
+            "dns.response.rrname; content:\"ns2.google.com\"; nocase; sid:1;)");
     FAIL_IF_NULL(s);
 
     SigGroupBuild(de_ctx);
@@ -2182,7 +2194,7 @@ static int DetectDnsResponseTest12(void)
 }
 
 /**
- * \test Verify transform applies to dns.response sticky buffer.
+ * \test Verify transform applies to dns.response.rrname sticky buffer.
  * Test using "to_uppercase". ns2.google.com response matching
  * 2nd additional section name field.
  */
@@ -2254,7 +2266,7 @@ static int DetectDnsResponseTest13(void)
     s = DetectEngineAppendSig(de_ctx,
             "alert dns any any -> any any "
             "(msg:\"Test dns response additional name match with transform\"; "
-            "dns.response; to_uppercase; content:\"NS2.GOOGLE.COM\"; sid:1;)");
+            "dns.response.rrname; to_uppercase; content:\"NS2.GOOGLE.COM\"; sid:1;)");
     FAIL_IF_NULL(s);
 
     SigGroupBuild(de_ctx);