-alert dns any any -> any any (dns.query.name; content:"suricata.io"; sid:1; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata.io"; sid:1; rev:1;)
alert dns any any -> any any (dns.authorities.rrname; content:"io"; sid:2; rev:1;)
alert dns any any -> any any (dns.additionals.rrname; content:"a0.nic.io"; sid:3; rev:1;)
alert dns any any -> any any (dns.additionals.rrname; content:"c0.nic.io"; sid:4; rev:1;)
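Review bot: `content:"io"` on `dns.authorities.rrname` (sid:2) is an unanchored, case-sensitive substring match, so it also fires on any authority name that merely contains "io" (a name containing "version", for instance); if the intent is the `.io` TLD, `content:".io"; endswith;` pins the match to the end of the name. The rename itself is consistent: after this hunk all four rules use the `dns.<section>.rrname` form, so only sid:1 needed touching.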
-Test the `dns.answer.name` sticky buffer.
+Test the `dns.answers.rrname` sticky buffer.
The PCAP here was a request created with Scapy to include answers in
the request. However the response is from a real DNS server with the
# Should alert in both directions as no flow is provided.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; sid:1; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; sid:1; rev:1;)
# Should only alert in the request direction.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; flow:to_server; sid:2; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_server; sid:2; rev:1;)
# Should only alert in the response direction.
-alert dns any any -> any any (dns.answer.name; content:"oisf"; flow:to_client; sid:3; rev:1;)
+alert dns any any -> any any (dns.answers.rrname; content:"oisf"; flow:to_client; sid:3; rev:1;)
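Review bot: the `flow:to_server` and `flow:to_client` expectations on sid:2 and sid:3 depend on the crafted request being the first packet of the UDP flow, because Suricata derives the flow direction from the first packet it sees; if the capture started with the server's response the two directional alerts would swap. The README should state that the request precedes the response in the pcap so the expected counts are reproducible.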
-Test the `dns.query.name` sticky buffer.
+Test the `dns.queries.rrname` sticky buffer.
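Review bot: the README line only says the buffer is tested; it should also say that `dns.queries.rrname` is populated on responses as well as requests, because the question section is echoed back in the response. That is the property the accompanying `flow:to_client` rule relies on, and a reader of the README cannot otherwise tell why a query-name rule is expected to fire on server traffic.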
# Will alert in both directions as no direction is specified.
-alert dns any any -> any any (dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
# Only alert on requests.
-alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_server; sid:2; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_server; sid:2; rev:1;)
# Only alert on responses.
-alert dns any any -> any any (dns.query.name; content:"suricata"; flow:to_client; sid:3; rev:1;)
+alert dns any any -> any any (dns.queries.rrname; content:"suricata"; flow:to_client; sid:3; rev:1;)
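Review bot: the comment on sid:1 ("no direction is specified") does not explain why a rule without `flow` alerts on both sides: it does so only because the response repeats the question section, which is the behaviour under test and worth saying in the comment. Minor style point: this file says "Only alert on requests." where the answers test says "Should only alert in the request direction."; pick one phrasing for the same expectation across the two rule files.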
Query 2: oisf.net
Query 3: suricata.org
-We match those against a single rule with `dns.query.name` and inspecting
+We match those against a single rule with `dns.queries.rrname` and inspecting
content `suricata`, so the expectation is to have 4 alerts.
## Related issues
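Review bot: the expectation of 4 alerts is stated without its derivation. Query 2 (oisf.net) does not contain `suricata`, so the count only works out if each matching name (query 3, and query 1 if it also contains `suricata`) alerts once on the request and once on the response that echoes the question section; spelling out "matching names times two directions" lets a reader check the number against the pcap. The sentence "a single rule with `dns.queries.rrname` and inspecting content `suricata`" also reads awkwardly; suggest "a single rule that inspects `dns.queries.rrname` for the content `suricata`".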
-alert dns any any -> any any (msg:"DNS suricata query.name"; dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (msg:"DNS suricata query.name"; dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
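Review bot: `msg:"DNS suricata query.name"` still carries the old keyword name while the buffer on the same line is now `dns.queries.rrname`; update the msg alongside the rename (for example `msg:"DNS suricata queries.rrname"`) so the alert text matches the keyword it exercises, otherwise the EVE output of this test keeps naming a keyword that no longer exists.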
Query 2: oisf.net
Query 3: suricata.org
-We match those against a single rule with `dns.query.name` and inspecting
+We match those against a single rule with `dns.queries.rrname` and inspecting
content `suricata`, so the expectation is to have 4 alerts.
## Related issues
-alert dns any any -> any any (msg:"DNS suricata query.name"; dns.query.name; content:"suricata"; sid:1; rev:1;)
+alert dns any any -> any any (msg:"DNS suricata query.name"; dns.queries.rrname; content:"suricata"; sid:1; rev:1;)
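Review bot: this second copy of the rule has the same inconsistency as the first: the `msg` still says "query.name" after the buffer was changed to `dns.queries.rrname`. If both rule files are meant to stay identical, change the msg in both in this same commit.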
alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
- dns.query.name; content: "www.suricata-ids.org"; \
+ dns.queries.rrname; content: "www.suricata-ids.org"; \
lua:rule.lua; sid:1; rev:1;)
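Review bot: `content: "www.suricata-ids.org"` writes a space after the colon while every other rule in this change uses `content:"..."`; Suricata tolerates the space, but the style should be consistent within the test suite. Leaving `msg:"TEST DNS LUA dns.rrname"` unchanged is correct here: it names the Lua-side `dns.rrname` buffer that the script asks for, which is independent of the rule-keyword rename.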
alert dns any any -> any any (msg:"TEST DNS LUA dns.rrname"; \
- dns.query.name; content: "www.suricata-ids.org"; \
+ dns.queries.rrname; content: "www.suricata-ids.org"; \
lua:test-hashing.lua; sid:1; rev:1;)