doc/userguide: document that lua dns rules need hooks

And remove the old "keywords" that a lua Rule can register with for
DNS.

diff --git a/doc/userguide/lua/libs/dns.rst b/doc/userguide/lua/libs/dns.rst
index 520697c4d988b2a44fb8d871cdbf390c724e4ff9..ef01907643c920c6112ec1a97542576a0572f436 100644 (file)
--- a/doc/userguide/lua/libs/dns.rst
+++ b/doc/userguide/lua/libs/dns.rst
@@ -1,6 +1,8 @@
 DNS
 ---
 
+.. role:: example-rule-emphasis
+
 DNS transaction details are exposed to Lua scripts with the
 ``suricata.dns`` library, for example::
 
@@ -23,12 +25,18 @@ If you are going to use the script for rule matching, choose one of
 the available DNS buffers listed in :ref:`lua-detection` and follow
 the pattern:
 
-::
+For use in rule matching, the rule must **hook** into a DNS
+transaction state. Available states are ``request_complete`` and
+``response_complete``.  For example:
+
+.. container:: example-rule
+
+  alert dns::example-rule-emphasis:`request_complete` any any -> any any (...
+
+Then to initialize the script::
 
   function init (args)
-     local needs = {}
-     needs["dns.rrname"] = tostring(true)
-     return needs
+     return {}
   end
 
 Transaction

diff --git a/doc/userguide/rules/lua-detection.rst b/doc/userguide/rules/lua-detection.rst
index d47b9e85648a9d9185fbf4cf7836341b95005df5..e70d1f07c35262952bdb224eb17b18b7eae5f6a3 100644 (file)
--- a/doc/userguide/rules/lua-detection.rst
+++ b/doc/userguide/rules/lua-detection.rst
@@ -35,9 +35,6 @@ inspection. Currently the following are available:
 * buffer -- the current sticky buffer
 * stream
 * dnp3
-* dns.request
-* dns.response
-* dns.rrname
 * ssh
 * smtp
 * tls