doc/userguide: document dns.response

author Nathan Scrivens <nathan.scrivens21@gmail.com>

Tue, 20 Aug 2024 02:45:02 +0000 (22:45 -0400)

committer Victor Julien <victor@inliniac.net>

Wed, 5 Mar 2025 14:59:58 +0000 (15:59 +0100)
author Nathan Scrivens <nathan.scrivens21@gmail.com>
Tue, 20 Aug 2024 02:45:02 +0000 (22:45 -0400)
committer Victor Julien <victor@inliniac.net>
Wed, 5 Mar 2025 14:59:58 +0000 (15:59 +0100)
diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst

index f729250f706e816d48c6db57dcf7f87eadc0883e..3f0efe4c8fb6c5a19b1e322073ad502fc0429475 100644 (file)
--- a/doc/userguide/rules/dns-keywords.rst
+++ b/doc/userguide/rules/dns-keywords.rst
@@ -176,3 +176,24 @@ resource name, for example "www.suricata.io".
  ``dns.query.name`` supports :doc:`multi-buffer-matching`.
  
  ``dns.query.name`` was introduced in Suricata 8.0.0.
+
+dns.response
+------------
+
+``dns.response`` is a sticky buffer that is used to look at all name and 
+rdata fields of DNS response (answer) resource records. It supports 
+inspecting all DNS response sections. Example::
+
+  alert dns any any -> any any (msg:"Test dns.response option"; dns.response; content:"google"; nocase; sid:1;)
+
+rdata field matching supports a subset of types that contain 
+domain name structured data, for example: "www.suricata.io". 
+The list of types inspected is: 
+CNAME, PTR, MX, NS, SOA (mname data: primary name server).  
+
+The buffer being matched on contains the complete re-assembled
+resource name, for example "www.suricata.io".
+
+``dns.response`` supports :doc:`multi-buffer-matching`.
+
+``dns.response`` was introduced in Suricata 8.0.0.
author	Nathan Scrivens <nathan.scrivens21@gmail.com>
	Tue, 20 Aug 2024 02:45:02 +0000 (22:45 -0400)
committer	Victor Julien <victor@inliniac.net>
	Wed, 5 Mar 2025 14:59:58 +0000 (15:59 +0100)