doc: document dns.opcode keyword

author Jason Ish <jason.ish@oisf.net>

Mon, 16 Sep 2019 20:46:15 +0000 (14:46 -0600)

committer Jason Ish <jason.ish@oisf.net>

Mon, 16 Sep 2019 20:48:23 +0000 (14:48 -0600)
author Jason Ish <jason.ish@oisf.net>
Mon, 16 Sep 2019 20:46:15 +0000 (14:46 -0600)
committer Jason Ish <jason.ish@oisf.net>
Mon, 16 Sep 2019 20:48:23 +0000 (14:48 -0600)
diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst

index 675d8ea5e13bdba72f3e53c8e5a5c489cc206b88..1a1593e0e979cdde4181bf7ab892556113983053 100644 (file)
--- a/doc/userguide/rules/dns-keywords.rst
+++ b/doc/userguide/rules/dns-keywords.rst
@@ -6,6 +6,29 @@ content modifiers, please visit the page :doc:`payload-keywords` These
  ones make sure the signature checks a specific part of the
  network-traffic.
  
+dns.opcode
+----------
+
+This keyword matches on the **opcode** found in the DNS header flags.
+
+Syntax
+~~~~~~
+
+::
+
+   dns.opcode:[!]<number>
+
+Examples
+~~~~~~~~
+
+Match on DNS requests and responses with **opcode** 4::
+
+  dns.opcode:4;
+
+Match on DNS requests whre the **opcode** is NOT 0::
+
+  dns.opcode:!0;
+
  dns.query
  ---------
author	Jason Ish <jason.ish@oisf.net>
	Mon, 16 Sep 2019 20:46:15 +0000 (14:46 -0600)
committer	Jason Ish <jason.ish@oisf.net>
	Mon, 16 Sep 2019 20:48:23 +0000 (14:48 -0600)