From: Jason Ish Date: Mon, 16 Sep 2019 20:46:15 +0000 (-0600) Subject: doc: document dns.opcode keyword X-Git-Tag: suricata-5.0.0-rc1~40 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3e2cc9926a0a1149495c418f531ecbae9ef4c8c;p=thirdparty%2Fsuricata.git doc: document dns.opcode keyword --- diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst index 675d8ea5e1..1a1593e0e9 100644 --- a/doc/userguide/rules/dns-keywords.rst +++ b/doc/userguide/rules/dns-keywords.rst @@ -6,6 +6,29 @@ content modifiers, please visit the page :doc:`payload-keywords` These ones make sure the signature checks a specific part of the network-traffic. +dns.opcode +---------- + +This keyword matches on the **opcode** found in the DNS header flags. + +Syntax +~~~~~~ + +:: + + dns.opcode:[!] + +Examples +~~~~~~~~ + +Match on DNS requests and responses with **opcode** 4:: + + dns.opcode:4; + +Match on DNS requests whre the **opcode** is NOT 0:: + + dns.opcode:!0; + dns.query ---------
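Review bot: The Syntax block in the new dns.opcode section reads "dns.opcode:[!]" with no placeholder for the value, so a reader cannot tell from it what follows the optional negation; something like "dns.opcode:[!]<opcode>" would make it match the two examples. In the second example's description, "whre" should be "where". The two example descriptions are also inconsistent: the first says "requests and responses" while the negated one says only "requests", so it is worth stating whether "dns.opcode:!0;" applies to responses too. Since the opcode is a 4-bit field in the DNS header, a sentence giving the accepted value range and how an out-of-range value is handled would help rule writers.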