From d3e2cc9926a0a1149495c418f531ecbae9ef4c8c Mon Sep 17 00:00:00 2001 From: Jason Ish Date: Mon, 16 Sep 2019 14:46:15 -0600 Subject: [PATCH] doc: document dns.opcode keyword --- doc/userguide/rules/dns-keywords.rst | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/doc/userguide/rules/dns-keywords.rst b/doc/userguide/rules/dns-keywords.rst index 675d8ea5e1..1a1593e0e9 100644 --- a/doc/userguide/rules/dns-keywords.rst +++ b/doc/userguide/rules/dns-keywords.rst @@ -6,6 +6,29 @@ content modifiers, please visit the page :doc:`payload-keywords` These ones make sure the signature checks a specific part of the network-traffic. +dns.opcode +---------- + +This keyword matches on the **opcode** found in the DNS header flags. + +Syntax +~~~~~~ + +:: + + dns.opcode:[!] + +Examples +~~~~~~~~ + +Match on DNS requests and responses with **opcode** 4:: + + dns.opcode:4; + +Match on DNS requests whre the **opcode** is NOT 0:: + + dns.opcode:!0; + dns.query --------- -- 2.47.2
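Review bot: the Syntax block of the new dns.opcode section shows `dns.opcode:[!]` with no operand after the optional negation, so the reader cannot tell from the syntax line what value the keyword takes. Suggest adding a placeholder for the opcode value there and stating what form it takes and which values are accepted, since both examples only show bare integers (`dns.opcode:4;` and `dns.opcode:!0;`). In the second example description, "whre" should be "where". The two example descriptions also disagree on scope: the first says "DNS requests and responses", the second only "DNS requests". If the keyword matches in both directions regardless of negation, the second description should say so as well.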