DNS Keywords
DNS keywords match on fields of a DNS request. Their buffers are normalized so that content matching works on the literal domain name (for example mail.example.com) rather than on the length-prefixed labels of the wire format.
dns.query
Sticky buffer to match on the content of a DNS request query. It is used in a rule with the dns application-layer protocol. DNS names are case-insensitive, and some resolvers randomize label case, so add nocase to the content match unless an exact-case match is intended.
Example:
alert dns any any -> any any (classtype:misc-attack; \
msg:"content matching in dns query field"; \
dns.query; content:"mail.example.com"; sid:1; rev:1;)
Note: the older dns_query keyword is deprecated and should no longer be used.
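As an added illustration of the normalization described above, the following Python decodes the question section of a DNS request into the dotted name that a content match would see, and applies a substring test with and without nocase. This is example code written for this page, not Suricata's parser; it assumes that dns.query exposes the dotted QNAME (as the text states) and that responses (QR=1) are excluded. build_query is a hypothetical helper that constructs sample packets inline so the example runs offline.

```python
import struct

# Constructed sample data: build_query() is a hypothetical helper, not part of
# Suricata, used only so the example can make packets without a network.
def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a standard DNS query (QR=0, RD=1, one question, QTYPE=A, QCLASS=IN)."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.strip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)


def read_name(msg: bytes, offset: int) -> tuple:
    """Decode the wire-format name at offset into dotted form (as bytes).

    Follows RFC 1035 compression pointers, bounds-checks every read and caps
    pointer hops so a malformed message cannot loop forever.
    Returns (dotted_name, offset just after the name in the original stream).
    """
    labels = []
    end = None
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = offset + 2
            hops += 1
            if hops > 16:
                raise ValueError("pointer loop")
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            continue
        if length & 0xC0:                              # 0x40/0x80 label types are reserved
            raise ValueError("unsupported label type")
        if length == 0:                                # root label ends the name
            if end is None:
                end = offset + 1
            return b".".join(labels), end
        label = msg[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += 1 + length


def dns_query_buffers(msg: bytes) -> list:
    """Return the normalized QNAME of every question in a DNS request (QR=0).

    This is the dotted form the page says dns.query matches against, not the
    raw length-prefixed labels. Responses (QR=1) yield an empty list.
    """
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x8000:                                 # QR bit set: a response
        return []
    buffers = []
    offset = 12
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        offset += 4                                    # skip QTYPE and QCLASS
        buffers.append(name)
    return buffers


def content_match(buffer: bytes, content: bytes, nocase: bool = False) -> bool:
    """Substring test in the spirit of the content keyword.

    nocase lowercases both sides, which matters for DNS because names are
    case-insensitive and some clients randomize label case.
    """
    if nocase:
        return content.lower() in buffer.lower()
    return content in buffer


if __name__ == "__main__":
    pkt = build_query("MAIL.Example.COM")
    for qname in dns_query_buffers(pkt):
        print(qname, content_match(qname, b"mail.example.com"),
              content_match(qname, b"mail.example.com", nocase=True))
```

Running the block shows that the raw packet never contains the bytes mail.example.com (the wire format carries label lengths, not dots), that the normalized buffer does, and that a mixed-case query only matches once nocase is applied.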