Feature #5446
closed
allow ranges in dns.opcode value
Added by Jason Taylor over 2 years ago.
Updated 9 months ago.
Description
It would be nice to be able to write a single rule looking for a range of opcodes or not looking (excluding) a range of opcodes.
examples:
alert dns any any -> any any (msg:"dns unassigned opcodes in dns query"; dns.opcode:7-15; sid:123; rev:1;)
alert dns any any -> any any (msg:"dns opcode other than assigned opcode in dns query"; dns.opcode:!1-6; sid:123; rev:1;)
@Philippe Antoine could this somehow be implemented as part of the general detect int work?
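To make the requested syntax concrete, here is a small matcher for `dns.opcode` range values written as an added illustration; it is not Suricata's code nor the detect-integer implementation this ticket refers to, and the type and function names (`OpcodeSpec`, `parse_opcode_spec`, `dns_opcode`, `opcode_matches`) are my own. It parses `7-15` and `!1-6`, pulls the 4-bit OPCODE out of a DNS header, and reports whether the rule would match.

```rust
// Added example, not Suricata's own code: a minimal matcher for the
// dns.opcode range syntax proposed in this ticket. The DNS OPCODE is
// bits 11..14 of the flags word (second 16-bit field of the header).

#[derive(Debug, PartialEq)]
pub struct OpcodeSpec {
    pub lo: u8,
    pub hi: u8,
    pub negated: bool,
}

/// Parse "7-15", "!1-6" or a single value such as "2". Opcodes are 4 bits,
/// so anything above 15 or an inverted range (hi < lo) is rejected.
pub fn parse_opcode_spec(s: &str) -> Option<OpcodeSpec> {
    let s = s.trim();
    let (negated, body) = match s.strip_prefix('!') {
        Some(rest) => (true, rest.trim()),
        None => (false, s),
    };
    let (lo, hi) = match body.split_once('-') {
        Some((a, b)) => (a.trim().parse::<u8>().ok()?, b.trim().parse::<u8>().ok()?),
        None => {
            let v = body.parse::<u8>().ok()?;
            (v, v)
        }
    };
    if lo > hi || hi > 15 {
        return None;
    }
    Some(OpcodeSpec { lo, hi, negated })
}

/// Extract the 4-bit OPCODE from the 12-byte DNS header; None if truncated.
pub fn dns_opcode(header: &[u8]) -> Option<u8> {
    if header.len() < 12 {
        return None;
    }
    let flags = u16::from_be_bytes([header[2], header[3]]);
    Some(((flags >> 11) & 0x0f) as u8)
}

/// Range membership, inverted when the spec was written with a leading '!'.
pub fn opcode_matches(spec: &OpcodeSpec, opcode: u8) -> bool {
    let in_range = opcode >= spec.lo && opcode <= spec.hi;
    in_range != spec.negated
}
```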
- Assignee changed from OISF Dev to Philippe Antoine
- Target version changed from TBD to 8.0.0-beta1
- Status changed from New to In Review
- Related to Feature #6646: detect: integer: support negated ranges added
- Related to Task #6644: tracking: detect: integer as first-class support added
- Related to Feature #6723: detect: review existing keywords for usage of enumerations added
- Status changed from In Review to Closed