dns: allow dns messages with invalid opcodes
Currently a DNS message won't be detected as DNS if the opcode is considered invalid (greater than 7). We should probably accept any opcode, and then use rules to alert on invalid opcodes.
Research: Will this detect too much non-DNS as DNS?
Updated by Jason Taylor 2 months ago
Just adding a sample UDP DNS query with an opcode of 8 set. With the change discussed in this ticket, a signature such as 'alert dns any any -> any any (msg:"dns opcode 8"; dns.opcode:8; sid:123; rev:1;)' run against the attached pcap would alert.
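
An added illustration, not part of the ticket and not Suricata's parser: a simplified Rust sketch of where the 4-bit opcode sits in the DNS header and how a probe that rejects opcodes above 7 differs from one that keeps only structural checks. All function names are hypothetical, the sample query is constructed, and the single-question structural check is an assumption of the sketch.

```rust
// Added example; simplified, hypothetical probes (not Suricata code).

/// Constructed sample: DNS query for example.com, type A, with a chosen opcode.
pub fn sample_query(opcode: u8) -> Vec<u8> {
    let flags: u16 = ((opcode as u16 & 0x0f) << 11) | 0x0100; // QR=0, RD=1
    let mut m = vec![0x12, 0x34]; // transaction ID
    m.extend_from_slice(&flags.to_be_bytes());
    m.extend_from_slice(&[0, 1, 0, 0, 0, 0, 0, 0]); // QDCOUNT=1, other counts 0
    m.extend_from_slice(b"\x07example\x03com\x00");
    m.extend_from_slice(&[0, 1, 0, 1]); // QTYPE=A, QCLASS=IN
    m
}

/// The opcode is bits 11..14 of the 16-bit flags word at header offset 2.
pub fn opcode(msg: &[u8]) -> Option<u8> {
    if msg.len() < 12 {
        return None;
    }
    let flags = u16::from_be_bytes([msg[2], msg[3]]);
    Some(((flags >> 11) & 0x0f) as u8)
}

/// Structural check (assumption of this sketch): exactly one question whose
/// name is a run of labels (each <= 63 bytes) ending in a zero byte,
/// followed by QTYPE and QCLASS.
pub fn structure_ok(msg: &[u8]) -> bool {
    if msg.len() < 12 || u16::from_be_bytes([msg[4], msg[5]]) != 1 {
        return false;
    }
    let mut i = 12;
    while let Some(&len) = msg.get(i) {
        if len == 0 {
            return msg.len() >= i + 5; // root label + QTYPE + QCLASS
        }
        if len > 63 {
            return false;
        }
        i += 1 + len as usize;
    }
    false
}

/// Strict probe: opcode greater than 7 means "not DNS", as the ticket describes.
pub fn probe_strict(msg: &[u8]) -> bool {
    structure_ok(msg) && matches!(opcode(msg), Some(op) if op <= 7)
}

/// Relaxed probe: any opcode is accepted; rules such as dns.opcode:8 decide.
pub fn probe_relaxed(msg: &[u8]) -> bool {
    structure_ok(msg)
}

fn main() {
    let q = sample_query(8);
    println!("opcode={:?} strict={} relaxed={}", opcode(&q), probe_strict(&q), probe_relaxed(&q));
}
```

With the opcode check removed, the remaining structural checks are what separate DNS from other traffic, which is the research question raised above.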