Actions
Feature #5446
closedrules: allow ranges in dns.opcode value
Effort:
Difficulty:
Label:
Description
It would be nice to be able to write a single rule looking for a range of opcodes or not looking (excluding) a range of opcodes.
examples:
alert dns any any -> any any (msg:"dns unassigned opcodes in dns query"; dns.opcode:7-15; sid:123; rev:1;)
alert dns any any -> any any (msg:"dns opcode other than assigned opcode in dns query"; dns.opcode:!1-6; sid:123; rev:1;)
Updated by Victor Julien almost 3 years ago
@Philippe Antoine could this somehow be implemented as part of the general detect int work?
Updated by Philippe Antoine almost 2 years ago
- Assignee changed from OISF Dev to Philippe Antoine
Updated by Philippe Antoine almost 2 years ago
- Target version changed from TBD to 8.0.0-beta1
Updated by Philippe Antoine over 1 year ago
- Status changed from New to In Review
Updated by Philippe Antoine over 1 year ago
- Related to Feature #6646: detect: integer: support negated ranges added
Updated by Philippe Antoine over 1 year ago
- Related to Task #6644: tracking: detect: integer as first-class support added
Updated by Philippe Antoine over 1 year ago
- Related to Feature #6723: detect: review existing keywords for usage of enumerations added
Updated by Philippe Antoine over 1 year ago
- Status changed from In Review to Closed
Updated by Victor Julien about 1 month ago
- Subject changed from allow ranges in dns.opcode value to rules: allow ranges in dns.opcode value
Actions