8 Feb 2014, 12:16 p.m.
On Sat, Feb 08, 2014 at 12:34:45AM -0800, Jonathan Lassoff <jof@thejof.com> wrote a message of 88 lines which said:
> This is going to be tricky to do, as DNS packets don't necessarily contain entire query values or FQDNs as complete strings due to packet label compression
Apparently, the OP wanted to match the *question* in a *query* and these are never compressed (they could, in theory, but are not).
> You can use those u32 module matches to find some known-bad packets if they're sufficiently unique, but it simply lacks enough logic to fully parse DNS queries.
u32's language is not Turing-complete but it is sufficient in the case presented here.
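As an added illustration (not code from this thread or from the iptables project), the script below encodes a question name the way a resolver puts it in a query, i.e. as plain length-prefixed labels with no compression pointer, and turns that wire form into an iptables u32 expression that compares it word by word. It assumes IPv4 over UDP with the `0>>22&0x3C@` IHL idiom to locate the UDP header; the function names and the sample name `example.com` are hypothetical.

```python
import struct

def encode_qname(name):
    """Encode a domain name as DNS wire labels (length byte + label bytes),
    terminated by a zero byte. This is how the question name appears in a
    query: no 0xC0 compression pointers."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_dns_query(name, qtype=1, txid=0x1234):
    """Constructed sample query payload: 12-byte DNS header + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)

def u32_match_for_qname(name):
    """Return an iptables u32 expression matching a UDP DNS query whose
    question name is exactly `name`. Every '&&' clause starts at IPv4 byte 0:
    '0>>22&0x3C' extracts IHL*4 and '@' makes it the base offset, so the UDP
    header is at base+0, the DNS header at base+8 and the question name at
    base+20. u32 compares 4-byte big-endian words, so the name is matched one
    word at a time; the last word is masked to the bytes the name occupies."""
    wire = encode_qname(name)
    clauses = []
    for i in range(0, len(wire), 4):
        chunk = wire[i:i + 4]
        word = int.from_bytes(chunk.ljust(4, b"\x00"), "big")
        mask = (0xFFFFFFFF << (8 * (4 - len(chunk)))) & 0xFFFFFFFF
        clauses.append("0>>22&0x3C@%d&0x%08X=0x%08X" % (20 + i, mask, word))
    return "&&".join(clauses)

def question_name(payload):
    """Parse the question name from a DNS payload. A label byte with the top
    two bits set is a compression pointer, which a query's question should
    never contain, so it is rejected rather than followed."""
    off, labels = 12, []
    while True:
        ln = payload[off]
        if ln & 0xC0:
            raise ValueError("compression pointer at offset %d" % off)
        off += 1
        if ln == 0:
            return ".".join(labels)
        labels.append(payload[off:off + ln].decode("ascii"))
        off += ln

if __name__ == "__main__":
    # Combine with '-p udp --dport 53' so the IHL/UDP offsets are meaningful:
    #   iptables -A INPUT -p udp --dport 53 -m u32 --u32 "<expr>" -j DROP
    print(u32_match_for_qname("example.com"))
    print(question_name(build_dns_query("example.com")))
```

The comparison is byte-exact, so u32 does no case folding; lower-casing in `encode_qname` only normalises the rule, not the packets it is compared against.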