On Sat, Feb 08, 2014 at 12:34:45AM -0800, Jonathan Lassoff <j...@thejof.com> wrote a message of 88 lines which said:
> This is going to be tricky to do, as DNS packets don't necessarily
> contain entire query values or FQDNs as complete strings due to
> packet label compression

Apparently, the OP wanted to match the *question* in a *query* and these are never compressed (they could, in theory, but are not).

> You can use those u32 module matches to find some known-bad packets
> if they're sufficiently unique, but it simply lacks enough logic to
> fully parse DNS queries.

u32's language is not Turing-complete but it is sufficient in the case presented here.
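The approach discussed in this message, as an added example that is not part of the original thread: because the question name in a query is sent uncompressed, it can be turned into a fixed sequence of u32 comparisons. The sketch goes slightly beyond the message by masking bit 0x20 on letters so the match ignores case; the function names and the sample packet are constructed for illustration, and it assumes IPv4 over UDP.

```python
import struct

def encode_qname(name):
    """FQDN -> uncompressed DNS wire format: length-prefixed labels, root label last."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length: %r" % label)
        out += bytes([len(raw)]) + raw
    return bytes(out) + b"\x00"

def qname_tests(name):
    """(offset, mask, value) triples; offsets count from the start of the UDP header."""
    wire = encode_qname(name)
    # Clear bit 0x20 on letters only, so the comparison ignores ASCII case.
    # Length bytes are at most 63, so they never fall in the letter ranges.
    masks = bytes(0xDF if (65 <= b <= 90 or 97 <= b <= 122) else 0xFF for b in wire)
    tests = []
    for i in range(0, len(wire), 4):
        m = masks[i:i + 4].ljust(4, b"\x00")  # zero mask ignores bytes past the QNAME
        v = bytes(a & b for a, b in zip(wire[i:i + 4].ljust(4, b"\x00"), m))
        # 8-byte UDP header + 12-byte DNS header: the QNAME starts at offset 20
        tests.append((20 + i, int.from_bytes(m, "big"), int.from_bytes(v, "big")))
    if len(tests) > 10:  # xt_u32 accepts at most 10 "&&"-joined tests per rule
        raise ValueError("name too long for a single u32 rule")
    return tests

def u32_expr(name):
    # "0>>22&0x3C@" skips the variable-length IPv4 header (IHL * 4 bytes)
    return "&&".join("0>>22&0x3C@%d&0x%08X=0x%08X" % t for t in qname_tests(name))

def matches(packet, name):
    """Evaluate the same tests on a raw IPv4 packet, the way the u32 match would."""
    udp = (packet[0] & 0x0F) * 4
    return all((int.from_bytes(packet[udp + o:udp + o + 4], "big") & m) == v
               for o, m, v in qname_tests(name))

def sample_query(name, ihl=5):
    """Constructed IPv4/UDP DNS query (zero addresses and checksums), not real traffic."""
    dns = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + encode_qname(name)
    dns += struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN
    udp = struct.pack("!4H", 53000, 53, 8 + len(dns), 0) + dns
    ip = bytes([0x40 | ihl, 0]) + struct.pack("!H", ihl * 4 + len(udp))
    ip += bytes(5) + b"\x11" + bytes(ihl * 4 - 10)  # id/frag/TTL, proto=UDP, rest
    return ip + udp

if __name__ == "__main__":
    print(u32_expr("example.com"))
```

The printed string is the argument for `-m u32 --u32` in a rule that already restricts the match to UDP port 53. The comparison covers the terminating root label, so a longer name that merely starts with the same labels does not match.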