src/Makefile.am

@@ -515,6 +515,7 @@ noinst_HEADERS = \
 	util-lua-hassh.h \
 	util-lua-http.h \
 	util-lua-ja3.h \
+	util-lua-packet.h \
 	util-lua-sandbox.h \
 	util-lua-smtp.h \
 	util-lua-ssh.h \
@@ -1063,6 +1064,7 @@ libsuricata_c_a_SOURCES = \
 	util-lua-hassh.c \
 	util-lua-http.c \
 	util-lua-ja3.c \
+	util-lua-packet.c \
 	util-lua-sandbox.c \
 	util-lua-smtp.c \
 	util-lua-ssh.c \

src/detect-app-layer-event.c

@@ -70,13 +70,13 @@ static int g_applayer_events_list_id = 0;
  */
 void DetectAppLayerEventRegister(void)
 {
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].name = "app-layer-event";
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].desc = "match on events generated by the App Layer Parsers and the protocol detection engine";
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Match =
-        DetectAppLayerEventPktMatch;
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
-    sigmatch_table[DETECT_AL_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
+    sigmatch_table[DETECT_APP_LAYER_EVENT].name = "app-layer-event";
+    sigmatch_table[DETECT_APP_LAYER_EVENT].desc =
+            "match on events generated by the App Layer Parsers and the protocol detection engine";
+    sigmatch_table[DETECT_APP_LAYER_EVENT].url = "/rules/app-layer.html#app-layer-event";
+    sigmatch_table[DETECT_APP_LAYER_EVENT].Match = DetectAppLayerEventPktMatch;
+    sigmatch_table[DETECT_APP_LAYER_EVENT].Setup = DetectAppLayerEventSetup;
+    sigmatch_table[DETECT_APP_LAYER_EVENT].Free = DetectAppLayerEventFree;
 
     DetectAppLayerInspectEngineRegister("app-layer-events", ALPROTO_UNKNOWN, SIG_FLAG_TOSERVER, 0,
             DetectEngineAptEventInspect, NULL);
@@ -226,7 +226,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const
             }
         }
         if (OutdatedEvent(arg)) {
-            if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+            if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) {
                 SCLogError("app-layer-event keyword no longer supports event \"%s\"", arg);
                 return -1;
             } else {
@@ -253,7 +253,7 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const
             r = DetectEngineGetEventInfo(event_name, &event_id, &event_type);
         }
         if (r < 0) {
-            if (SigMatchStrictEnabled(DETECT_AL_APP_LAYER_EVENT)) {
+            if (SigMatchStrictEnabled(DETECT_APP_LAYER_EVENT)) {
                 SCLogError("app-layer-event keyword's "
                            "protocol \"%s\" doesn't have event \"%s\" registered",
                         alproto_name, event_name);
@@ -274,15 +274,15 @@ static int DetectAppLayerEventSetup(DetectEngineCtx *de_ctx, Signature *s, const
     SCLogDebug("data->event_id %u", data->event_id);
 
     if (event_type == APP_LAYER_EVENT_TYPE_PACKET) {
-        if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data,
+        if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data,
                     DETECT_SM_LIST_MATCH) == NULL) {
             goto error;
         }
     } else {
         if (DetectSignatureSetAppProto(s, data->alproto) != 0)
             goto error;
 
-        if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_EVENT, (SigMatchCtx *)data,
+        if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_EVENT, (SigMatchCtx *)data,
                     g_applayer_events_list_id) == NULL) {
             goto error;
         }

src/detect-app-layer-protocol.c

@@ -215,7 +215,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
 
     SigMatch *tsm = s->init_data->smlists[DETECT_SM_LIST_MATCH];
     for ( ; tsm != NULL; tsm = tsm->next) {
-        if (tsm->type == DETECT_AL_APP_LAYER_PROTOCOL) {
+        if (tsm->type == DETECT_APP_LAYER_PROTOCOL) {
             const DetectAppLayerProtocolData *them = (const DetectAppLayerProtocolData *)tsm->ctx;
 
             if (HasConflicts(data, them)) {
@@ -227,7 +227,7 @@ static int DetectAppLayerProtocolSetup(DetectEngineCtx *de_ctx,
         }
     }
 
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_APP_LAYER_PROTOCOL, (SigMatchCtx *)data,
+    if (SigMatchAppendSMToList(de_ctx, s, DETECT_APP_LAYER_PROTOCOL, (SigMatchCtx *)data,
                 DETECT_SM_LIST_MATCH) == NULL) {
         goto error;
     }
@@ -331,8 +331,8 @@ PrefilterPacketAppProtoCompare(PrefilterPacketHeaderValue v, void *smctx)
 
 static int PrefilterSetupAppProto(DetectEngineCtx *de_ctx, SigGroupHead *sgh)
 {
-    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_AL_APP_LAYER_PROTOCOL,
-            SIG_MASK_REQUIRE_FLOW, PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
+    return PrefilterSetupPacketHeader(de_ctx, sgh, DETECT_APP_LAYER_PROTOCOL, SIG_MASK_REQUIRE_FLOW,
+            PrefilterPacketAppProtoSet, PrefilterPacketAppProtoCompare,
             PrefilterPacketAppProtoMatch);
 }
 
@@ -347,26 +347,20 @@ static bool PrefilterAppProtoIsPrefilterable(const Signature *s)
 
 void DetectAppLayerProtocolRegister(void)
 {
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Match =
-        DetectAppLayerProtocolPacketMatch;
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Setup =
-        DetectAppLayerProtocolSetup;
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].Free =
-        DetectAppLayerProtocolFree;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].name = "app-layer-protocol";
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].desc = "match on the detected app-layer protocol";
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].url = "/rules/app-layer.html#app-layer-protocol";
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Match = DetectAppLayerProtocolPacketMatch;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Setup = DetectAppLayerProtocolSetup;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].Free = DetectAppLayerProtocolFree;
 #ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].RegisterTests =
-        DetectAppLayerProtocolRegisterTests;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].RegisterTests = DetectAppLayerProtocolRegisterTests;
 #endif
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].flags =
-        (SIGMATCH_QUOTES_OPTIONAL|SIGMATCH_HANDLE_NEGATION);
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].flags =
+            (SIGMATCH_QUOTES_OPTIONAL | SIGMATCH_HANDLE_NEGATION);
 
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SetupPrefilter =
-        PrefilterSetupAppProto;
-    sigmatch_table[DETECT_AL_APP_LAYER_PROTOCOL].SupportsPrefilter =
-            PrefilterAppProtoIsPrefilterable;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SetupPrefilter = PrefilterSetupAppProto;
+    sigmatch_table[DETECT_APP_LAYER_PROTOCOL].SupportsPrefilter = PrefilterAppProtoIsPrefilterable;
 }
 
 /**********************************Unittests***********************************/

src/detect-dnp3.c

@@ -221,8 +221,8 @@ static int DetectDNP3FuncSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     }
     dnp3->function_code = function_code;
 
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3FUNC, (SigMatchCtx *)dnp3,
-                g_dnp3_match_buffer_id) == NULL) {
+    if (SigMatchAppendSMToList(
+                de_ctx, s, DETECT_DNP3FUNC, (SigMatchCtx *)dnp3, g_dnp3_match_buffer_id) == NULL) {
         goto error;
     }
 
@@ -299,8 +299,8 @@ static int DetectDNP3IndSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     }
     detect->ind_flags = flags;
 
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3IND, (SigMatchCtx *)detect,
-                g_dnp3_match_buffer_id) == NULL) {
+    if (SigMatchAppendSMToList(
+                de_ctx, s, DETECT_DNP3IND, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) {
         goto error;
     }
 
@@ -366,8 +366,8 @@ static int DetectDNP3ObjSetup(DetectEngineCtx *de_ctx, Signature *s, const char
     detect->obj_group = group;
     detect->obj_variation = variation;
 
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNP3OBJ, (SigMatchCtx *)detect,
-                g_dnp3_match_buffer_id) == NULL) {
+    if (SigMatchAppendSMToList(
+                de_ctx, s, DETECT_DNP3OBJ, (SigMatchCtx *)detect, g_dnp3_match_buffer_id) == NULL) {
         goto fail;
     }
 
@@ -453,17 +453,17 @@ static void DetectDNP3FuncRegister(void)
 {
     SCEnter();
 
-    sigmatch_table[DETECT_AL_DNP3FUNC].name          = "dnp3_func";
-    sigmatch_table[DETECT_AL_DNP3FUNC].alias         = "dnp3.func";
-    sigmatch_table[DETECT_AL_DNP3FUNC].desc          = "match on the application function code found in DNP3 request and responses";
-    sigmatch_table[DETECT_AL_DNP3FUNC].url           = "/rules/dnp3-keywords.html#dnp3-func";
-    sigmatch_table[DETECT_AL_DNP3FUNC].Match         = NULL;
-    sigmatch_table[DETECT_AL_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
-    sigmatch_table[DETECT_AL_DNP3FUNC].Setup         = DetectDNP3FuncSetup;
-    sigmatch_table[DETECT_AL_DNP3FUNC].Free          = DetectDNP3Free;
+    sigmatch_table[DETECT_DNP3FUNC].name = "dnp3_func";
+    sigmatch_table[DETECT_DNP3FUNC].alias = "dnp3.func";
+    sigmatch_table[DETECT_DNP3FUNC].desc =
+            "match on the application function code found in DNP3 request and responses";
+    sigmatch_table[DETECT_DNP3FUNC].url = "/rules/dnp3-keywords.html#dnp3-func";
+    sigmatch_table[DETECT_DNP3FUNC].Match = NULL;
+    sigmatch_table[DETECT_DNP3FUNC].AppLayerTxMatch = DetectDNP3FuncMatch;
+    sigmatch_table[DETECT_DNP3FUNC].Setup = DetectDNP3FuncSetup;
+    sigmatch_table[DETECT_DNP3FUNC].Free = DetectDNP3Free;
 #ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_DNP3FUNC].RegisterTests =
-        DetectDNP3FuncRegisterTests;
+    sigmatch_table[DETECT_DNP3FUNC].RegisterTests = DetectDNP3FuncRegisterTests;
 #endif
     SCReturn;
 }
@@ -472,17 +472,17 @@ static void DetectDNP3IndRegister(void)
 {
     SCEnter();
 
-    sigmatch_table[DETECT_AL_DNP3IND].name          = "dnp3_ind";
-    sigmatch_table[DETECT_AL_DNP3IND].alias         = "dnp3.ind";
-    sigmatch_table[DETECT_AL_DNP3IND].desc          = "match on the DNP3 internal indicator flags in the response application header";
-    sigmatch_table[DETECT_AL_DNP3IND].url           = "/rules/dnp3-keywords.html#dnp3-ind";
-    sigmatch_table[DETECT_AL_DNP3IND].Match         = NULL;
-    sigmatch_table[DETECT_AL_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
-    sigmatch_table[DETECT_AL_DNP3IND].Setup         = DetectDNP3IndSetup;
-    sigmatch_table[DETECT_AL_DNP3IND].Free          = DetectDNP3Free;
+    sigmatch_table[DETECT_DNP3IND].name = "dnp3_ind";
+    sigmatch_table[DETECT_DNP3IND].alias = "dnp3.ind";
+    sigmatch_table[DETECT_DNP3IND].desc =
+            "match on the DNP3 internal indicator flags in the response application header";
+    sigmatch_table[DETECT_DNP3IND].url = "/rules/dnp3-keywords.html#dnp3-ind";
+    sigmatch_table[DETECT_DNP3IND].Match = NULL;
+    sigmatch_table[DETECT_DNP3IND].AppLayerTxMatch = DetectDNP3IndMatch;
+    sigmatch_table[DETECT_DNP3IND].Setup = DetectDNP3IndSetup;
+    sigmatch_table[DETECT_DNP3IND].Free = DetectDNP3Free;
 #ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_DNP3IND].RegisterTests =
-        DetectDNP3IndRegisterTests;
+    sigmatch_table[DETECT_DNP3IND].RegisterTests = DetectDNP3IndRegisterTests;
 #endif
     SCReturn;
 }
@@ -491,17 +491,16 @@ static void DetectDNP3ObjRegister(void)
 {
     SCEnter();
 
-    sigmatch_table[DETECT_AL_DNP3OBJ].name          = "dnp3_obj";
-    sigmatch_table[DETECT_AL_DNP3OBJ].alias         = "dnp3.obj";
-    sigmatch_table[DETECT_AL_DNP3OBJ].desc          = "match on the DNP3 application data objects";
-    sigmatch_table[DETECT_AL_DNP3OBJ].url           = "/rules/dnp3-keywords.html#dnp3-obj";
-    sigmatch_table[DETECT_AL_DNP3OBJ].Match         = NULL;
-    sigmatch_table[DETECT_AL_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
-    sigmatch_table[DETECT_AL_DNP3OBJ].Setup         = DetectDNP3ObjSetup;
-    sigmatch_table[DETECT_AL_DNP3OBJ].Free          = DetectDNP3Free;
+    sigmatch_table[DETECT_DNP3OBJ].name = "dnp3_obj";
+    sigmatch_table[DETECT_DNP3OBJ].alias = "dnp3.obj";
+    sigmatch_table[DETECT_DNP3OBJ].desc = "match on the DNP3 application data objects";
+    sigmatch_table[DETECT_DNP3OBJ].url = "/rules/dnp3-keywords.html#dnp3-obj";
+    sigmatch_table[DETECT_DNP3OBJ].Match = NULL;
+    sigmatch_table[DETECT_DNP3OBJ].AppLayerTxMatch = DetectDNP3ObjMatch;
+    sigmatch_table[DETECT_DNP3OBJ].Setup = DetectDNP3ObjSetup;
+    sigmatch_table[DETECT_DNP3OBJ].Free = DetectDNP3Free;
 #ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_DNP3OBJ].RegisterTests =
-        DetectDNP3ObjRegisterTests;
+    sigmatch_table[DETECT_DNP3OBJ].RegisterTests = DetectDNP3ObjRegisterTests;
 #endif
     SCReturn;
 }
@@ -522,12 +521,13 @@ static void DetectDNP3DataRegister(void)
 {
     SCEnter();
 
-    sigmatch_table[DETECT_AL_DNP3DATA].name          = "dnp3.data";
-    sigmatch_table[DETECT_AL_DNP3DATA].alias         = "dnp3_data";
-    sigmatch_table[DETECT_AL_DNP3DATA].desc          = "make the following content options to match on the re-assembled application buffer";
-    sigmatch_table[DETECT_AL_DNP3DATA].url           = "/rules/dnp3-keywords.html#dnp3-data";
-    sigmatch_table[DETECT_AL_DNP3DATA].Setup         = DetectDNP3DataSetup;
-    sigmatch_table[DETECT_AL_DNP3DATA].flags |= SIGMATCH_NOOPT|SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[DETECT_DNP3DATA].name = "dnp3.data";
+    sigmatch_table[DETECT_DNP3DATA].alias = "dnp3_data";
+    sigmatch_table[DETECT_DNP3DATA].desc =
+            "make the following content options to match on the re-assembled application buffer";
+    sigmatch_table[DETECT_DNP3DATA].url = "/rules/dnp3-keywords.html#dnp3-data";
+    sigmatch_table[DETECT_DNP3DATA].Setup = DetectDNP3DataSetup;
+    sigmatch_table[DETECT_DNP3DATA].flags |= SIGMATCH_NOOPT | SIGMATCH_INFO_STICKY_BUFFER;
 
     DetectAppLayerInspectEngineRegister("dnp3_data", ALPROTO_DNP3, SIG_FLAG_TOSERVER, 0,
             DetectEngineInspectBufferGeneric, GetDNP3Data);

src/detect-dns-answer-name.c

@@ -72,12 +72,12 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
 void DetectDnsAnswerNameRegister(void)
 {
     static const char *keyword = "dns.answer.name";
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].name = keyword;
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].Setup = DetectSetup;
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
-    sigmatch_table[DETECT_AL_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].name = keyword;
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].desc = "DNS answer name sticky buffer";
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].url = "/rules/dns-keywords.html#dns-answer-name";
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].Setup = DetectSetup;
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_DNS_ANSWER_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     /* Register in the TO_SERVER direction, even though this is not
        normal, it could be provided as part of a request. */

src/detect-dns-opcode.c

@@ -42,8 +42,8 @@ static int DetectDnsOpcodeSetup(DetectEngineCtx *de_ctx, Signature *s,
         return -1;
     }
 
-    if (SigMatchAppendSMToList(de_ctx, s, DETECT_AL_DNS_OPCODE, (SigMatchCtx *)detect,
-                dns_opcode_list_id) == NULL) {
+    if (SigMatchAppendSMToList(
+                de_ctx, s, DETECT_DNS_OPCODE, (SigMatchCtx *)detect, dns_opcode_list_id) == NULL) {
         goto error;
     }
 
@@ -72,13 +72,12 @@ static int DetectDnsOpcodeMatch(DetectEngineThreadCtx *det_ctx,
 
 void DetectDnsOpcodeRegister(void)
 {
-    sigmatch_table[DETECT_AL_DNS_OPCODE].name  = "dns.opcode";
-    sigmatch_table[DETECT_AL_DNS_OPCODE].desc  = "Match the DNS header opcode flag.";
-    sigmatch_table[DETECT_AL_DNS_OPCODE].Setup = DetectDnsOpcodeSetup;
-    sigmatch_table[DETECT_AL_DNS_OPCODE].Free  = DetectDnsOpcodeFree;
-    sigmatch_table[DETECT_AL_DNS_OPCODE].Match = NULL;
-    sigmatch_table[DETECT_AL_DNS_OPCODE].AppLayerTxMatch =
-        DetectDnsOpcodeMatch;
+    sigmatch_table[DETECT_DNS_OPCODE].name = "dns.opcode";
+    sigmatch_table[DETECT_DNS_OPCODE].desc = "Match the DNS header opcode flag.";
+    sigmatch_table[DETECT_DNS_OPCODE].Setup = DetectDnsOpcodeSetup;
+    sigmatch_table[DETECT_DNS_OPCODE].Free = DetectDnsOpcodeFree;
+    sigmatch_table[DETECT_DNS_OPCODE].Match = NULL;
+    sigmatch_table[DETECT_DNS_OPCODE].AppLayerTxMatch = DetectDnsOpcodeMatch;
 
     DetectAppLayerInspectEngineRegister(
             "dns.opcode", ALPROTO_DNS, SIG_FLAG_TOSERVER, 0, DetectEngineInspectGenericList, NULL);

src/detect-dns-query-name.c

@@ -72,12 +72,12 @@ static InspectionBuffer *GetBuffer(DetectEngineThreadCtx *det_ctx,
 void DetectDnsQueryNameRegister(void)
 {
     static const char *keyword = "dns.query.name";
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].name = keyword;
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].Setup = DetectSetup;
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
-    sigmatch_table[DETECT_AL_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[DETECT_DNS_QUERY_NAME].name = keyword;
+    sigmatch_table[DETECT_DNS_QUERY_NAME].desc = "DNS query name sticky buffer";
+    sigmatch_table[DETECT_DNS_QUERY_NAME].url = "/rules/dns-keywords.html#dns-query-name";
+    sigmatch_table[DETECT_DNS_QUERY_NAME].Setup = DetectSetup;
+    sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_DNS_QUERY_NAME].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     /* Register in both directions as the query is usually echoed back
        in the response. */

src/detect-dns-query.c

@@ -96,16 +96,16 @@ static InspectionBuffer *DnsQueryGetData(DetectEngineThreadCtx *det_ctx,
  */
 void DetectDnsQueryRegister (void)
 {
-    sigmatch_table[DETECT_AL_DNS_QUERY].name = "dns.query";
-    sigmatch_table[DETECT_AL_DNS_QUERY].alias = "dns_query";
-    sigmatch_table[DETECT_AL_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
-    sigmatch_table[DETECT_AL_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
-    sigmatch_table[DETECT_AL_DNS_QUERY].Setup = DetectDnsQuerySetup;
+    sigmatch_table[DETECT_DNS_QUERY].name = "dns.query";
+    sigmatch_table[DETECT_DNS_QUERY].alias = "dns_query";
+    sigmatch_table[DETECT_DNS_QUERY].desc = "sticky buffer to match DNS query-buffer";
+    sigmatch_table[DETECT_DNS_QUERY].url = "/rules/dns-keywords.html#dns-query";
+    sigmatch_table[DETECT_DNS_QUERY].Setup = DetectDnsQuerySetup;
 #ifdef UNITTESTS
-    sigmatch_table[DETECT_AL_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
+    sigmatch_table[DETECT_DNS_QUERY].RegisterTests = DetectDnsQueryRegisterTests;
 #endif
-    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_NOOPT;
-    sigmatch_table[DETECT_AL_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
+    sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_NOOPT;
+    sigmatch_table[DETECT_DNS_QUERY].flags |= SIGMATCH_INFO_STICKY_BUFFER;
 
     DetectAppLayerMultiRegister(
             "dns_query", ALPROTO_DNS, SIG_FLAG_TOSERVER, 1, DnsQueryGetData, 2, 1);