What is the best method to allow these alerts, but filter out certain *.no-ip.org queries
which are legitimate?
emerging-info.rules:alert dns $HOME_NET any -> any any (msg:"ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain"; dns_query; content:".no-ip."; classtype:bad-unknown; sid:2013743; rev:4; metadata:created_at 2011_10_05, former_category HUNTING, updated_at 2020_08_17;)
Deleting or disabling the alert is certainly not desirable.
What is needed is a specific list of FQDN that are valid, and known, but alert on all others.
example:
Perhaps my searching through documents missed a method to configure hostnames
in a manner similar to HOME_NET in suricata.yaml, so particular hostnames would be ignored by the alert?
Have you looked into Suricata’s dataset support? I think this will work for your scenario but you’ll have to run through the details and confirm it supports your workflow. See 6.34. Datasets — Suricata 6.0.6 documentation
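As an added example of the dataset approach (not code from the thread or from the Suricata project), the script below builds a string dataset of known-good no-ip FQDNs and writes a local rule that keeps the original ".no-ip." match but suppresses the alert for names in the set; the file names, sample FQDNs and sid are placeholders chosen here.

```shell
#!/bin/sh
# Added example: allowlist specific *.no-ip.org names with a Suricata dataset.
# Assumes Suricata 6.x dataset support (dataset:isnotset on a sticky buffer).
# ALLOW_LIST, RULE_FILE, the sid and the FQDNs below are constructed placeholders.

ALLOW_LIST="allowed-noip.lst"
RULE_FILE="local-noip.rules"

# Entries of a "type string" dataset are stored base64-encoded, one per line.
# tr strips the wrapping GNU base64 adds for long input; echo restores one newline.
encode_entry() {
    printf '%s' "$1" | base64 | tr -d '\n'
    echo
}

# build_dataset <outfile> <fqdn>...  writes each FQDN as one encoded line.
build_dataset() {
    out="$1"; shift
    : > "$out"
    for fqdn in "$@"; do
        encode_entry "$fqdn" >> "$out"
    done
}

# write_rule <rulefile> <datasetfile>: content:".no-ip." keeps the original
# substring match on the dns.query buffer; dataset:isnotset then compares the
# whole query name against the set, so listed names never fire the rule.
# Use an absolute path for "load" in production so Suricata resolves it unambiguously.
write_rule() {
    cat > "$1" <<EOF
alert dns \$HOME_NET any -> any any (msg:"LOCAL INFO DYNAMIC_DNS Query to a no-ip Domain not on allowlist"; dns.query; content:".no-ip."; dataset:isnotset,allowed-noip,type string,load $2; classtype:bad-unknown; sid:9000001; rev:1;)
EOF
}

# Constructed sample allowlist; replace with the site's own known-good names.
build_dataset "$ALLOW_LIST" "backup.example.no-ip.org" "vpn.example.no-ip.org"
write_rule "$RULE_FILE" "$ALLOW_LIST"
```

Keep the ET rule enabled alongside this one only if duplicate alerts are acceptable; otherwise disable sid 2013743 and let the local rule carry the detection.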
Thanks for the suggestion; this would apply to a few other alerts where the same
situation holds true: we want the alerts, but exempt a few specifics. Also experimenting
with the suppress files.