ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain - filter out known FQDN?

What is the best method to allow these alerts, but filter out for certain * queries
which are legitimate ?

emerging-info.rules:alert dns $HOME_NET any → any any (msg:“ET INFO DYNAMIC_DNS Query to a Suspicious no-ip Domain”; dns_query; content:“.no-ip.”; classtype:bad-unknown; sid:2013743; rev:4; metadata:created_at 2011_10_05, former_category HUNTING, updated_at 2020_08_17;)

Deleting or disabling the alert is certainly not desirable.

What is needed is a specific list of FQDN that are valid, and known, but alert on all others.
example: VALID VALID

Perhaps my searching through documents missed a method to configure hostnames
in a manner similar to HOME_NET in suricata.yaml, so particular hostnames would be ignored by the alert ?

Appreciate input.


Have you looked into Suricata’s dataset support? I think this will work for your scenario but you’ll have to run through the details and confirm it supports your workflow. See 6.34. Datasets — Suricata 6.0.6 documentation

Thanks Jeff, will take a look.

Depending on how many ‘valids’ we are talking about here, you could add them to the signature as negations.

For example → content:“.no-ip.”; content:!“”;

This would not alert on ‘’ but would continue alerting on the non-valids/unknowns.

Thanks for the suggestion, this would apply to a few other alerts where the same
situation holds true, we want the alerts, but exempt a few specifics. Also experimenting
with the suppress files.

Thank you !