hello, I use datarep to detect the domains in my blacklist.
I have a blacklist file like below
cGh4bWZnLmNv,300,phxmfg.co
bW9kZXJubWVhZG93LmNv,300,modernmeadow.co
bHNvcGxleGlzLmNvbQ==,300,lsoplexis.com
and below is the rule which were written with reference to the documents here
alert dns any any -> any any (msg:"dns blacklist detected"; dns.query; datarep:dns_string, >, 200, load /home/test/domain.blacklist, type string; classtype:test;sid:12345678;)
But it doesn’t work with the subdomain, how to make it effective for subdomains.