<div dir="ltr"><div dir="ltr">Jordon, I can't think of any way to filter alerts generated by a DNS server based on which client is querying it. According to Joao G, this particular IP range is used for active investigations and often legitimate domains get sinkholed to this range (ref: <a href="https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-July/028241.html">https://lists.emergingthreats.net/pipermail/emerging-sigs/2017-July/028241.html</a>); you may want to disable this signature.</div><div dir="ltr"><br></div><div>-T</div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Jan 15, 2019 at 8:12 AM Jordon Carpenter <<a href="mailto:jordon.carpenter@rooksecurity.com">jordon.carpenter@rooksecurity.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="overflow-wrap: break-word;"><div style="font-family:Helvetica,Arial;font-size:13px">Team,</div><div style="font-family:Helvetica,Arial;font-size:13px"><br></div><div style="font-family:Helvetica,Arial;font-size:13px">This signature:</div><div style="font-family:Helvetica,Arial;font-size:13px"><br></div><div style="margin:0px">ET TROJAN DNS Reply Sinkhole - Anubis - <a href="http://195.22.26.192/26" target="_blank">195.22.26.192/26</a></div><div style="margin:0px"><br></div><div style="margin:0px">is generating a ton of alerts from a BYOD network which I do not care about at this time. 
Is there any way we can pass traffic related to a BYOD network even though this signature is identifying the source as a DNS server (which I do not want to suppress)?</div><br><div class="gmail-m_3194603254096278606gmail_signature"><span style="color:rgb(34,34,34);font-variant-ligatures:normal;font-size:14px;font-family:roboto,sans-serif"><strong><span style="color:rgb(0,0,0)">Thanks,<br>Jordon Carpenter</span></strong></span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-variant-ligatures:normal"><span style="font-variant-ligatures:normal;font-size:12px;font-family:roboto,sans-serif"><a href="https://www.rooksecurity.com/" style="color:rgb(0,0,0)" target="_blank">Rook Security</a></span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-variant-ligatures:normal"><span style="font-variant-ligatures:normal;font-size:12px;font-family:roboto,sans-serif">O: <a href="tel:(888)%20712-9531" value="+18887129531" style="color:rgb(17,85,204)" target="_blank">888.712.9531 x734</a></span><br style="color:rgb(34,34,34);font-family:arial,sans-serif;font-size:12.8px;font-variant-ligatures:normal"><span style="font-variant-ligatures:normal;font-size:12px;font-family:calibri,sans-serif"><span style="font-family:roboto,sans-serif">E: <a href="mailto:jordon.carpenter@rooksecurity.com" style="color:rgb(17,85,204)" target="_blank">jordon.carpenter@rooksecurity.com</a></span></span></div></div>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org" target="_blank">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
<br>
Conference: <a href="https://suricon.net" rel="noreferrer" target="_blank">https://suricon.net</a><br>
Trainings: <a href="https://suricata-ids.org/training/" rel="noreferrer" target="_blank">https://suricata-ids.org/training/</a></blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">PGP: ABE625E6<br><a href="http://keybase.io/travisbgreen" target="_blank">keybase.io/travisbgreen</a></div>
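<div dir="ltr">Added example for the thread above; this is not code from Suricata or from either poster. It is a small Python post-filter over Suricata EVE JSON that mutes hits for the quoted sinkhole signature only when the querying client is inside a BYOD range and keeps the same signature live for every other client, so the rule itself is never disabled. The client is recovered from the alert record rather than from the rule: a DNS-reply alert carries the resolver as <code>src_ip</code> and the client as <code>dest_ip</code>, and the helper generalises this to the non-port-53 side so a query-direction alert would be handled too. The BYOD CIDR <code>10.20.0.0/16</code>, the resolver address <code>10.0.0.53</code> and the EVE records are constructed sample data; <code>signature_id</code> 0 and the "ET POLICY Placeholder Rule" name are placeholders because the thread gives no SID.</div>

```python
"""Post-filter Suricata EVE JSON alerts by the DNS client on the BYOD side.

Added example for the mailing-list thread, not code from Suricata or the
posters.  The DNS-reply sinkhole rule fires with the resolver as src_ip and
the client that asked as dest_ip, so "which client queried" is recoverable
from the alert record even though the rule keys on the server side.
"""
import ipaddress
import json
import sys

# Signature name exactly as quoted in the thread.
SINKHOLE_SIG = "ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26"

# Constructed sample EVE records (one JSON object per line, as Suricata writes
# them).  10.0.0.53 is the assumed internal resolver, 10.20.0.0/16 the assumed
# BYOD range; signature_id 0 and the "ET POLICY Placeholder Rule" name are
# placeholders, since the thread gives no SID.  The last line is deliberately
# malformed to show that bad input is counted, not silently dropped.
SAMPLE_EVE = """\
{"timestamp":"2019-01-15T08:01:02.000000-0500","event_type":"alert","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.20.4.17","dest_port":51522,"proto":"UDP","alert":{"signature_id":0,"signature":"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-15T08:01:03.000000-0500","event_type":"alert","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.1.7.8","dest_port":40112,"proto":"UDP","alert":{"signature_id":0,"signature":"ET TROJAN DNS Reply Sinkhole - Anubis - 195.22.26.192/26","category":"A Network Trojan was detected","severity":1}}
{"timestamp":"2019-01-15T08:01:04.000000-0500","event_type":"dns","src_ip":"10.20.4.18","src_port":51000,"dest_ip":"10.0.0.53","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"example.com","rrtype":"A"}}
{"timestamp":"2019-01-15T08:01:05.000000-0500","event_type":"alert","src_ip":"10.0.0.53","src_port":53,"dest_ip":"10.20.4.19","dest_port":52000,"proto":"UDP","alert":{"signature_id":0,"signature":"ET POLICY Placeholder Rule","category":"Potential Corporate Privacy Violation","severity":2}}
not json at all
"""


def parse_networks(cidrs):
    """Turn CIDR strings into network objects; strict=False tolerates host bits."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def client_ip(rec):
    """Address of the querying client: the side of the flow that is not port 53.

    For a reply alert (resolver -> client) that is dest_ip; for a query alert
    (client -> resolver, dest_port 53) it is src_ip.
    """
    return rec["src_ip"] if rec.get("dest_port") == 53 else rec["dest_ip"]


def is_byod_client(rec, nets):
    """True when the querying client falls inside one of the BYOD networks."""
    addr = ipaddress.ip_address(client_ip(rec))
    return any(addr in n for n in nets)


def triage(eve_lines, byod_nets, signature=SINKHOLE_SIG):
    """Split EVE lines into (kept, suppressed, skipped_count).

    Suppressed: the sinkhole signature with a BYOD client.  Every other alert
    is kept, so the rule stays live for managed hosts and other rules are
    untouched.  Non-alert events and unparsable lines are counted as skipped.
    """
    nets = parse_networks(byod_nets)
    kept, suppressed, skipped = [], [], 0
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if rec.get("event_type") != "alert":
            skipped += 1
            continue
        sig = rec.get("alert", {}).get("signature", "")
        if sig == signature and is_byod_client(rec, nets):
            suppressed.append(rec)
        else:
            kept.append(rec)
    return kept, suppressed, skipped


def summarize(suppressed):
    """Per-client count of muted hits, so what was silenced can still be reviewed."""
    counts = {}
    for rec in suppressed:
        client = client_ip(rec)
        counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    # Usage: python3 eve_byod_filter.py 10.20.0.0/16 [more CIDRs] < eve.json
    # With no CIDR arguments the constructed sample above is filtered instead.
    if len(sys.argv) > 1:
        kept, muted, skipped = triage(sys.stdin, sys.argv[1:])
    else:
        kept, muted, skipped = triage(SAMPLE_EVE.splitlines(), ["10.20.0.0/16"])
    for rec in kept:
        print(json.dumps(rec))
    print(f"suppressed={len(muted)} skipped={skipped} by_client={summarize(muted)}",
          file=sys.stderr)
```

<div dir="ltr">Kept alerts go to stdout as EVE lines (so the output can feed the same downstream tooling), and the muted-per-client tally goes to stderr, which is worth watching: a single BYOD host that dominates the count is still a reason to look at that device even though its alerts are no longer paged. Because this runs after Suricata, the engine's own alert stream is unchanged; if the rule's SID is known, Suricata's <code>threshold.config</code> can express the same per-client muting in-engine with a <code>suppress</code> line that uses <code>track by_dst</code> and a BYOD CIDR in its <code>ip</code> field.</div>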