Correlation emails being spammed?

JG1978
Level 1

I created a custom correlation rule that basically says: if you see any DNS (port 53) traffic that does not contain IP address xxx.xxx.xxx.xxx (our internal DNS server), then fire the rule and send an email alert (configured under the alert section).


The issue I have is that once I turned the rule on, I was immediately spammed by the same 5-6 clients using rogue DNS servers over and over.


I tried the "if this rule is fired then snooze for 5 minutes" setting, but that seems to disable the entire rule, so now I am only seeing 1 of the 5-6 clients, whichever one it alerts on first; then the rule is off for 5 minutes, rinse and repeat.


It seems that instead of treating each firing of the rule as unique to the IP address associated with it, it treats them all as 1 big rule.


Does anyone know a way around this, or has anyone experienced something similar?


I suppose once we have them all cleaned up, the theory is we should only get 1 at a time, but this is going to muck up other potential alert rules, etc.

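The behaviour the post describes, replayed over constructed flow records as an added example (this is not the poster's rule or the product's rule engine, and the internal DNS address 10.0.0.53, the sample flows and the function names are assumptions): the same "port 53 to anything but the internal resolver" rule is run twice, once with a single snooze timer for the whole rule and once with a timer keyed per source IP, to show why the global snooze hides every client after the first hit while per-source snooze deduplicates repeats without losing new clients.

```python
"""Added example: rogue-DNS detection with global vs per-source alert snooze.

Hypothetical re-implementation, not the product's rule engine: it replays
constructed flow records through the rule described in the post and shows
why a single snooze timer hides clients that a per-source timer would report.
"""
from datetime import datetime, timedelta

# Assumed placeholder for the internal DNS server (redacted in the post).
AUTHORIZED_DNS = {"10.0.0.53"}
SNOOZE = timedelta(minutes=5)

# Constructed sample flows (not real data): timestamp, src, dst, proto, dport.
SAMPLE_FLOWS = """\
2024-01-01T09:00:00 10.1.1.10 8.8.8.8 udp 53
2024-01-01T09:00:05 10.1.1.11 1.1.1.1 udp 53
2024-01-01T09:00:10 10.1.1.10 8.8.8.8 udp 53
2024-01-01T09:00:20 10.1.1.12 10.0.0.53 udp 53
2024-01-01T09:00:25 10.1.1.12 8.8.8.8 tcp 443
2024-01-01T09:00:30 10.1.1.12 9.9.9.9 tcp 53
2024-01-01T09:06:00 10.1.1.10 8.8.8.8 udp 53
2024-01-01T09:06:10 10.1.1.11 1.1.1.1 udp 53
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "proto": proto,
            "dport": int(dport),
        })
    return flows


def is_rogue_dns(flow):
    """The rule from the post: DNS (port 53, UDP or TCP) to anything but the internal resolver."""
    return flow["dport"] == 53 and flow["dst"] not in AUTHORIZED_DNS


def alerts_global_snooze(flows, snooze=SNOOZE):
    """One timer for the whole rule: after any hit, every client is silenced."""
    alerts = []
    muted_until = None
    for f in flows:
        if not is_rogue_dns(f):
            continue
        if muted_until is not None and f["ts"] < muted_until:
            continue
        alerts.append(f)
        muted_until = f["ts"] + snooze
    return alerts


def alerts_per_source_snooze(flows, snooze=SNOOZE):
    """One timer per source IP: repeats from the same client are deduplicated,
    but a client not seen inside the window still fires."""
    alerts = []
    muted_until = {}
    for f in flows:
        if not is_rogue_dns(f):
            continue
        until = muted_until.get(f["src"])
        if until is not None and f["ts"] < until:
            continue
        alerts.append(f)
        muted_until[f["src"]] = f["ts"] + snooze
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for label, fn in (("global snooze", alerts_global_snooze),
                      ("per-source snooze", alerts_per_source_snooze)):
        hits = fn(flows)
        print(f"{label}: {len(hits)} alerts")
        for a in hits:
            print(f"  {a['ts'].isoformat()} {a['src']} -> {a['dst']}:{a['dport']}/{a['proto']}")
```

With the constructed flows, the global snooze reports only 10.1.1.10 (twice, once per window), exactly the "1 of the 5-6 clients" symptom; the per-source snooze reports 10.1.1.10, 10.1.1.11 and 10.1.1.12 once each inside the first window and the two repeat offenders again after their windows expire. The same keying idea applies if the product lets you suppress on a field such as source IP rather than on the rule as a whole.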