Exclude DNS subdomains from a rule in SFR module (ASA5516-x)

Phillip Macey
Level 1

Sorry if this is a really noobish question. I am still fairly noobish in all things Sourcefire. I've had a poke around and a Google but did not stumble on anything that stood out as useful.

The DNS rules on our Sourcefire module (ASA 5516-X) are matching and dropping queries to subdomains of a higher-level domain that I know is OK. Anything outside of that domain is potentially still sus. Is there a way to tell the module to ignore a particular domain and all its subdomains for a specific rule? If not, can it be done globally for all DNS traffic?

Specifics:

Intrusion Rule: (3:31738) PROTOCOL-DNS domain not found containing random-looking hostname - possible DGA detected

Matches a DNS query like: asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com

I know surbl.example.com is used legitimately by my mail system to look up dodgy domains. Firewalls dropping the query will cause inaccurate results for the mail system.

If someone did a query for asdfwertgsdfsdfasf.fdewqtargfasdf.net I would still want the SFR module to pick up on it however.

SFR module running v5.4

Thanks in advance for your thoughts and advice.

Phill
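The exemption the poster wants, "ignore surbl.example.com and everything under it, but still flag the bare random-looking name", as an added example that is not part of the original post and is not Sourcefire/Snort code or the logic of rule 3:31738. The allow-list domain comes from the post; the "random-looking" test is a simple stand-in heuristic; the DNS log lines are constructed for the example. The security-relevant detail is the suffix match: it must be done on a label boundary, otherwise an attacker-controlled evil-surbl.example.com would also slip past the rule.

```python
"""Allow-list a domain and all of its subdomains when deciding whether a
NXDOMAIN response for a random-looking query name should raise an alert.

Added illustration only: the heuristic below is a stand-in, not the logic
of Snort/Sourcefire rule 3:31738, and the log format is constructed.
"""
import re

# Domains whose subdomains legitimately carry random-looking labels, e.g. a
# mail server's SURBL lookups (domain taken from the post).
ALLOWLIST = ("surbl.example.com",)

VOWELS = set("aeiouy")
CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")


def normalize(name: str) -> str:
    """Lowercase and strip the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.strip().rstrip(".").lower()


def is_exempt(name: str, allowlist=ALLOWLIST) -> bool:
    """True if name equals an allow-listed domain or is one of its subdomains.

    The match is anchored on a label boundary ('.' + domain), so a name such
    as 'evil-surbl.example.com' is NOT exempt even though it ends in the same
    characters.
    """
    n = normalize(name)
    for dom in allowlist:
        d = normalize(dom)
        if n == d or n.endswith("." + d):
            return True
    return False


def looks_random(label: str) -> bool:
    """Crude DGA-style heuristic: a long label with few vowels or a long
    consonant run. Stand-in for the real rule's matching logic."""
    label = label.lower()
    if len(label) < 10:
        return False
    vowel_ratio = sum(c in VOWELS for c in label) / len(label)
    longest_run = max((len(m) for m in CONSONANT_RUN.findall(label)), default=0)
    return vowel_ratio < 0.25 or longest_run >= 5


def should_alert(query_name: str, rcode: str) -> bool:
    """Alert only on NXDOMAIN, only when some label looks random, and never
    for an allow-listed domain or its subdomains."""
    if rcode != "NXDOMAIN":
        return False
    if is_exempt(query_name):
        return False
    return any(looks_random(label) for label in normalize(query_name).split("."))


# Constructed sample log: timestamp, client, query name, response code.
SAMPLE_LOG = """\
2016-03-01T10:00:01Z 10.0.0.5 asdfwertgsdfsdfasf.fdewqtargfasdf.net.surbl.example.com NXDOMAIN
2016-03-01T10:00:02Z 10.0.0.7 asdfwertgsdfsdfasf.fdewqtargfasdf.net NXDOMAIN
2016-03-01T10:00:03Z 10.0.0.7 asdfwertgsdfsdfasf.evil-surbl.example.com NXDOMAIN
2016-03-01T10:00:04Z 10.0.0.9 update.vendor-services.example.org NXDOMAIN
2016-03-01T10:00:05Z 10.0.0.9 asdfwertgsdfsdfasf.fdewqtargfasdf.net NOERROR
"""


def process_log(text: str) -> list:
    """Return the query names that would raise an alert."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _src, qname, rcode = line.split()
        if should_alert(qname, rcode):
            alerts.append(qname)
    return alerts


if __name__ == "__main__":
    for name in process_log(SAMPLE_LOG):
        print("ALERT", name)
```

Run against the sample log, only the bare DGA-looking name and the look-alike evil-surbl.example.com query are reported: the legitimate SURBL lookup is exempt, the ordinary hostname has no random-looking label, and the NOERROR response is ignored regardless of its name.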
