diff --git a/rules/linux/lnx_susp_named.yml b/rules/linux/lnx_susp_named.yml
index 6e6709240..128300cc2 100644
--- a/rules/linux/lnx_susp_named.yml
+++ b/rules/linux/lnx_susp_named.yml
@@ -10,10 +10,10 @@ logsource:
     product: linux
     service: syslog
 detection:
-    keywords|contains:
-        - ' dropping source port zero packet from '
-        - ' denied AXFR from '
-        - ' exiting (due to fatal error)'
+    keywords:
+        - '* dropping source port zero packet from *'
+        - '* denied AXFR from *'
+        - '* exiting (due to fatal error)*'
     condition: keywords
 falsepositives:
     - Unknown
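Review bot: The three new keyword values only parse correctly because they stay single-quoted — an unquoted leading `*` is a YAML alias sigil and would break the rule on the next careless edit — and nothing in the hunk records that or why the `|contains` modifier was dropped (presumably because value modifiers are not applied to a bare `keywords` list). A short comment above `keywords:` would protect both decisions: `# keep quoted: a leading '*' is a YAML alias outside quotes; wildcards replace the unsupported |contains modifier`. The leading and trailing `*` preserve the substring semantics of the old values, although backends that tokenize free-text keywords on whitespace may treat these multi-word phrases differently from a field match, which is worth confirming against the target backend. Since `exiting (due to fatal error)` also fires on benign named shutdowns from misconfiguration, the unchanged `falsepositives: - Unknown` could be sharpened to name that case.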