From feb7d0e187d2a6276d2b1ecbd0c2f8713d683bb8 Mon Sep 17 00:00:00 2001
From: Nate Guagenti
Date: Mon, 23 Aug 2021 14:11:04 -0400
Subject: [PATCH] Update zeek_dns_mining_pools.yml

---
 rules/network/zeek/zeek_dns_mining_pools.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/network/zeek/zeek_dns_mining_pools.yml b/rules/network/zeek/zeek_dns_mining_pools.yml
index 8be5222b3..91d878243 100644
--- a/rules/network/zeek/zeek_dns_mining_pools.yml
+++ b/rules/network/zeek/zeek_dns_mining_pools.yml
@@ -93,8 +93,8 @@ detection:
 exclude_rejected:
 rejected: "true"
 condition: selection and not (exclude_answers OR exclude_rejected)
-falsepositives: |
- A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
+falsepositives:
+ - A DNS lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those IPs. b) verify if HTTP, SSL, or TLS activity to the domain that was queried. http.log field is "host" and ssl/tls is "server_name".
 fields:
 - id.orig_h
 - id.resp_h
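Review bot: The new `- A DNS lookup ...` entry keeps the entire triage paragraph on a single plain-scalar line, which is far past any reasonable line length and bundles two distinct verification steps (the DNS answers/conn.log check and the http.log/ssl.log check) into one list item; a folded block scalar per step keeps the list shape the rule schema wants while making each false-positive scenario independently readable. The embedded double quotes around `"host"` and `"server_name"` parse fine in a plain scalar that does not start with a quote, and a folded scalar preserves them unchanged. The item's indentation is not visible in the collapsed hunk, so confirm it matches the rest of the file's sequence indent. The enclosing rule continues outside the hunk on both sides.
```yaml
falsepositives:
  - >-
    A DNS lookup does not necessarily mean a successful attempt; verify
    whether there was a response using the zeek answers field, and if so
    verify the connections (conn.log) to those IPs.
  - >-
    Verify whether there was HTTP, SSL, or TLS activity to the domain that
    was queried (http.log field "host", ssl/tls field "server_name").
# … unchanged: fields list …
```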