Slips is detecting spamhaus lookups as possible DGA #1746

@AlyaGomaa

Output: matterhorn at /StratosphereLinuxIPS/output/alya_testing_latency_after_optimizing_profiler

2025-11-28T20:30:33.374545+00:00 (TW 9): Src IP X . Detected Possible DGA or domain scanning. X failed to resolve 10 different domains threat level: high.

{"Version": "2.0.3", "Analyzer": {"IP": "147.32.80.37", "Name": "Slips", "Model": "1.1.15", "Category": ["NIDS"], "Data": ["Flow", "Network"], "Method": ["Heuristic"]}, "Status": "Event", "ID": "ac33998d-57f8-48ce-8a0c-5c05d3455972", "Severity": "High", "StartTime": "2025-11-28T20:30:33.374545+00:00", "CreateTime": "2025-11-28T21:53:03.919066+00:00", "Confidence": 0.1.........., "Note": "{"uids": ["CrdCTNwaOetPPQW8l", "CaaYwdGVNnv64oxXd", "CUpVQp1zwSgGPgF9o6", "CEl08c3Vb8ezyjWow6", "CRhvWCg6zty8iBoPc", "CySWzf3kz9pvZYmLsf", "CaQSMGnHWAuazfAO9", "CIooHf33YufD2Ayk5i", "CgDwGekWMYA90r39", "CgV1HA2PZlY4w92hv4"], "accumulated_threat_level": 6.000000000000004, "threat_level": "high", "timewindow": 9}"}

All flows correspond to spamhaus or whois DNS lookups; should alerts from these domains be whitelisted/excluded from DGA evidence, since they're done by slips?
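As an added illustration (not Slips's own code): a minimal form of the failed-resolution heuristic with the exclusion the issue asks about, so the sensor's own DNSBL and whois lookups no longer count toward the DGA threshold. The Spamhaus zone list, the `whois.` prefix rule, the host addresses and the sample flows are assumptions constructed for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
# Lookups the sensor makes on its own behalf (assumed Spamhaus DNSBL zones; a
# "not listed" answer is NXDOMAIN, which is why they look like failed resolutions).
SELF_LOOKUP_SUFFIXES = (".zen.spamhaus.org", ".sbl.spamhaus.org",
                        ".xbl.spamhaus.org", ".pbl.spamhaus.org",
                        ".dbl.spamhaus.org")
DGA_THRESHOLD = 10  # distinct failed domains per source, as in the alert above

@dataclass(frozen=True)
class DnsFlow:
    uid: str
    src_ip: str
    query: str
    rcode_name: str  # Zeek-style answer code, e.g. "NXDOMAIN" or "NOERROR"

def is_self_generated_lookup(query: str) -> bool:
    # Trailing dot and case are normalised before matching; the "whois."
    # prefix rule is a hypothetical stand-in for the whois servers Slips queries.
    q = query.rstrip(".").lower()
    return q.endswith(SELF_LOOKUP_SUFFIXES) or q.startswith("whois.")

def failed_domains_by_src(flows, exclude_self_lookups=True):
    # Distinct NXDOMAIN names per source IP, optionally minus the sensor's own lookups.
    failed = defaultdict(set)
    for f in flows:
        if f.rcode_name != "NXDOMAIN":
            continue
        if exclude_self_lookups and is_self_generated_lookup(f.query):
            continue
        failed[f.src_ip].add(f.query.rstrip(".").lower())
    return failed

def dga_suspects(flows, exclude_self_lookups=True, threshold=DGA_THRESHOLD):
    # Sources whose distinct failed-resolution count reaches the threshold.
    per_src = failed_domains_by_src(flows, exclude_self_lookups)
    return {ip: len(d) for ip, d in per_src.items() if len(d) >= threshold}

# Constructed sample: the sensor host (10.0.0.2) makes ten reverse-IP Spamhaus
# checks plus three random-looking failures; 10.0.0.5 has ten genuine failures.
SAMPLE_FLOWS = (
    [DnsFlow(f"Cself{i}", "10.0.0.2", f"{i}.8.0.10.zen.spamhaus.org", "NXDOMAIN")
     for i in range(10)]
    + [DnsFlow("Crnd1", "10.0.0.2", "qzx8v2kd.net", "NXDOMAIN"),
       DnsFlow("Crnd2", "10.0.0.2", "wp4t7hjs.com", "NXDOMAIN"),
       DnsFlow("Crnd3", "10.0.0.2", "m9x2vqlr.org", "NXDOMAIN")]
    + [DnsFlow(f"Cdga{i}", "10.0.0.5", f"k{i}w9q3zx{i}.com", "NXDOMAIN")
       for i in range(10)]
)
```

Without the exclusion the sensor host itself crosses the threshold (13 failures); with it, only the host with ten genuine random-looking failures is reported.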

Labels: Bug (A bug that needs to be fixed)


Status: Todo
