From 1c79f2a5c64982d1a1a36c6f4f7427733b8dc411 Mon Sep 17 00:00:00 2001
From: alya
Date: Thu, 14 Nov 2024 13:45:07 +0200
Subject: [PATCH] dns.py: check for whitelisted whitelist dst domains when detecting DGA
---
 modules/flowalerts/dns.py | 2 +-
 slips_files/core/helpers/whitelist/domain_whitelist.py | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/modules/flowalerts/dns.py b/modules/flowalerts/dns.py
index 30f889f83..310708968 100644
--- a/modules/flowalerts/dns.py
+++ b/modules/flowalerts/dns.py
@@ -311,7 +311,7 @@ def detect_dga(self, profileid, twid, flow):
 or flow.query.endswith(".arpa")
 or flow.query.endswith(".local")
 or self.flowalerts.whitelist.domain_analyzer.is_whitelisted(
- flow.query, Direction.SRC, "alerts"
+ flow.query, Direction.DST, "alerts"
 )
 ):
 return False
diff --git a/slips_files/core/helpers/whitelist/domain_whitelist.py b/slips_files/core/helpers/whitelist/domain_whitelist.py
index 1dcd9ad47..112c6eaf3 100644
--- a/slips_files/core/helpers/whitelist/domain_whitelist.py
+++ b/slips_files/core/helpers/whitelist/domain_whitelist.py
@@ -62,7 +62,7 @@ def is_whitelisted(
 the given domain
 :param domain: domain to check if whitelisted
 :param direction: is the given domain src or dst domain?
- :param should_ignore: can be flows or alerts
+ :param should_ignore: which whitelist to check? can be flows or alerts
 """
 if not isinstance(domain, str):
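Review bot: The changed `is_whitelisted(flow.query, Direction.DST, "alerts")` call needs a one-line comment, because treating a DNS query name as a destination domain is not obvious to a reader who only sees the `Direction` value; suggest `# the queried name is the domain the host is reaching for, so match it against dst-domain whitelist entries` above the `or self.flowalerts.whitelist.domain_analyzer.is_whitelisted(` line. A whitelist hit makes detect_dga return False before any DGA scoring, so if `is_whitelisted` also matches subdomains of a whitelisted entry (not visible in this hunk), every query under such a domain is exempt from DGA detection; worth confirming that is the intended scope. The whitelist lookup is the last term of the `or` chain after the cheap `.arpa`/`.local` suffix checks, which looks deliberate. detect_dga starts before the hunk and its body continues after the `return False`.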
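Review bot: The reworded `should_ignore` line still leaves the accepted values informal, and the parameter name does not convey that it selects a whitelist, so spell the literals out: `:param should_ignore: which whitelist to consult: "flows" or "alerts"`. The only validation visible in the hunk is `if not isinstance(domain, str):`, so a caller passing another value for `should_ignore` would presumably fall through silently; a check, or at least a sentence in the docstring saying what happens for other values, would help. The is_whitelisted signature starts before the hunk and its body continues after it.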