LoFP / a dns lookup does not necessarily mean a successful attempt, verify a) if there was a response using the zeek answers field, if there was then verify the connections (conn.log) to those ips. b) verify if http, ssl, or tls activity to the domain that was queried. http.log field is 'host' and ssl/tls is 'server_name'.

condition: selection and not 1 of exclude_*
exclude_answers:
  answers:
  - 127.0.0.1
  - 0.0.0.0
exclude_rejected:
  rejected: 'true'
selection:
  query|endswith:
  - monerohash.com
  - do-dear.com
  - xmrminerpro.com
  - secumine.net
  - xmrpool.com
  - minexmr.org
  - hashanywhere.com
  - xmrget.com
  - mininglottery.eu
  - minergate.com
  - moriaxmr.com
  - multipooler.com
  - moneropools.com
  - xmrpool.eu
  - coolmining.club
  - supportxmr.com
  - minexmr.com
  - hashvault.pro
  - xmrpool.net
  - crypto-pool.fr
  - xmr.pt
  - miner.rocks
  - walpool.com
  - herominers.com
  - gntl.co.uk
  - semipool.com
  - coinfoundry.org
  - cryptoknight.cc
  - fairhash.org
  - baikalmine.com
  - tubepool.xyz
  - fairpool.xyz
  - asiapool.io
  - coinpoolit.webhop.me
  - nanopool.org
  - moneropool.com
  - miner.center
  - prohash.net
  - poolto.be
  - cryptoescrow.eu
  - monerominers.net
  - cryptonotepool.org
  - extrmepool.org
  - webcoin.me
  - kippo.eu
  - hashinvest.ws
  - monero.farm
  - linux-repository-updates.com
  - 1gh.com
  - dwarfpool.com
  - hash-to-coins.com
  - pool-proxy.com
  - hashfor.cash
  - fairpool.cloud
  - litecoinpool.org
  - mineshaft.ml
  - abcxyz.stream
  - moneropool.ru
  - cryptonotepool.org.uk
  - extremepool.org
  - extremehash.com
  - hashinvest.net
  - unipool.pro
  - crypto-pools.org
  - monero.net
  - backup-pool.com
  - mooo.com
  - freeyy.me
  - cryptonight.net
  - shscrypto.net