False positive for SID 2015813?: DNS Query Sinkhole Domain

I rather doubt that is a dubious DNS server.
05/13/2023-22:26:21.656297 [Drop] [**] [1:2015813:8] ET MALWARE DNS Query Sinkhole Domain Various Families (Possible Infected Host) [**] [Classification: Potentially Bad Traffic] [Priority: 2] {UDP} ->

Hi @jimoe - for this particular signature the alert is against the activity of the host - not the destination (DNS server in this case).

Here, a host within your network has queried against torpig-sinkhole[dot]org (a sinkhole domain for the torpig botnet) - it’s possible this host is infected. The alert itself is not an indictment against the queried DNS server.