Configuring Suricata Datasets for enabling IDS

I have successfully set up Suricata as an IDPS on my PC. Now I am trying to create a signature rule to generate an alert for the Zoom, Spotify and Mega applications with the help of the datasets keyword from the Suricata documentation. But no logs are generated by Suricata. I think I am configuring the dataset in the wrong way.
Kindly please help me.

Thanks & Regards
Prateek Sharma
prateeksharmaknl278@gmail.com

@Eric_Leblond
Please help sir.
Big Fan.

Multiple points here:

  • the dataset is of type string, so the file needs base64 encoding
  • a dataset is a full-string match, so you need to put the full hostname and not a substring

So if I put the full domain name in dns-bl.lst, such as zoom.us and so on, will it work?

You need to look at the DNS events generated when you sniff the traffic with Suricata and then reuse the value.

Sir, I looked at the DNS traffic that I captured in Wireshark. The domain name for Zoom is zoom.us. When I created a normal rule to detect Zoom traffic, it worked. I just put the zoom keyword in the content of my signature rule.

So yes, put zoom.us in the dataset.

Steps:

  1. I created a dns-bl.lst file in /etc/suricata/rules
  2. In dns-bl.lst I put zoom.us, mega.io, open.spotify.com
  3. Add datasets:
       dns-bl:
         type: string
         state: dns-bl.lst
  4. Go to /etc/suricata/rules/custom.rules and add a custom rule, i.e. alert ip any any -> any any (msg:”APP_DETECT”; dns.query; dataset:isset,dns-bl; sid:123; rev:1;)
  5. Go to the suricata.yaml file and add custom.rules under rule-files
  6. Run command iptables -t mangle -I INPUT -j NFQUEUE --queue-num 1
  7. Run command iptables -t mangle -I OUTPUT -j NFQUEUE --queue-num 1
  8. service suricata restart
  9. tail -100f /var/log/suricata/fast.log
  10. Not getting the alerts.

Sir, all the configuration files are correct, as I created many rules and also tested them. Suricata works properly with those rules. I am just enthusiastic to create signature rules using datasets.
Help me!!
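As an added example (my own code, not code from this thread or from the Suricata project), a small Python script that builds the dns-bl.lst state file the way a `type: string` dataset expects it, covering both points Eric made: every line is the base64 encoding of one value, and every value is a full hostname that can equal a dns.query value exactly. The three hostnames are the ones from the steps; the hostname check, the function names and the output path are my own assumptions.

```python
import base64
import re
from pathlib import Path

# Hostnames from the thread's dns-bl.lst (constructed input for this example)
BLOCKLIST = ["zoom.us", "mega.io", "open.spotify.com"]

# A dns.query value is a bare, dot-separated hostname: no scheme, path or port.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def validate_hostname(name: str) -> str:
    """Normalise one entry and reject anything that could never equal a dns.query value.

    A dataset match is an exact, full-string comparison, so a substring such as
    'zoom' or a URL such as 'https://zoom.us/' would silently never match.
    """
    n = name.strip().lower().rstrip(".")
    if "://" in n or "/" in n or ":" in n:
        raise ValueError(f"{name!r} looks like a URL, not a hostname")
    if not HOSTNAME_RE.match(n):
        raise ValueError(f"{name!r} is not a full hostname (e.g. 'zoom.us')")
    return n


def encode_string_dataset(names):
    """Lines for a 'type: string' state file: one base64-encoded value per line."""
    return [base64.b64encode(validate_hostname(n).encode()).decode() for n in names]


def decode_string_dataset(lines):
    """Read a state file back (base64-decode each line) to see what will actually be matched."""
    return [base64.b64decode(line.strip()).decode() for line in lines if line.strip()]


def write_state_file(path, names):
    """Write the file referenced by 'state:' in suricata.yaml and return its path."""
    p = Path(path)
    p.write_text("\n".join(encode_string_dataset(names)) + "\n")
    return p


if __name__ == "__main__":
    # In the thread the file lives at /etc/suricata/rules/dns-bl.lst; written locally here.
    out = write_state_file("dns-bl.lst", BLOCKLIST)
    lines = out.read_text().splitlines()
    for raw, decoded in zip(lines, decode_string_dataset(lines)):
        print(f"{raw:<28} -> {decoded}")
```

After copying the generated file into place, `suricata -T -c /etc/suricata/suricata.yaml` tests the configuration and reports a dataset that fails to load, which is the quickest way to see the error Eric refers to.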

Run Suricata on the command line to see the errors. The dataset file, for example, is not base64 encoded, so you should have a message in the log.

The quotes which I’ve highlighted in blue are not normal quotes. Replace them with " instead of the “directional” quotes.

This is common when copy/pasting from rich text editors. I’ve suffered from this problem WAY too much.

Wonder if we can “just” support the directional quotes.

Shouldn’t be hard… Should proper symmetry be enforced as in must be terminated with a . Or allow nesting?

alert ... (msg:"Directional “directional” quotes found"; ...)

Expectations may differ here.

I have corrected all the errors that are appearing in the previous photo. Now the current status is this.

@ish @Eric_Leblond
Respected Members,
Finally, I am getting logs. But it is still not working.
I have some queries, mentioned below: the websites with the same domain names are still opening and the corresponding applications are working. Kindly check my steps and resolve my query as to why the websites are still working. I am still confused whether the applications are blocked by my signature rule or there is some network issue, because the logs are generated without opening the specific applications I mentioned in the dataset (dns-bl.lst).
Steps:

  • suricata.yaml -> datasets:
      dns-bl:
        type: string
        state: dns-bl.lst

  • Create a dataset file named dns-bl.lst:
      zoom.us
      open.spotify.com
      mega.io

  • Create a Suricata custom rule: drop ip any any -> any any (msg:“Datasets Configured”; dns_query; dataset:set,dns-bl,type string; sid:2736971; rev:1;)

List of queries:

  • Getting logs without opening the specific applications mentioned in the dataset.
  • The URLs are still working after the execution of the signature rule: https://zoom.us/ https://open.spotify.com/ https://mega.io/
  • As mentioned in the documentation it should be dataset:isset,dns-bl, but with this not a single log is generated, whereas with dataset:set,dns-bl logs are generated.
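To show why the first and third queries above go together, here is an added example (my own model, not Suricata's code) that applies the dataset keyword commands to a constructed stream of dns.query values loaded from a base64 state file. The semantics modelled are my reading of the keyword and should be checked against the Suricata documentation for your version: isset matches only values already in the dataset, isnotset the opposite, and set inserts the observed value and matches when it was not yet present. Under that model a set rule alerts on every first-seen hostname, listed or not, while an isset rule that never fires points at the state file or the rule not loading. The hostnames and the query sequence are constructed.

```python
import base64


def load_string_dataset(lines):
    """Load a 'type: string' state file: each non-empty line is one base64 value."""
    return {base64.b64decode(line.strip()).decode() for line in lines if line.strip()}


class DatasetKeyword:
    """Model of 'dataset:<cmd>,<name>' applied to a sticky buffer such as dns.query.

    Assumed semantics (verify against the Suricata docs for your version):
      isset    -> match if the value is already in the dataset
      isnotset -> match if it is not
      set      -> add the value; match only when it was not already present
    """

    def __init__(self, cmd, values):
        if cmd not in ("isset", "isnotset", "set"):
            raise ValueError(f"unknown dataset command {cmd!r}")
        self.cmd = cmd
        self.values = set(values)

    def match(self, value):
        if self.cmd == "isset":
            return value in self.values
        if self.cmd == "isnotset":
            return value not in self.values
        if value in self.values:  # 'set': already known, nothing added, no match
            return False
        self.values.add(value)
        return True


def evaluate(cmd, state_lines, queries):
    """Run one rule over a stream of dns.query values.

    Returns (values that alerted, in order; sorted final dataset contents).
    """
    kw = DatasetKeyword(cmd, load_string_dataset(state_lines))
    alerts = [q for q in queries if kw.match(q)]
    return alerts, sorted(kw.values)


# Constructed state file (base64 of the thread's dns-bl.lst entries) and a
# constructed sequence of DNS queries as a host might issue them.
STATE_LINES = [base64.b64encode(h.encode()).decode()
               for h in ("zoom.us", "open.spotify.com", "mega.io")]
QUERIES = ["example.com", "zoom.us", "example.com", "cdn.example.net", "open.spotify.com"]

if __name__ == "__main__":
    for cmd in ("isset", "set"):
        alerts, final = evaluate(cmd, STATE_LINES, QUERIES)
        print(f"dataset:{cmd:<6} alerts on {alerts}; dataset now has {len(final)} entries")
```

Running it prints two lines: the isset rule alerts only on zoom.us and open.spotify.com, while the set rule alerts on example.com and cdn.example.net and grows the dataset to five entries. That growth is what a drop rule with dataset:set would act on: the first query for any new name, not the names in the list.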

@Eric_Leblond @Regit @ish
I have been waiting for your reply to resolve my query since yesterday.
Please help me.