Dataset rules not triggering at all

AntoninHL · December 7, 2023, 2:50pm

Hi teams,

I try to use dataset with rules.

I created a specific rule using dataset.

I have double check that each line contains only the datasets base64 string and nothing else - no spaces at the end of the line,tabs,carriage returns etc …

But no alert raised with this rule…
It works with basic rules not using dataset…

Any idea?

Thanks

Antonin

sbhardwaj · December 8, 2023, 7:45am

Hi @AntoninHL ! Welcome to our forum!
Could you please share the rules and if possible a pcap which you’d expect them to alert on?
Also, the Suricata version that you’re running.

vjulien · December 8, 2023, 6:35pm

There are working examples in our regression test suite, e.g.

Topic		Replies	Views
Dataset rules not triggering Rules	3	707	February 8, 2021
Help with datasets and DNS Rules	7	1517	March 11, 2024
Dns.query and dataset Rules	11	4686	November 29, 2020
Dataset match in rule message? Rules	3	767	May 4, 2021
Suricata-update - Error -- Dataset file was not found Rules	2	97	July 31, 2024

Dataset rules not triggering at all

Related topics