Datasets not working

Please include the following information with your help request:

  • 6.0.10
  • debian
  • installed from packages

We have configured a dataset like this:

datasets:
  allow-absolute-filenames: true
  rules:
    allow-absolute-filenames: true
    allow-write: true
  dns-bl:
    type: string
    state: /var/lib/suricata/internal/dns-bl.list

The file /var/lib/suricata/internal/dns-bl.list exists and contains base64-encoded strings.
The rule we are using is this:

alert dns 10.122.65.0/24 any -> any any (msg:"DENIC dns.query to malicious site";classtype:denic-informational; dns.query; dataset:isset,dns-bl;sid:1000012;rev:1)

But we can't trigger an alert when running dig against a domain listed in the dns-bl.list file.
Any help would be appreciated.
Regards
Thorsten

Hi,

First of all, 6.0.10 is very old; the latest stable release for the 6.0 branch is 6.0.20, which is also the last release since version 6 is EOL. So upgrading to version 7 is recommended.

Please post the suricata --build-info output, the full suricata.yaml (remove sensitive data), the run command that you use, and also the suricata.log to check for messages there.

In addition to that, check the eve.json to see whether there are related flow and dns events for your dig tests, so that you know Suricata actually sees the traffic.
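As an added example (not code from either poster or from the Suricata project), the script below does two of the checks that come up in a thread like this one: it builds a string dataset file in the format Suricata loads (one base64-encoded value per line) and then walks eve.json dns query events to report whether each queried name would be found by dataset:isset. A string dataset is an exact byte match against the buffer, so an entry that differs from the on-the-wire name only in case, or that carries a trailing dot (as copied from dig or zone output), will not match; the checker flags both. The eve.json lines are constructed here and shaped like the Suricata 6 dns query events (event_type "dns", dns.type "query", dns.rrname); that shape, and the assumption that the dns.query buffer carries no trailing dot, are the author's assumptions, not facts taken from the post.

```python
import base64
import json

# Constructed blocklist for the example (not the poster's real list).
# Note the mixed case and the trailing dot: both are deliberate mistakes
# that the checker below is meant to surface.
DOMAINS = ["malicious.example", "Bad-Host.example", "dotted.example."]


def encode_dataset(domains):
    """Produce the content of a Suricata string dataset file.

    Each value is stored as one base64 line; this is the on-disk format
    Suricata expects for 'type: string' datasets.
    """
    return "\n".join(base64.b64encode(d.encode()).decode() for d in domains) + "\n"


def load_dataset(text):
    """Decode a string dataset file back into the exact byte values
    Suricata will compare the buffer against. Blank lines and '#' comments
    are skipped (assumption: treated as non-entries)."""
    values = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        values.add(base64.b64decode(line, validate=True))
    return values


# Constructed eve.json lines, shaped like Suricata 6 dns events (assumption).
EVE_LINES = [
    json.dumps({"event_type": "dns", "src_ip": "10.122.65.10",
                "dns": {"type": "query", "id": 1, "rrname": "malicious.example", "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "src_ip": "10.122.65.10",
                "dns": {"type": "query", "id": 2, "rrname": "bad-host.example", "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "src_ip": "10.122.65.10",
                "dns": {"type": "query", "id": 3, "rrname": "dotted.example", "rrtype": "A"}}),
    json.dumps({"event_type": "dns", "src_ip": "10.122.65.10",
                "dns": {"type": "query", "id": 4, "rrname": "unrelated.example", "rrtype": "A"}}),
    # Non-query events are ignored by the checker: a flow record and a dns answer.
    json.dumps({"event_type": "flow", "src_ip": "10.122.65.10", "dest_port": 53}),
    json.dumps({"event_type": "dns", "dns": {"type": "answer", "id": 1, "rrname": "malicious.example"}}),
]


def check_queries(eve_lines, values):
    """Classify each dns query name against the dataset values.

    Returns a list of (rrname, status) with status one of:
      'exact'         - dataset:isset would match (identical bytes)
      'case-mismatch' - an entry exists but differs only in case
      'trailing-dot'  - an entry exists only with a trailing '.'
      'absent'        - nothing in the dataset resembles the name
    """
    lowered = {v.lower() for v in values}
    results = []
    for line in eve_lines:
        ev = json.loads(line)
        if ev.get("event_type") != "dns":
            continue
        dns = ev.get("dns", {})
        if dns.get("type") != "query":
            continue
        name = dns["rrname"].encode()
        if name in values:
            status = "exact"
        elif name + b"." in values:
            status = "trailing-dot"
        elif name.lower() in lowered:
            status = "case-mismatch"
        else:
            status = "absent"
        results.append((dns["rrname"], status))
    return results


if __name__ == "__main__":
    dataset = load_dataset(encode_dataset(DOMAINS))
    for rrname, status in check_queries(EVE_LINES, dataset):
        print(f"{rrname:<20} {status}")
```

When run against a real deployment, replace DOMAINS with the decoded content of the state file (load_dataset on the file's text) and EVE_LINES with lines read from eve.json; a name that shows up as 'absent' while the rule should fire means the traffic never reached the dns parser at all, which is the case the reply above asks to rule out first.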