Please include the following information with your help request:
- 6.0.10
- debian
- installed from packages
We have configured a dataset like this:

```yaml
datasets:
  allow-absolute-filenames: true
  rules:
    allow-absolute-filenames: true
    allow-write: true
  dns-bl:
    type: string
    state: /var/lib/suricata/internal/dns-bl.list
```
The file `/var/lib/suricata/internal/dns-bl.list` exists and contains base64-encoded strings.
The rule we are using is this:

```
alert dns 10.122.65.0/24 any -> any any (msg:"DENIC dns.query to malicious site"; classtype:denic-informational; dns.query; dataset:isset,dns-bl; sid:1000012; rev:1;)
```

But we can't trigger an alert when running `dig` for a domain listed in the `dns-bl.list` file.
Any help would be appreciated.
Regards
Thorsten
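A small check for the situation described in the post, added here as an example that is not part of the original question or of Suricata itself: it writes dataset entries the way a `type: string` dataset stores them (one base64 value per line) and tests whether a queried name would match with exact `dataset:isset` semantics. The domain names and the file path are constructed assumptions, not taken from the poster's list.

```python
import base64
from pathlib import Path

# Constructed sample domains; a real dns-bl.list would hold the operator's own entries.
BLOCKLIST_DOMAINS = ["bad.example", "evil.example.net"]


def encode_dataset_entries(domains):
    """Return the lines a Suricata 'string' dataset file holds: base64 of each raw value."""
    return [base64.b64encode(d.encode("ascii")).decode("ascii") for d in domains]


def decode_dataset_entries(lines):
    """Reverse the encoding so an existing list file can be inspected."""
    return {
        base64.b64decode(line.strip()).decode("ascii")
        for line in lines
        if line.strip()
    }


def is_listed(query_name, dataset_lines):
    """dataset:isset compares the dns.query buffer byte-for-byte with the decoded
    entries, so 'bad.example.' (trailing dot) or 'BAD.example' are *not* the same
    entry as 'bad.example'. This mirrors that exact-match behaviour."""
    return query_name in decode_dataset_entries(dataset_lines)


def write_dataset(path, domains):
    """Write the encoded list; returns the number of entries written."""
    lines = encode_dataset_entries(domains)
    Path(path).write_text("\n".join(lines) + "\n")
    return len(lines)


if __name__ == "__main__":
    # Hypothetical path; the post uses /var/lib/suricata/internal/dns-bl.list.
    write_dataset("/tmp/dns-bl.list", BLOCKLIST_DOMAINS)
    stored = Path("/tmp/dns-bl.list").read_text().splitlines()
    for name in ("bad.example", "bad.example.", "BAD.example"):
        print(name, "->", "match" if is_listed(name, stored) else "no match")
```

Decoding the deployed list with `decode_dataset_entries` and comparing it against the name that `dig` actually sends is a quick way to rule out an encoding or spelling mismatch before looking elsewhere.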