datasets:
  # Default fallback memcap and hashsize values for datasets in case these
  # were not explicitly defined.
  defaults:
    memcap: 100mb
    hashsize: 2048
  test:
    type: sha256
    load: /etc/suricata/test.list
Creating the list:
echo -n "test.xyz" | sha256sum | awk '{print $1}' > test.list
The test rule:
alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256 dataset:isset,test; sid:1;)
I tried changing the type to string (type: string in the YAML), doing echo -n test.xyz | base64 > test.list instead, and removing to_sha256. That works.
Tested using the jasonish Docker container running 6.0.2.
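The setup from the post above as one runnable script. This is an added example, not code from the thread or from Suricata: it builds the sha256 list the way the rule's to_sha256 expects (hash of the raw query-name bytes, so no trailing newline), builds the base64 variant for a type: string dataset, and simulates dataset:isset with a hash-and-grep so the two list formats can be checked outside the engine. Domain names and the temporary paths are constructed; the thread's /etc/suricata/test.list is not touched.

```shell
#!/bin/sh
# Build Suricata dataset files for the dns_query + to_sha256 / string cases
# and reproduce the isset lookup locally. Added example; paths and domains
# are constructed for illustration.
set -eu

# Hex SHA-256 of stdin; falls back to shasum where sha256sum is absent.
sha256_hex() {
    { if command -v sha256sum >/dev/null 2>&1; then sha256sum; else shasum -a 256; fi; } \
        | awk '{print $1}'
}

# Hash exactly the bytes of the name, as to_sha256 does with the dns_query
# buffer. printf '%s' avoids the newline that a bare echo would append.
hash_domain() { printf '%s' "$1" | sha256_hex; }

# The common mistake, kept only to show that it yields a different hash.
hash_domain_with_newline() { printf '%s\n' "$1" | sha256_hex; }

# type: sha256 dataset: one hex hash per line.
build_sha256_list() {
    out=$1; shift
    : > "$out"
    for d in "$@"; do hash_domain "$d" >> "$out"; done
}

# type: string dataset: one base64-encoded raw value per line.
build_string_list() {
    out=$1; shift
    : > "$out"
    for d in "$@"; do printf '%s' "$d" | base64 >> "$out"; done
}

# Local stand-in for `dataset:isset,<name>` on a sha256 dataset:
# exact whole-line match of the hashed query name. Prints hit/miss.
isset_sha256() {
    if grep -qxF "$(hash_domain "$2")" "$1"; then echo hit; else echo miss; return 1; fi
}

# Same for a string dataset (rule without to_sha256, entries base64).
isset_string() {
    if grep -qxF "$(printf '%s' "$2" | base64)" "$1"; then echo hit; else echo miss; return 1; fi
}

demo() {
    tmp=$(mktemp -d)
    build_sha256_list "$tmp/test.list" test.xyz evil.example
    build_string_list  "$tmp/test-string.list" test.xyz evil.example
    isset_sha256 "$tmp/test.list" test.xyz || true          # hit
    isset_sha256 "$tmp/test.list" benign.example || true    # miss
    isset_string "$tmp/test-string.list" evil.example || true  # hit
    rm -rf "$tmp"
}

demo
```

Pair each list with the matching rule: the sha256 list goes with `dns_query; to_sha256; dataset:isset,test;` and `type: sha256`, the base64 list with `dns_query; dataset:isset,test;` and `type: string`; mixing them gives no alert and no error.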
In general, if the rrname matches, it will and should alert.
If you test with base64, then you need to remove the to_sha256 from the rule (and change the type to string in the YAML config as well). Just for record keeping; you might have already done it.
Can you try a basic test: match on the domain without any datasets, just a regular rule-based domain match, to confirm everything is OK with the setup.
My bad. I did a double take and I must have missed something.
This works for me now.
Same hash in the list, type: sha256, and alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256; dataset:isset,test; sid:1;) in the rule file.
Is there a way to get how many entries for each dataset have actually been loaded? Some data may be bad and gets rejected by Suricata. It would be really helpful to know how much data actually got loaded into the engine.
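A local pre-check that goes with the question above. It is an added example, not an answer from the thread and not a Suricata feature: it counts which lines of a dataset file are well-formed for the declared type (hex for md5 and sha256, base64 for string, the encodings the Suricata dataset docs specify) and lists the offenders with line numbers, so bad lines can be found before loading. It reports syntax only, not the engine's own loaded count. The sample file is constructed and includes a CRLF-terminated line. One caveat it makes visible: a hex hash is syntactically valid base64, so a sha256 list loaded under type: string is not rejected at all, it simply never matches.

```shell
#!/bin/sh
# Syntax check for Suricata dataset files: count accepted vs rejected lines
# per declared type. Added example; the sample file is constructed.
# Assumption: blank lines carry no entry and are not counted either way.
set -eu

# Regex for one well-formed line of the given dataset type.
dataset_regex() {
    case "$1" in
        sha256) echo '^[0-9a-fA-F]{64}$' ;;
        md5)    echo '^[0-9a-fA-F]{32}$' ;;
        string) echo '^([A-Za-z0-9+/]{4})*([A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$' ;;
        *) echo "unknown dataset type: $1" >&2; return 2 ;;
    esac
}

# Prints "<accepted> <rejected>" for FILE of TYPE (string|md5|sha256).
check_dataset() {
    file=$1; re=$(dataset_regex "$2")
    total=$(grep -cv '^$' "$file" || true)
    ok=$(grep -v '^$' "$file" | grep -cE "$re" || true)
    echo "$ok $((total - ok))"
}

# Lists rejected lines as "<lineno>:<content>" so they can be fixed.
list_rejected() {
    file=$1; re=$(dataset_regex "$2")
    grep -nvE "$re" "$file" | grep -v '^[0-9]*:$' || true
}

# Constructed sample: one well-formed sha256 (the hash of "test"), junk,
# a blank line, base64 of "test.xyz", a base64 string with bad padding,
# and a base64 line ending in CR LF as a Windows editor would leave it.
make_sample_file() {
    f=$(mktemp)
    {
        printf '%s\n' 9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08
        printf '%s\n' not-a-hash
        printf '\n'
        printf '%s\n' dGVzdC54eXo=
        printf '%s\n' ABCDEF
        printf 'dGVzdA==\r\n'
    } > "$f"
    echo "$f"
}

demo() {
    f=$(make_sample_file)
    for t in sha256 md5 string; do
        echo "$t: $(check_dataset "$f" "$t") (accepted rejected)"
        list_rejected "$f" "$t" | sed 's/^/  rejected /'
    done
    rm -f "$f"
}

demo
```

Run it as `check_dataset /etc/suricata/test.list sha256` against a real list; any rejected line is one the engine cannot decode for that type, while an accepted count is an upper bound on what the engine will load, since the check does not detect duplicates or memcap limits.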