My bad. I did a double take and I must have missed something.
This works for me now.
Same hash in the list, type: sha256 and alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256; dataset:isset,test; sid:1;) in the rulefile.
My bad. I did a double take and I must have missed something.
This works for me now.
Same hash in the list, type: sha256 and alert dns any any -> any any (msg:"testrule"; dns_query; to_sha256; dataset:isset,test; sid:1;) in the rulefile.