Datasets
========
-.. warning:: This is an experimental feature. Syntax and functionality may
- change in future releases.
-
Using the ``dataset`` and ``datarep`` keyword it is possible to match on
large amounts of data against any sticky buffer.
type <type>
the data type: string, md5, sha256
-save <file name>
- file name for saving the in-memory data when Suricata exits
load <file name>
file name for load the data when Suricata starts up
state
- sets both 'save' and 'load' to the same value
+ sets file name for loading and saving a dataset
+save <file name>
+ advanced option to set the file name for saving the in-memory data
+ when Suricata exits.
-.. note:: 'load' or 'load' plus 'save' and 'state' cannot be mixed.
+.. note:: 'load' and 'state' or 'save' and 'state' cannot be mixed.
datarep
~~~~~~~
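Review bot: The rewritten note at the end of this hunk only rules out 'state' together with 'load' or with 'save'; it no longer says anything about 'load' plus 'save' on the same set. Since 'save' is now described as an "advanced option", please state explicitly whether combining 'load' and 'save' is allowed and when a user would want that instead of 'state'. While touching this list, the unchanged 'load' entry ("file name for load the data") could be corrected to "for loading the data".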
value is higher than 200.
+Rule Reloads
+------------
+
+Sets that are defined in the yaml, or sets that only use `state` or `save`, are
+considered `dynamic` sets. These are not reloaded during rule reloads.
+
+Sets that are defined in rules using only `load` are considered `static` tests.
+These are not expected to change during runtime. During rule reloads these are
+reloaded from disk. This reload is effective when the complete rule reload
+process is complete.
+
+
Unix Socket
-----------
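Review bot: In the second paragraph of the new Rule Reloads section, "considered `static` tests" should read "static sets", matching "dynamic sets" in the paragraph before it. The two definitions also leave a set that uses both `load` and `save` unclassified: the first covers sets that "only use `state` or `save`", the second those "using only `load`", so say which reload behaviour such a set gets. The keywords here use single backticks while the intro uses double backticks (``dataset``); in reST, single backticks are interpreted text rather than literal text, so double backticks would be consistent. "This reload is effective when the complete rule reload process is complete" can be tightened to "takes effect once the rule reload has completed".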
dataset-add myset string Z29vZ2xlLmNvbQ==
+dataset-remove
+~~~~~~~~~~~~~~
+
+Unix Socket command to remove data from a set. On success, the removal becomes
+active instantly.
+
+Syntax::
+
+ dataset-remove <set name> <set type> <data>
+
+set name
+ Name of an already defined dataset
+type
+ Data type: string, md5, sha256
+data
+ Data to remove in serialized form (base64 for string, hex notation for md5/sha256)
File formats
------------
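Review bot: The definition list for dataset-remove uses the term "type" while the Syntax line names the argument `<set type>`; make the terms match the placeholders (set name, set type, data). The text describes only the success case, so document what the command reports when the named set does not exist or the value is not present in it. An example invocation in the same form as the dataset-add example above would also help.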