Suricata

Here's an odd one.

I am using a dataset to determine if further processing of a packet is worthwhile. I test three rules:

rule 1:
alert any any -> any 1024 (msg:"dataset check, flowbit set"; ip.dst; dataset:isset,interestingips,type ipv4; content:"|some content which exists in the request|"; flowbits:set,checkbit; sid:1; priority:1; )

rule 2:
alert any 1024 -> any any (msg:"flowbit check, response check"; flowbits:isset,checkbit; content:"|some content which exists in the response|"; sid:2; priority:2; )

rule 3:
alert any 1024 -> any any (msg:"flowbit check, dataset check, and response check"; flowbits:isset,checkbit; ip.src; dataset:isset, interestingips, type ipv4; pkt_data; content:"|some content which exists in the response|"; sid:3; priority:2; )

what's odd:

I have a pcap in which a client makes a request to a server. the server is in the dataset `interestingips`. the server responds with the `some content which exists in the response` payload.

Rule 3 alerts, but rule 2 does not alert.

It's almost like rule 2 is executed against both packets with highest priority, and then rule 1 and rule 3 are executed against both packets but only after rule 2 was finished evaluating. Basically rule 2 should fire (in my opinion), but it does not.

I suspect that, under the hood, suricata evaluates rules which use datasets with a much lower priority than all other rules? I suppose this makes sense, perhaps dataset use is an expensive operation or something...so I'm not sure whether this is a bug with suricata is a bug in documentation.