Suricata

The following rule doesn't match on the content of the pcap:

alert http any any -> $HOME_NET any (msg:"HTTP learning"; flow:established,to_client; http.content_type; content:"noone"; http.server; content:"ECS"; fast_pattern; dataset:set,http,type string,state output/http.intel; sid:2; rev:1; priority:2;)

But the data for the dataset is still set. This is not expected if we compare datasets to behave like flowbits at that point. A flowbit is only set POSTMATCH, so dataset should as well when setting actual data to a set.

Attached pcap to reproduce it.
Suricata-Verify test will follow