Additionally, can suricata forward this data to an external script for processing?
It shouldn’t work. I have tried this idea. When the host performance is sufficient, Suricata seems to be able to record completely at the beginning, but later it seems not to be able to do so. At the beginning, it can record 100 pcaps a day, but after a week or even longer, it can only record 20 pcaps a day. The specific reason has not been analyzed yet, but it seems that there is a problem.
Suricata has the pcap-log output. This records all traffic seen by Suricata to pcap files, much as if you were using another tool like tcpdump to do the same.
See 12.1. Suricata.yaml — Suricata 7.0.10 documentation for more information.
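For reference, this is what enabling that output looks like in `suricata.yaml`. It is an added example, not taken from the post above or from the Suricata documentation page it links to; the keys are the ones the default `suricata.yaml` ships for the `pcap-log` section, and the path and size values are made up for illustration. The `limit`/`max-files` pair is the part worth checking: without them Suricata will keep growing the capture until the disk fills, while with them it behaves as a ring buffer and silently overwrites the oldest files.

```yaml
# suricata.yaml (fragment, example values) - full-packet capture via pcap-log
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap          # base name; mode/ts-format decide the final name

      # Rotate when a file reaches this size (kb, mb, gb; bare number = bytes)
      limit: 1000mb

      # Ring-buffer mode: keep at most this many files of size "limit",
      # so the capture cannot exhaust the disk (oldest files are overwritten).
      max-files: 2000

      # none or lz4 (lz4 is not compatible with sguil mode)
      compression: none

      # normal = one writer, multi = one file per capture thread, sguil = sguil layout
      mode: normal

      # Directory for the pcap files (defaults to the Suricata log dir;
      # required for sguil mode). Example path, adjust to your host.
      dir: /var/log/suricata/pcap/

      # sec or usec timestamp in the filename
      ts-format: usec

      # "no" logs every packet; "yes" stops logging a flow once the
      # stream inspection depth has been reached.
      use-stream-depth: no

      # "yes" stops logging flows that matched a pass rule
      honor-pass-rules: no

      # all = every packet, alerts = only alerting flows, tag = only tagged flows
      conditional: all
```

After changing the section, run `suricata -T -c /etc/suricata/suricata.yaml` (path as an example) to validate the configuration before restarting the service, and watch the capture directory size for a few rotations to confirm the ring buffer is actually limiting it.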