Cool! Yeah, my issue with the tcpreplay was that our SIEM uses the time of the alert, and Suricata was seeing the traffic as the original timestamp. Didn’t quite work as intended. Gonna edit my command with an update too. Finally got to look at what I wrote today…