Hey Jeff,
I’m using Suricata to generate alerts which are fed into an external program for normalization. I’m trying to figure out the best way to do step 3 below. How can I know that Suricata is done processing a particular pcap file? Should I follow a different approach perhaps by having Suricata write using a unix_stream? I figured using plain ASCII files on the filesystem would be easier.
1. A program sends a pcap file to Suricata, which is running in --unix-socket mode.
2. Suricata writes to eve.json file(s).
3. An external program extracts the fields it needs from the eve.json file(s), then converts them into a pipe-separated file.
4. The pipe-separated file is sent to yet another tool for further processing.
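Added example (not part of the original post) of the step-3 extractor described above, written in Python: it reads EVE JSON lines, keeps only alert events, resolves a fixed set of fields, and emits one pipe-separated row per alert. The field list, the constructed sample records and the decision to skip a line that is not yet complete JSON (the last line of a file Suricata is still writing) are assumptions of this example; values containing a pipe are escaped so a rule name cannot shift columns in the downstream tool.

```python
import json
import sys
from typing import Iterable, List, Optional

# Output columns, in order. Dotted names address nested EVE keys
# (e.g. "alert.signature"). The selection is an assumption for this example.
FIELDS = [
    "timestamp", "src_ip", "src_port", "dest_ip", "dest_port",
    "proto", "alert.signature_id", "alert.signature", "alert.severity",
]

# Constructed sample EVE lines (not real Suricata output). The last line is
# deliberately truncated to mimic a record Suricata has not finished writing.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2024-01-01T00:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.5","src_port":43210,"dest_ip":"10.0.0.9","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":1000001,"rev":1,'
    '"signature":"Example alert one","severity":2}}',
    '{"timestamp":"2024-01-01T00:00:01.000000+0000","event_type":"flow",'
    '"src_ip":"10.0.0.5","dest_ip":"10.0.0.9","proto":"TCP"}',
    '{"timestamp":"2024-01-01T00:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"10.0.0.7","src_port":5555,"dest_ip":"10.0.0.9","dest_port":443,'
    '"proto":"TCP","alert":{"signature_id":1000002,"rev":1,'
    '"signature":"Test | pipe in name","severity":3}}',
    '{"timestamp":"2024-01-01T00:00:03.000000+0000","event_type":"al',
]


def lookup(record: dict, dotted: str) -> str:
    """Resolve a dotted key path; a missing key yields an empty column."""
    cur = record
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return str(cur)


def escape(value: str) -> str:
    """Escape the delimiter, backslashes and newlines so a value cannot
    inject extra columns or rows into the pipe-separated output."""
    return value.replace("\\", "\\\\").replace("|", "\\|").replace("\n", "\\n")


def eve_to_pipe(lines: Iterable[str], event_type: Optional[str] = "alert") -> List[str]:
    """Convert EVE JSON lines into pipe-separated rows.

    Lines that are not complete JSON are skipped instead of aborting the run,
    so a partially flushed trailing record does not break the export. Pass
    event_type=None to keep every event type."""
    rows = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # incomplete or corrupt line; pick it up on the next pass
        if event_type and rec.get("event_type") != event_type:
            continue
        rows.append("|".join(escape(lookup(rec, f)) for f in FIELDS))
    return rows


def convert_file(path: str) -> List[str]:
    """Read an eve.json file from disk and convert it."""
    with open(path, "r", encoding="utf-8") as fh:
        return eve_to_pipe(fh)


if __name__ == "__main__":
    # Usage: python eve_to_pipe.py /path/to/eve.json  (no argument: built-in sample)
    out = convert_file(sys.argv[1]) if len(sys.argv) > 1 else eve_to_pipe(SAMPLE_EVE_LINES)
    print("|".join(FIELDS))
    for row in out:
        print(row)
```

Run it with a real eve.json path to see the same columns for live alerts; the header row is printed first so the downstream tool can map columns by name.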