Jason Ish

Results 102 comments of Jason Ish

I'm not too sure about this one. I don't like to make guesses or assumptions. Do you have an example use case in mind? If using the parser as a...

I can't see any reason in the code that this would exit. Have you run this minimal version and seen it exit? If a loop like this is running in...

Yes, the fix will be to remove the field from the decode rules and loop through the options. This stuff has been removed from suricata-update already as it's not relevant...

I just tested with Python 3.6 and it works here, however, I have found the interaction between Python, libpcap and scapy to be somewhat fragile given what version of...

I've made a few fixes with respect to Python 3. Would you be willing to test? pip3 install --upgrade https://github.com/jasonish/py-idstools/archive/master.zip

Check the size of the pcap. Run it through tcpdump and see if there is anything: "tcpdump -r _filename_". Also make sure your input eve.json file has "packet" and/or "payload"...

You’ll need to enable the payload option in your Suricata config. Looks like you have payload_printable enabled which eve2pcap doesn’t handle. Converting it to pcap wouldn’t provide any extra value...

I wrote this tool more for Suricata than Snort, and Suricata does not accept such a rule. I'm a little hesitant to make this change as I don't use this...

Added help wanted label as I won't add this feature myself, but will review it if someone wants to contribute the change.

Have you tried loading an ebpf program while Suricata is running inside the container?