
Feature #3295

Updated by Victor Julien over 4 years ago

The idea here is that in some cases it might be possible to pass the shunting info to another part of the network where the decision could be made to not send packets to Suricata for that flow. This would be very efficient from Suricata's point of view. 

The request at SuriCon 2019 was a way to push these events to a unix socket somehow.

Maybe the easiest way would be to create a new output for it, that could then log to file, redis, unix socket, etc. Perhaps even an eve event_type? Eve is multi-instance so it would be possible to have a dedicated eve to just push this new record type to a unix socket, while having a separate eve for normal operations.
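As an added illustration of the consumer side of this idea (example code, not part of the ticket and not Suricata's own code): a small listener that sits on the unix socket a dedicated eve instance would write to, reads newline-delimited JSON records, and turns records of the new type into flow keys that an upstream device could use to stop forwarding that flow. The record layout used here (an `event_type` of `shunt` carrying `src_ip`, `dest_ip`, `src_port`, `dest_port`, `proto`) is an assumption for the example; no such event type exists in Suricata at the time of this ticket, and the sample lines are constructed. Malformed lines and records of other types are skipped rather than crashing the consumer, since the same socket may carry ordinary eve records if the instances are not kept separate.

```python
import json
import os
import socket
from typing import Iterable, Iterator, List, Tuple

# A flow key as an upstream bypass device would need it:
# (src_ip, dest_ip, src_port, dest_port, proto)
FlowKey = Tuple[str, str, int, int, str]

# Assumed event type name for the hypothetical shunt record (not a real Suricata event type).
SHUNT_EVENT_TYPE = "shunt"


def parse_shunt_records(lines: Iterable[str], event_type: str = SHUNT_EVENT_TYPE) -> List[FlowKey]:
    """Extract flow keys from eve-style JSON lines carrying the shunt record.

    Lines that are empty, not valid JSON, of another event_type, or missing a
    required field are ignored so one bad record cannot stall the consumer.
    """
    keys: List[FlowKey] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not JSON: skip rather than abort the stream
        if not isinstance(rec, dict) or rec.get("event_type") != event_type:
            continue  # e.g. an alert or flow record sharing the socket
        try:
            keys.append((
                str(rec["src_ip"]),
                str(rec["dest_ip"]),
                int(rec["src_port"]),
                int(rec["dest_port"]),
                str(rec["proto"]),
            ))
        except (KeyError, TypeError, ValueError):
            continue  # incomplete record: no usable flow key
    return keys


def iter_socket_lines(conn: socket.socket) -> Iterator[str]:
    """Yield complete newline-terminated lines from a connected stream socket."""
    buf = b""
    while True:
        chunk = conn.recv(65536)
        if not chunk:
            break  # writer closed the connection
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            yield line.decode("utf-8", errors="replace")
    if buf:
        yield buf.decode("utf-8", errors="replace")


def serve_once(path: str) -> List[FlowKey]:
    """Listen on a unix stream socket, accept one writer, and collect its shunt keys.

    Suricata's unix_stream eve output connects to an existing socket, so the
    consumer must create and listen on it first. Not exercised by the test.
    """
    if os.path.exists(path):
        os.unlink(path)
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as srv:
        srv.bind(path)
        srv.listen(1)
        conn, _ = srv.accept()
        with conn:
            return parse_shunt_records(iter_socket_lines(conn))


# Constructed sample input: one alert record (ignored), one malformed line,
# one well-formed shunt record, one shunt record missing dest_port.
SAMPLE_LINES = [
    '{"event_type":"alert","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","src_port":4444,"dest_port":80,"proto":"TCP"}',
    'this is not json',
    '{"event_type":"shunt","src_ip":"10.0.0.5","dest_ip":"10.0.0.9","src_port":40000,"dest_port":443,"proto":"TCP"}',
    '{"event_type":"shunt","src_ip":"10.0.0.6","dest_ip":"10.0.0.9","src_port":40001,"proto":"TCP"}',
]


def demo() -> List[FlowKey]:
    """Run the parser over the constructed sample lines."""
    return parse_shunt_records(SAMPLE_LINES)


if __name__ == "__main__":
    for key in demo():
        print("bypass candidate:", key)
```

Running the module prints one bypass candidate, the well-formed shunt record; the alert, the garbage line and the incomplete record are dropped. To use it against a live eve instance, call `serve_once("/path/to/shunt.sock")` before starting Suricata with an eve-log output of `filetype: unix_stream` pointed at that path.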
