drop a Suricata eve.json · parse alert, flow and protocol-metadata events (http, dns, tls, ...) · runs locally, nothing leaves the browser
eve.json/jsonl · alerts · flow · local only
heuristic screener · EVE field layout varies by Suricata version and vendor build, so unknown or missing fields are tolerated · findings are leads to verify, not definitive proof
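The kind of local, schema-tolerant screening described above, as an added example that is not the page's own code: it parses EVE JSON lines, skips malformed lines, groups alert, flow and protocol-metadata events by `flow_id`, and applies a few heuristics (high-severity alert, alert whose rule carries no `signature_id`, alert on a flow that returned a large HTTP 200 response). The sample records are constructed for the example, and the `big_response_bytes` threshold is an arbitrary assumption; the findings are hints to triage, not proof.

```python
"""Local heuristic screener for Suricata EVE JSON (eve.json / .jsonl). Example code."""
import json
from collections import defaultdict

# Constructed sample records (not real captures). Field names follow the EVE
# layout, but real files vary by Suricata version and vendor build, so every
# lookup below uses .get() and tolerates missing keys and non-JSON lines.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","flow_id":1,"event_type":"alert","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","alert":{"signature_id":2100498,"rev":7,"signature":"GPL ATTACK_RESPONSE id check returned root","category":"Potentially Bad Traffic","severity":2},"http":{"hostname":"203.0.113.10","url":"/cgi-bin/test","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:01.000000+0000","flow_id":2,"event_type":"dns","src_ip":"10.0.0.5","dest_ip":"10.0.0.53","proto":"UDP","dns":{"type":"query","rrname":"example.test","rrtype":"A"}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","flow_id":1,"event_type":"flow","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.10","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":9,"bytes_toserver":1400,"bytes_toclient":9100,"state":"closed"}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","flow_id":3,"event_type":"alert","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","proto":"TCP","alert":{"signature":"vendor rule without sid","severity":1}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","flow_id":4,"event_type":"tls","src_ip":"10.0.0.7","dest_ip":"198.51.100.9","dest_port":443,"proto":"TCP","tls":{"sni":"example.test","version":"TLS 1.2"}}
this line is not json and must be skipped
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"stats","stats":{"uptime":60}}
"""

# Protocol-metadata objects that may appear on their own event or embedded in an alert.
PROTO_KEYS = ("http", "dns", "tls", "smtp", "ssh", "fileinfo")


def parse_eve(text):
    """Parse EVE JSON lines. Returns (records, skipped); skipped counts unusable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        if not isinstance(rec, dict) or "event_type" not in rec:
            skipped += 1  # not an EVE event object
            continue
        records.append(rec)
    return records, skipped


def index_by_flow(records):
    """Group alerts, the flow summary and protocol metadata under each flow_id."""
    flows = defaultdict(lambda: {"alerts": [], "flow": None, "meta": {}})
    for rec in records:
        fid = rec.get("flow_id")
        if fid is None:
            continue  # stats and similar events carry no flow_id
        entry = flows[fid]
        et = rec.get("event_type")
        if et == "alert":
            entry["alerts"].append(rec)
        elif et == "flow":
            entry["flow"] = rec.get("flow") or {}
        for key in PROTO_KEYS:  # metadata can ride on alerts or on separate events
            if isinstance(rec.get(key), dict):
                entry["meta"][key] = rec[key]
    return flows


def screen(flows, big_response_bytes=8000):
    """Heuristic screener. Each finding is a triage lead, not evidence of compromise."""
    findings = []
    for fid, entry in flows.items():
        flow = entry["flow"] or {}
        http = entry["meta"].get("http", {})
        for alert in entry["alerts"]:
            a = alert.get("alert") or {}
            sig = a.get("signature", "<no signature>")
            if a.get("signature_id") is None:
                # Rule cannot be looked up or deduplicated; flag rather than crash.
                findings.append({"flow_id": fid, "kind": "unidentified_rule", "detail": sig})
            sev = a.get("severity")
            if isinstance(sev, int) and sev <= 1:
                findings.append({"flow_id": fid, "kind": "high_severity_alert", "detail": sig})
            if http.get("status") == 200 and flow.get("bytes_toclient", 0) >= big_response_bytes:
                findings.append({"flow_id": fid, "kind": "alert_with_large_200_response",
                                 "detail": f"{flow['bytes_toclient']} bytes to client, {http.get('url')}"})
    return findings


if __name__ == "__main__":
    recs, bad = parse_eve(SAMPLE_EVE)
    print(f"{len(recs)} events parsed, {bad} line(s) skipped")
    for f in screen(index_by_flow(recs)):
        print(f"flow {f['flow_id']}: {f['kind']} ({f['detail']})")
```

Replace `SAMPLE_EVE` with the contents of a real eve.json to run it over a capture; the file never leaves the machine. Because the screener keys on `flow_id`, it only correlates alerts with flow and metadata events that Suricata emitted for the same flow, which is exactly the join the page's "alerts + flow + protocol metadata" line refers to.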