drop Suricata rule set + eve.json · score detection coverage gaps · runs locally
rules + eve.json · sid coverage · local only
heuristic screener · vendor schema varies · not definitive proof