Malcolm and Suricata alert IP association issue

[H-Dynamite]

Some of the suricata events collected by Malcolm have issues where the source IP and destination IP are opposite. I feel that the events should be associated with the IP field of the suricata flow

[mmguero]

I'm not quite sure I understand the issue you're describing. If you'd like to examine the eve.json logs that suricata is creating correctly they should be able to be found under the suricata-logs subdirectory in the Malcolm directory. I've never seen suricata logs have the IP addresses reversed compared to what is shown in Zeek, Arkime, or even WireShark.