04-rules.txt

alert tls any any -> any any (msg:"MZ: Facebook certificate detected"; tls.subject:"facebook"; sid:770001; rev:1;)
alert tcp any any -> any any (msg:"MZ: DNS Zone Transfer detected"; content:"|00 00 FC|"; sid:770002; rev:1;)
alert dns $HOME_NET any -> any 53 (msg:"MZ: DNS request for .su detected"; dns_query; content:".su"; sid:770003; rev:1;)
alert http any any -> any any (msg:"MZ: User agent Curl detected"; content:"curl"; http_user_agent; sid:770004; rev:1;)
#alert tcp any any -> any any (msg:"testing"; classtype:bad-unknown; sid:990001; rev:1;)

suricata --list-keywords | grep tls
cat eve.json | jq 'select(.app_proto=="dns")'
https://suricata.readthedocs.io/en/suricata-4.0.5/output/eve/eve-json-examplesjq.html

sudo tcpdump -i eth0 -w /vagrant/data/test.pcap
curl -s https://www.facebook.lv
curl test.su
tcprewrite -C -i /vagrant/data/test.pcap -o /vagrant/data/test-out.pcap