@bmorgenthaler I know this is an old thread, but could you also please share the contents of the lookup files?

LOOKUP-estreamer_file_action = file_actions file_action OUTPUT action
LOOKUP-estreamer_fw_action = fw_actions fw_rule_action OUTPUT action
LOOKUP-estreamer_severities = severities impact,priority OUTPUT severity
LOOKUP-estreamer_sources = sources source OUTPUT vendor, product, ids_type
LOOKUP-estreamer_transport = ip_protos ip_proto OUTPUT transport