Feature #2421 (Closed): add system mode and user mode
Added by Richard Sailer almost 7 years ago. Updated over 5 years ago.
Description
Add distinction between system and user modes, where the normal IDS modes are system modes, but the offline pcap runmodes are not.
For the user mode, the default log dir should be ignored and the current work dir should be used instead.
Updated by Victor Julien almost 7 years ago
Some tools make a distinction between a 'user mode' and a 'system mode'. Perhaps something similar would make sense here. The regular IDS/IPS modes would count as 'system modes' where the default log location (e.g. /var/log/suricata) makes sense. A user processing a pcap file would count as a 'user mode' where the output should probably go to another location. Perhaps there it would make sense to write output to the CWD (iirc Bro does this).
Updated by Jason Ish almost 7 years ago
I like what Victor is suggesting. Perhaps for pcaps the default log directory should be "." regardless of what's in the config file. Even if running as root, you wouldn't want to clobber the default log directory if Suricata is running as a daemon.
I more often than not do something like "-l ." or "-l ./log" when using pcaps.
Updated by Richard Sailer over 6 years ago
I also think a distinction between 'user mode' and 'system mode' would make sense.
But this opens a new question: How fundamental should that distinction be and how exactly should it manifest?
Like:
- Would it make sense to have its own user interface (like a wrapper script) with its own manpage for the 'user mode' usage?
(This could add/consolidate more 'user mode like' features into this script, and give nicer usability.)
- Would it make sense to have its own (small) chapter in the user guide for "user mode usage" of Suricata?
Updated by Victor Julien over 6 years ago
We could simply make it part of the 'runmodes' logic (e.g. see ./src/suricata --list-runmodes). A runmode could register if it is a system mode or a user mode.
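The runmode-registration idea above, combined with the rule from the ticket description that a user mode ignores the configured default log dir and writes to the CWD, as an added C sketch that is not Suricata's code: the `RunMode` table, `RunModeIsUserMode` and `ResolveLogDir` are assumptions, and the runmode names are illustrative.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical registry: each runmode declares whether it is a system mode
 * (live IDS/IPS, configured default log dir applies) or a user mode (offline
 * pcap processing, output goes to the CWD so a one-off pcap run never writes
 * into a running daemon's /var/log/suricata). Names are illustrative. */
typedef enum { MODE_SYSTEM, MODE_USER } ModeKind;
typedef struct { const char *name; ModeKind kind; } RunMode;

static const RunMode runmodes[] = {
    { "af-packet", MODE_SYSTEM },
    { "nfq",       MODE_SYSTEM },
    { "pcap-file", MODE_USER   },   /* the mode -r selects */
};

static const RunMode *RunModeLookup(const char *name)
{
    for (size_t i = 0; i < sizeof(runmodes) / sizeof(runmodes[0]); i++)
        if (strcmp(runmodes[i].name, name) == 0)
            return &runmodes[i];
    return NULL;
}

/* 1 for a user mode, 0 for a system mode, -1 for an unknown runmode. */
int RunModeIsUserMode(const char *name)
{
    const RunMode *rm = RunModeLookup(name);
    return rm == NULL ? -1 : (rm->kind == MODE_USER);
}

/* Pick the output directory.
 *   cli_log_dir:    the -l value, or NULL if not given (an explicit -l always wins)
 *   config_log_dir: default-log-dir from suricata.yaml, or NULL if unset
 * Returns NULL for an unknown runmode. */
const char *ResolveLogDir(const char *runmode, const char *cli_log_dir,
                          const char *config_log_dir)
{
    const RunMode *rm = RunModeLookup(runmode);
    if (rm == NULL)
        return NULL;
    if (cli_log_dir != NULL)
        return cli_log_dir;
    if (rm->kind == MODE_USER)
        return ".";   /* user mode: ignore the configured default, use the CWD */
    return config_log_dir != NULL ? config_log_dir : "/var/log/suricata";
}
```

With this, `-r file.pcap` without `-l` lands in the current directory even when the config points at `/var/log/suricata`, while live modes keep the configured default.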
Updated by Danny Browning about 6 years ago
Maybe just a --daemon or --server option?
Uses /var/log, enables unix socket, turns on capture, etc. Config would still take priority, but if not set, has default behavior. Thinking a flag like that would be useful for things like state serialization and log rolling, without needing them specified.
Updated by Victor Julien about 6 years ago
- Assignee changed from Richard Sailer to OISF Dev
This 'server mode' is implied with the 'live' runmodes, so not sure we need an option for it. '-r' with that option wouldn't make sense anyway.
Updated by Victor Julien almost 6 years ago
- Assignee changed from OISF Dev to Anonymous
- Effort set to low
- Difficulty set to low
Updated by Victor Julien over 5 years ago
- Subject changed from Warn user if -r (pcap offline mode) is used with default log dir to add system mode and user mode
- Status changed from New to Assigned
- Assignee changed from Community Ticket to Victor Julien
- Target version changed from TBD to 5.0beta1
- Effort deleted (low)
- Difficulty deleted (low)
Updated by Victor Julien over 5 years ago
- Status changed from Assigned to Closed