Optimization #5522
opendecode: optional optimized tunnel packet handling
Description
In some deployment models, like in the AWS mirror feature, every packet will come with some encapsulation like VXLAN. Suricata will decode the original packet, and then for the encapsulated packet create a secondary Packet internally, and both will go through the pipelines. This model makes sense in some scenarios, but not in all. Sometimes the encapsulation is just an infrastructure artifact that isn't relevant for Suricata.
For such cases we could consider a model where the encapsulated packet "overwrites" the original packet so as to be the only packet flowing through the pipeline.
Some considerations about what it might affect:
- IPS needs to still forward the original packet
- Reject may need the original packet