Suricata

Currently the only supported response is "reject", and it is implemented as a separate thread module.

• Does not send response to appropriate device if Suricata is configured as an in-line IPS
• Run-modes which do not use device names are not supported (e.g., DPDK)
• Adding new kinds of responses require a new thread module, potentially introducing a performance hit
• Thread modules do not have immediate access to flow, decode, and detection results

I propose a solution which would add a modular response API invoked from "FlowWorker" and provides a run-mode specific means to send responses. This solution will facilitate the future contribution of a redirect action (HTTP, DNS). A PR will be submitted soon if there is interest in this functionality.