brimdata/suricata@b4d6ca7 (allows passing "-" to suricata to indicate "read from stdin") seems generally useful. We should submit it as a PR for consideration to upstream.

@henridf submitted this as OISF/suricata#5968. I'm going to go ahead and close this issue because we've got our own working Suricata fork and hence this is not blocking us. I'm "subscribed" to OISF/suricata#5968 so I'll get a heads-up if/when it becomes accepted and available in a newer GA release we could consider moving to.

Thanks @henridf, wherever you are! 😄