running ids rules on tracee-ebpf

[Ofekitach]

I was wondering, if you can run tracee-rules on certain events, why not running ids rules (like:snort, zeek...) on accept\connect\bind events.
example of rules set:
https://rules.emergingthreats.net/open/suricata/rules/

[yanivagman]

Indeed it is possible to write IDS rules similar to the those you pointed to, but one would have to convert them to either go or rego first, and use the matching tracee-ebpf events to write those rules.
Contribution of rules to tracee-rules is more than welcome!