From d111f7aedafe30222d903a244b81ea49e062ff08 Mon Sep 17 00:00:00 2001
From: MDLeom <2809763-curben@users.noreply.gitlab.com>
Date: Sat, 24 May 2025 23:23:41 +0000
Subject: [PATCH] fix(ids): close stream when no longer used

---
 README.md | 1 -
 src/ids.js | 3 ++-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 14bf7281..5df682d8 100644
--- a/README.md
+++ b/README.md
@@ -202,7 +202,6 @@ rule-files:
 
 This ruleset includes online domains only. It enables Suricata to detect malicious HTTPS-enabled domains by inspecting the SNI in the [unencrypted ClientHello](https://en.wikipedia.org/wiki/Server_Name_Indication#Security_implications) message. There is increasing support for encrypted Client Hello which defeats SNI inspection.
 
-
 ## Splunk
 
 A CSV file for Splunk [lookup](https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Aboutlookupsandfieldactions).
diff --git a/src/ids.js b/src/ids.js
index ba566e1b..58c08d29 100644
--- a/src/ids.js
+++ b/src/ids.js
@@ -39,6 +39,8 @@ for await (const domain of domains.readLines()) {
 sid++
 }
 
+suricataSni.close()
+
 for await (const line of urls.readLines()) {
 if (!URL.canParse(`http://${line}`)) {
 console.error(`Invalid URL: ${line}`)
@@ -61,5 +63,4 @@ for await (const line of urls.readLines()) {
 snort2.close()
 snort3.close()
 suricata.close()
-suricataSni.close()
 splunk.close()
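Review bot: The `suricataSni.close()` added after the domains loop in src/ids.js discards its result, so a failure while closing the SNI ruleset file is not handled at this point. The `readLines()` calls suggest these are `fs/promises` FileHandles, whose `close()` returns a promise, but the open calls are outside the hunk, so confirm; if so, `await suricataSni.close()` works here because the file already uses top-level `for await`. An incompletely written Suricata SNI ruleset would otherwise only show up as an unhandled rejection while the URL loop is already running. A short comment such as `// suricataSni is only written in the domains loop above; release it before processing URLs` (if that is indeed the case) would explain why this handle is closed apart from the others in the last hunk, which are also not awaited.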