There is a great demonstration of the Wireshark plugin and the IDSUtil here.
Once everything is installed and configured, all that is required is to update the rules and then run the ids-pcap command with the packet capture:

ids-rules ./snort/default --list
ids-pcap ./snort/default vrouter2.pcap

Once the pcap has been read by Snort or Suricata, the alerts are available in Wireshark when the same pcap is opened.
Where there is more than one alert for a packet, each alert is shown. Setting a display filter of just 'alert' displays all those packets that have one or more alerts associated with them. I have set my display preferences to only use a single word for column names in Wireshark to make it easier to export packets as CSV.
It's easy to export the displayed packets by selecting 'Export Packet Dissections' from the file menu in Wireshark.
Leaving 'Displayed' selected, provide a filename and click OK to save the file.
As in my previous post I can use Log Parser Lizard to process the output to make a Treemap of the IDS alerts.
The query does two things. Where there are multiple alerts for a single packet it reduces them to the highest priority, and it inverts the priority so that a bigger number means a higher priority. Treemap draws larger blocks for larger values, so without the inversion priority '1', the highest priority, would be drawn as the smallest block.
Export the file from Log Parser Lizard as TSV and use Notepad++ to edit the headers and add the data types for Treemap.
Then save the file with a .tm3 extension and load it into Treemap.
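The same reduction can be scripted rather than done by hand in Log Parser Lizard and Notepad++. The script below is an added example and is not code from the original post or from the IDSUtil project: it reads a Wireshark CSV export, keeps only the most severe priority for each packet, inverts it so that priority 1 gets the largest weight, and writes the TSV-with-types layout that Treemap loads from a .tm3 file. The column names ("No", "Source", "Destination", "Alert", "Priority"), the sample rows and the alert messages in them are all constructed assumptions; the real column names depend on the plugin's field names and on the column preferences set in Wireshark.

```python
"""Turn a Wireshark CSV export of IDS alerts into Treemap (.tm3) input.

Added example, not from the original post. Column names are assumptions.
"""
import csv
import io

# Constructed sample of an "Export Packet Dissections" CSV. Wireshark writes a
# multi-valued field (a packet with several alerts) as comma-separated values
# inside one quoted cell, so the Alert and Priority cells are parallel lists.
SAMPLE_CSV = (
    "No,Source,Destination,Protocol,Alert,Priority\n"
    '1,10.0.0.5,10.0.0.9,TCP,"ET SCAN Suspicious inbound",2\n'
    '2,10.0.0.5,10.0.0.9,TCP,"ET SCAN Suspicious inbound,ET POLICY Sample","2,1"\n'
    '3,10.0.0.7,10.0.0.9,UDP,"GPL DNS sample",3\n'
    '4,10.0.0.7,10.0.0.9,UDP,"GPL DNS sample,GPL DNS other","3,3"\n'
)


def most_severe(alert_cell, priority_cell):
    """Return (priority, alert) for the most severe alert on one packet.

    Snort/Suricata use 1 as the highest priority, so the minimum wins.
    Alerts and priorities are split on ',' and paired positionally; this
    assumes the alert messages themselves contain no commas.
    """
    alerts = [a.strip() for a in alert_cell.split(",")]
    priorities = [int(p) for p in priority_cell.split(",") if p.strip()]
    return min(zip(priorities, alerts))


def invert_priority(priority, lowest_priority):
    """Map priority 1 to the largest weight so Treemap draws it biggest.

    lowest_priority is the largest priority number seen in the data, so the
    least severe alert still gets a weight of 1 rather than 0.
    """
    return lowest_priority + 1 - priority


def packet_weights(csv_text):
    """One record per packet: most severe alert plus its inverted weight."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    reduced = [(row, *most_severe(row["Alert"], row["Priority"])) for row in rows]
    lowest = max(priority for _, priority, _ in reduced)
    return [
        {
            "No": row["No"],
            "Source": row["Source"],
            "Destination": row["Destination"],
            "Alert": alert,
            "Priority": priority,
            "Weight": invert_priority(priority, lowest),
        }
        for row, priority, alert in reduced
    ]


def to_tm3(records):
    """Render records in the .tm3 layout Treemap reads.

    Assumed layout: line 1 is the tab-separated attribute names, line 2 the
    attribute types, and each data line is the attribute values followed by an
    empty column and then the hierarchy path (source -> destination -> alert
    -> packet number).
    """
    attrs = ["Weight", "Priority"]
    lines = ["\t".join(attrs), "\t".join(["INTEGER"] * len(attrs))]
    for rec in records:
        path = [rec["Source"], rec["Destination"], rec["Alert"], rec["No"]]
        lines.append("\t".join([str(rec["Weight"]), str(rec["Priority"]), ""] + path))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the constructed sample out as alerts.tm3 for loading into Treemap.
    with open("alerts.tm3", "w", encoding="utf-8") as fh:
        fh.write(to_tm3(packet_weights(SAMPLE_CSV)))
```

Run it against a real export by replacing SAMPLE_CSV with the contents of the CSV saved from Wireshark; the weight column is what Treemap should be told to use for block size, and the priority column is available for colour.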