Understanding Suricata on VPN Client Gateways?



    I have one standard WAN gateway, and also two OpenVPN client gateways. I have Suricata monitoring traffic on all three gateways.

    On the WAN I get by far the most hits, even though almost all of my network traffic is directed through the VPN gateways.

    On the VPN gateways I do still get hits, and hits that I can correlate to things that are happening on my network, but I get far fewer hits than on the WAN. This confuses me since most of my traffic is going through the VPN Gateways.

    My first thought was that since they are VPNs, not even my Suricata can see them. I had originally thought that since Suricata was part of the system it would be able to see the packets before they were encrypted. But if I look at my HTTP logs on the VPN interfaces, I can see all of the HTTP traffic on the VPN gateways, which implies that Suricata can in fact see the packets before they are encrypted.

    So why am I generating so few hits on the VPN Gateways? They actually have more rules enabled than WAN.
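As an added example (not from the original post, and not Suricata's own tooling), the following script shows the check a practitioner would run before deciding whether the gap is visibility or rule coverage: tally Suricata's EVE JSON output per input interface and compare application-layer records (http, flow) against alerts. An interface that produces HTTP and flow records but few or no alerts is being decoded by Suricata in cleartext, so the difference lies in what the enabled rules match on that traffic rather than in the sensor being blind to the tunnel. The log lines are constructed for the example; the interface names (em0 for the WAN, ovpnc1 and ovpnc2 for the OpenVPN client gateways), the local-range signature IDs and the rule names are assumptions and do not come from the post.

```python
import json
from collections import Counter, defaultdict

# Constructed sample of Suricata EVE JSON output (eve.json), one record per line.
# These are NOT logs from the post. Interface names are assumptions: "em0" stands
# for the WAN, "ovpnc1" and "ovpnc2" for the two OpenVPN client gateways. The sids
# are in the local-rule range and the rule names are placeholders. The final
# record is deliberately truncated, as happens when tailing a live eve.json,
# to show that such a line is skipped rather than crashing the tally.
SAMPLE_EVE = """\
{"timestamp":"2024-01-01T10:00:00.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.5","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test rule A","severity":1}}
{"timestamp":"2024-01-01T10:00:02.000000+0000","event_type":"alert","in_iface":"em0","src_ip":"203.0.113.9","dest_ip":"192.0.2.10","proto":"TCP","alert":{"signature_id":1000002,"signature":"LOCAL test rule B","severity":2}}
{"timestamp":"2024-01-01T10:00:03.000000+0000","event_type":"http","in_iface":"em0","src_ip":"192.0.2.10","dest_ip":"198.51.100.7","proto":"TCP","http":{"hostname":"example.net","url":"/index.html","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:04.000000+0000","event_type":"http","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"198.51.100.20","proto":"TCP","http":{"hostname":"example.com","url":"/","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:05.000000+0000","event_type":"http","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"198.51.100.21","proto":"TCP","http":{"hostname":"example.org","url":"/login","http_method":"POST","status":302}}
{"timestamp":"2024-01-01T10:00:06.000000+0000","event_type":"http","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"198.51.100.22","proto":"TCP","http":{"hostname":"example.com","url":"/static/app.js","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:07.000000+0000","event_type":"flow","in_iface":"ovpnc1","src_ip":"10.8.0.2","dest_ip":"198.51.100.20","proto":"TCP","flow":{"pkts_toserver":12,"pkts_toclient":14,"state":"closed"}}
{"timestamp":"2024-01-01T10:00:08.000000+0000","event_type":"http","in_iface":"ovpnc2","src_ip":"10.9.0.2","dest_ip":"198.51.100.30","proto":"TCP","http":{"hostname":"example.com","url":"/cgi-bin/test","http_method":"GET","status":404}}
{"timestamp":"2024-01-01T10:00:09.000000+0000","event_type":"alert","in_iface":"ovpnc2","src_ip":"10.9.0.2","dest_ip":"198.51.100.30","proto":"TCP","alert":{"signature_id":1000001,"signature":"LOCAL test rule A","severity":1}}
{"timestamp":"2024-01-01T10:00:10.000000+0000","event_type":"http","in_iface":"ovpnc2","src_ip":"10.9.0.2","dest_ip":"198.51.100.31","proto":"TCP","http":{"hostname":"example.org","url":"/","http_method":"GET","status":200}}
{"timestamp":"2024-01-01T10:00:11.000000+0000","event_type":"alert","in_iface":"ovpnc2","src_ip":"10.9.0.2","dest_ip
"""


def parse_eve(text):
    """Parse EVE JSON lines; skip blank lines and malformed (e.g. truncated) records."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # partial write or garbage: ignore rather than abort
        if isinstance(rec, dict) and "event_type" in rec:
            events.append(rec)
    return events


def tally_by_iface(events):
    """Return {in_iface: Counter(event_type -> count)}."""
    tally = defaultdict(Counter)
    for ev in events:
        tally[ev.get("in_iface", "<none>")][ev["event_type"]] += 1
    return dict(tally)


def alerts_per_inspected_record(tally):
    """Alerts divided by all non-alert records (http, flow, dns, ...) per interface.

    Non-alert records prove Suricata decoded the traffic on that interface, so a
    low ratio means the rules did not match, not that the tunnel hid the packets.
    None is returned for an interface with alerts but no other records.
    """
    out = {}
    for iface, c in tally.items():
        seen = sum(n for t, n in c.items() if t != "alert")
        out[iface] = round(c["alert"] / seen, 3) if seen else None
    return out


def inspected_without_alerts(tally):
    """Interfaces that produced decoded records but no alerts at all."""
    return sorted(i for i, c in tally.items()
                  if c["alert"] == 0 and sum(c.values()) > 0)


def signatures_by_iface(events):
    """Map each fired signature_id to the sorted list of interfaces it fired on."""
    seen = defaultdict(set)
    for ev in events:
        if ev["event_type"] == "alert":
            seen[ev["alert"]["signature_id"]].add(ev.get("in_iface", "<none>"))
    return {sid: sorted(ifs) for sid, ifs in seen.items()}


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    t = tally_by_iface(evs)
    for iface in sorted(t):
        print(iface, dict(t[iface]))
    print("alerts per inspected record:", alerts_per_inspected_record(t))
    print("inspected but silent:", inspected_without_alerts(t))
    print("rules by interface:", signatures_by_iface(evs))
```

On a live system, replace SAMPLE_EVE with the contents of the eve.json file for each Suricata interface instance and run the same tallies; an interface that shows up in inspected_without_alerts while carrying most of the HTTP records is being inspected but not matched, which points at rule selection and traffic direction rather than at encryption.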