Netgate Discussion Forum

    Suricata newbie question: pfSense address in alerts/blocks

    IDS/IPS
    sremick

      Sorry for the dumb newbie question, but doing searches didn't turn up anything.

      As I try to sort out what client (and hence, software) triggered an alert in Suricata, I'm being thwarted by the fact that it's the pfSense gateway IP that's always listed as the src/dst on the Alerts list, not the IP of the client on my internal LAN. Surely I must have something not set up correctly, because the alert log is very hard to make efficient use of like this.

      On a side note: is there a way to get a filter on the alert list to persist over refreshes?

      SteveITS

        Sounds like you have Suricata on WAN, which is before the NAT happens. If you move it to LAN, then 1) you'll see the internal IPs, and 2) it should scan less traffic as it will only see packets making it through the firewall.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
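The placement issue in the answer above can be checked directly against Suricata's EVE JSON output: when the sensor sits on WAN, every local endpoint of an alert is the firewall's public address, so the alert cannot be traced back to an internal client. The script below is an added example, not code from the original thread or from Netgate; it classifies each alert as attributable to a LAN client, masked by NAT (a local endpoint equal to the firewall's WAN address), or purely external. The WAN address, the LAN prefix and the sample EVE lines are all constructed for the example.

```python
import ipaddress
import json
from collections import Counter

# Assumed firewall WAN address and LAN prefix; replace with your own values.
WAN_ADDRESSES = {ipaddress.ip_address("198.51.100.5")}
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed EVE JSON records (not real alerts). The first two resemble what a
# WAN-side sensor produces after NAT: the local end is the firewall itself.
# The next two resemble a LAN-side sensor, where the client address survives.
# The last line is a non-alert event that the parser should skip.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2025-01-01T10:00:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.10","src_port":443,"dest_ip":"198.51.100.5","dest_port":51234,'
    '"proto":"TCP","alert":{"signature_id":2000001,"signature":"TEST inbound reply","severity":2}}',
    '{"timestamp":"2025-01-01T10:00:01.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.5","src_port":51235,"dest_ip":"203.0.113.20","dest_port":80,'
    '"proto":"TCP","alert":{"signature_id":2000002,"signature":"TEST outbound beacon","severity":2}}',
    '{"timestamp":"2025-01-01T10:00:02.000000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.25","src_port":51236,"dest_ip":"203.0.113.10","dest_port":443,'
    '"proto":"TCP","alert":{"signature_id":2000002,"signature":"TEST outbound beacon","severity":2}}',
    '{"timestamp":"2025-01-01T10:00:03.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.30","src_port":443,"dest_ip":"192.168.1.40","dest_port":51237,'
    '"proto":"TCP","alert":{"signature_id":2000001,"signature":"TEST inbound reply","severity":2}}',
    '{"timestamp":"2025-01-01T10:00:04.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.25","dest_ip":"203.0.113.10","proto":"TCP"}',
]


def parse_eve(lines):
    """Yield only alert records from EVE JSON lines, skipping blanks,
    malformed JSON and other event types such as flow or dns."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if record.get("event_type") == "alert":
            yield record


def classify_alert(record, lan_networks=LAN_NETWORKS, wan_addresses=WAN_ADDRESSES):
    """Decide whether an alert can be tied to an internal client.

    Returns {"client": <LAN IP or None>, "reason": one of
    "attributable", "masked_by_nat", "external_only", "malformed"}.
    """
    endpoints = []
    for key in ("src_ip", "dest_ip"):
        try:
            endpoints.append(ipaddress.ip_address(record[key]))
        except (KeyError, ValueError):
            return {"client": None, "reason": "malformed"}
    # A LAN address on either side means the sensor saw the pre-NAT packet.
    for ip in endpoints:
        if any(ip in net for net in lan_networks):
            return {"client": str(ip), "reason": "attributable"}
    # The firewall's own WAN address as an endpoint is the NAT symptom
    # described in the thread: the real client is no longer visible.
    if any(ip in wan_addresses for ip in endpoints):
        return {"client": None, "reason": "masked_by_nat"}
    return {"client": None, "reason": "external_only"}


def summarize(lines):
    """Count alerts per classification and per attributable LAN client."""
    reasons = Counter()
    clients = Counter()
    for record in parse_eve(lines):
        result = classify_alert(record)
        reasons[result["reason"]] += 1
        if result["client"] is not None:
            clients[result["client"]] += 1
    return {"reasons": dict(reasons), "clients": dict(clients)}


if __name__ == "__main__":
    # To run against a live sensor, read /var/log/suricata/<iface>/eve.json instead.
    print(json.dumps(summarize(SAMPLE_EVE_LINES), indent=2))
```

A high count of "masked_by_nat" with no "attributable" alerts is the signature of a sensor bound to WAN; after moving Suricata to the LAN interface, the same script should report LAN clients under "clients", which is what makes the alert list useful for tracing a hit back to a host.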