Suricata newbie question: pfSense address in alerts/blocks
-
Sorry for the dumb newbie question, but doing searches didn't turn up anything.
As I try and sort out what client (and hence, software) triggered an alert in Suricata, I'm being thwarted by the fact that it's the pfSense gateway IP that's always listed as the src/dst on the Alerts list, not the IP of the client on my internal LAN. Surely I must have something not set up correctly, because the alert log is very hard to make efficient use of like this.
On a side note: is there a way to get a filter on the alert list to persist over refreshes?
-
Sounds like you have Suricata on WAN, which is before the NAT happens. If you move it to LAN, then 1) you'll see the internal IPs, and 2) it should scan less traffic as it will only see packets making it through the firewall.
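An added example, not from this thread or from the Suricata or pfSense projects: a small Python script that reads Suricata EVE JSON records (the `eve.json` output, one object per line) and checks whether every alert carries the firewall's WAN address, which is exactly the symptom described above when the sensor sits on the WAN side of NAT. The WAN address, the LAN client addresses and the alert records are constructed placeholders; `event_type`, `src_ip`, `dest_ip` and `alert` are the standard EVE field names.

```python
import ipaddress
import json
from dataclasses import dataclass, field

# Constructed placeholder for the firewall's WAN address (not a value from the thread).
WAN_IP = "203.0.113.10"

# Constructed EVE JSON records as a WAN-side sensor would write them: every alert
# has the WAN address on one side, because NAT has already rewritten the LAN client.
EVE_FROM_WAN_SENSOR = """
{"event_type":"alert","src_ip":"203.0.113.10","dest_ip":"198.51.100.7","alert":{"signature":"EXAMPLE outbound policy hit","signature_id":1000001}}
{"event_type":"flow","src_ip":"203.0.113.10","dest_ip":"198.51.100.7"}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"203.0.113.10","alert":{"signature":"EXAMPLE inbound scan","signature_id":1000002}}
"""

# Constructed records as a LAN-side sensor would write them: the real client IPs survive.
EVE_FROM_LAN_SENSOR = """
{"event_type":"alert","src_ip":"192.168.1.25","dest_ip":"198.51.100.7","alert":{"signature":"EXAMPLE outbound policy hit","signature_id":1000001}}
{"event_type":"alert","src_ip":"198.51.100.9","dest_ip":"192.168.1.40","alert":{"signature":"EXAMPLE inbound scan","signature_id":1000002}}
"""

# RFC 1918 ranges, listed explicitly: Python's ip_address(...).is_private also
# treats documentation ranges such as 198.51.100.0/24 as private, which would
# misclassify the constructed external peers above.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class PlacementStats:
    total_alerts: int = 0
    wan_addressed: int = 0                       # alerts whose src or dest is the WAN address
    endpoints: set = field(default_factory=set)  # every non-WAN address seen in alerts


def classify_alerts(eve_text, wan_ip):
    """Walk EVE JSON lines and count how many alerts carry the WAN address."""
    stats = PlacementStats()
    for line in eve_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole pass
        if rec.get("event_type") != "alert":
            continue  # flow, dns, http, ... records are not what we are triaging
        stats.total_alerts += 1
        src, dst = rec.get("src_ip"), rec.get("dest_ip")
        if wan_ip in (src, dst):
            stats.wan_addressed += 1
        for ip in (src, dst):
            if ip and ip != wan_ip:
                stats.endpoints.add(ip)
    return stats


def is_rfc1918(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def internal_endpoints(stats):
    """Sorted list of RFC 1918 addresses seen in alerts; empty on a post-NAT sensor."""
    return sorted(ip for ip in stats.endpoints if is_rfc1918(ip))


def placement_hint(stats):
    """'wan-side' when every alert carries the WAN address, 'lan-side' when none does."""
    if stats.total_alerts == 0:
        return "none"
    if stats.wan_addressed == stats.total_alerts:
        return "wan-side"
    if stats.wan_addressed == 0:
        return "lan-side"
    return "mixed"


if __name__ == "__main__":
    for label, text in (("WAN sensor", EVE_FROM_WAN_SENSOR), ("LAN sensor", EVE_FROM_LAN_SENSOR)):
        s = classify_alerts(text, WAN_IP)
        print(f"{label}: {s.total_alerts} alerts, {s.wan_addressed} with WAN address, "
              f"placement={placement_hint(s)}, internal clients={internal_endpoints(s)}")
```

Run it against a real `eve.json` by replacing the constructed text with the file contents and `WAN_IP` with the firewall's actual WAN address: a `wan-side` result with an empty internal-client list means the alerts cannot be tied back to a LAN host from the log alone, and the interface assignment needs to move to LAN as the reply suggests.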