Hello! I have a novice question.
I have PfSense running and Suricata enabled. However, I have added/configured VLANs and was wondering if I need to have Suricata running on the physical interface as well as the VLAN interface or just on the physical interface?
Thanks for you time!
Neither, you run it on the pfsense interfaces. Really you only need to run it on WAN but you can run it on other interfaces too if you really want to.
+1
You will probably get a lot of false positives if you run it on anything other than WAN.
Also, don’t forget to set a file size limit for the log file, or it will fill your system.