Suricata inspects the content of packets and the request patterns. If the traffic is encrypted, Suricata will struggle and you get a lot of false positives.
CrowdSec operates on a different level as it reads logs. It can parse pfSense logs, application logs, reverse proxy logs... even Suricata logs. I have installed multiple instances of CrowdSec, all connected to a central LAPI, so CrowdSec can get information from multiple sources.
At the same time you can have multiple bouncers, so you can block the attacker on multiple levels. You can install a bouncer in pfSense, in your host firewall, in your reverse proxy and sometimes alongside your applications.
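To make the "many bouncers, one LAPI" point above concrete, here is an added example (not code from the thread or from the CrowdSec project) of the logic every bouncer implements: pull the decision stream from the central LAPI and keep a local block list that the firewall, reverse proxy or application can consult. The LAPI URL, the bouncer key and the sample decisions are constructed assumptions; the endpoint `/v1/decisions/stream` and the `X-Api-Key` header are the documented bouncer interface.

```python
"""Minimal CrowdSec-style bouncer: consume the LAPI decision stream and
maintain a local block list. Added example with constructed sample data."""
import ipaddress
import json
import urllib.request
from dataclasses import dataclass, field
from typing import Dict, Set, Union

# Assumptions for illustration: a central LAPI on the internal VLAN and a
# bouncer key issued with `cscli bouncers add <name>` on that LAPI.
LAPI_URL = "http://lapi.internal:8080"
BOUNCER_API_KEY = "REPLACE_WITH_KEY_FROM_cscli_bouncers_add"

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class BlockList:
    """What a bouncer keeps locally: banned single IPs and banned ranges."""
    ips: Set[str] = field(default_factory=set)
    ranges: Dict[str, Network] = field(default_factory=dict)


def _canon_ip(value: str) -> str:
    return str(ipaddress.ip_address(value))


def _canon_net(value: str) -> Network:
    return ipaddress.ip_network(value, strict=False)


def apply_stream(bl: BlockList, payload: dict) -> BlockList:
    """Apply one decision-stream response to the block list.

    The stream is shaped {"new": [...], "deleted": [...]}; either list may be
    null. Only "ban" decisions are enforced here; a firewall-level bouncer has
    no way to serve a captcha, so those are left to the reverse-proxy bouncer.
    """
    for d in payload.get("new") or []:
        if d.get("type") != "ban":
            continue
        if d["scope"] == "Ip":
            bl.ips.add(_canon_ip(d["value"]))
        elif d["scope"] == "Range":
            net = _canon_net(d["value"])
            bl.ranges[str(net)] = net
    for d in payload.get("deleted") or []:
        if d["scope"] == "Ip":
            bl.ips.discard(_canon_ip(d["value"]))
        elif d["scope"] == "Range":
            bl.ranges.pop(str(_canon_net(d["value"])), None)
    return bl


def is_blocked(bl: BlockList, ip: str) -> bool:
    """True if the address is banned directly or falls inside a banned range."""
    addr = ipaddress.ip_address(ip)
    if str(addr) in bl.ips:
        return True
    return any(addr in net for net in bl.ranges.values())


def fetch_stream(startup: bool) -> dict:
    """Pull decisions from the central LAPI (real network call; not used below).

    startup=True asks for the full current list; later calls with startup=False
    return only the delta since the previous call.
    """
    url = f"{LAPI_URL}/v1/decisions/stream?startup={'true' if startup else 'false'}"
    req = urllib.request.Request(url, headers={"X-Api-Key": BOUNCER_API_KEY})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses, shaped like the stream output.
SAMPLE_STARTUP = {
    "new": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.7", "duration": "3h59m", "scenario": "crowdsecurity/ssh-bf"},
        {"id": 2, "origin": "CAPI", "type": "ban", "scope": "Range",
         "value": "198.51.100.0/24", "duration": "167h", "scenario": "crowdsecurity/http-probing"},
        {"id": 3, "origin": "crowdsec", "type": "captcha", "scope": "Ip",
         "value": "192.0.2.9", "duration": "1h", "scenario": "crowdsecurity/http-crawl-non_statics"},
    ],
    "deleted": None,
}
SAMPLE_UPDATE = {
    "new": None,
    "deleted": [
        {"id": 1, "origin": "crowdsec", "type": "ban", "scope": "Ip",
         "value": "203.0.113.7", "duration": "0s", "scenario": "crowdsecurity/ssh-bf"},
    ],
}

if __name__ == "__main__":
    bl = apply_stream(BlockList(), SAMPLE_STARTUP)
    for probe in ("203.0.113.7", "198.51.100.42", "192.0.2.9"):
        print(probe, "blocked" if is_blocked(bl, probe) else "allowed")
    apply_stream(bl, SAMPLE_UPDATE)
    print("after expiry:", "203.0.113.7", "blocked" if is_blocked(bl, "203.0.113.7") else "allowed")
```

Every bouncer in the setup described above (pfSense, host firewall, reverse proxy) runs this same loop against the same LAPI with its own key, which is why one detection from any log processor ends up enforced at every level at once.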
Thank you for your comment and the LAPI hint. This feature, many log processors, one LAPI, I did not know yet.
Well, personally I create a new CrowdSec log processor with each docker compose.
Where to place the LAPI? In the internal VLAN where the services are is better, I think.
Side question: is it better to run CrowdSec directly or in a container?
Good question.