Block the activity not the entire IP from LAN

[gilberto.ferreira41]

Hi there.

I already have CrowdSec and Suricata working fine.
I have some rules to block some activity from external access.
And I have created some rules to block malicious activity from inside to outside.
But at this time, suricata and crowdsec are blocking the LAN IP, even when this IP are allowed only to communicate with others internal IPs.
And yes... This is what suppose to happen.
So my question is: in opnsense, there is some way to block malicious activity but not blacklist some internal IP address?
I mean, like via signature or something like that?
For instance, if some one make a nmap <EXTERNAL_IP> the crowdsec/suricata or whatever other tool, will block that kind of activity but not blocklist the IP!

I hope I could make myself clear enough.

Thank you for any help.