snort, openvpn, pass VPN IP
-
Hi there,
I'm using snort in pfsense. Sometimes, when I connect from outside by OVPN, snort blocks my IP address.
Pass List is activated and "Add VPN Addresses to the list" is checked. Is there a way to add (whitelist) an IP by script? So I would use a Telegram gateway where I post my remote IP with a passphrase to the bot, and it would then insert this IP in the firewall, for bypassing Snort.
Thanks for any hints,
Frank
-
No, there is no facility within the package to accomplish what you describe.
Perhaps you need to investigate which particular Snort rule is blocking your access and re-evaluate having that rule deployed. Maybe it should be disabled.
To be perfectly honest, the usefulness of packages such as Snort and Suricata has been greatly diminished by the rise of encryption for almost all network traffic. Web traffic, email traffic, and even lots of DNS traffic are encrypted these days. That means Snort is not able to scan that traffic at all. If it cannot scan the packet payload, it cannot offer too much in the way of protection. All it can do in the case of encrypted traffic is check the source and destination IP addresses and ports, and possibly see and analyze some SNI data in the traffic that contains it. And even the SNI analysis is going to come to a swift end as more traffic moves to the new encrypted SNI standard.
-
@bmeeks
Thanks, you're right. Will check out which rule is blocking VPN.
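
Added example, not part of the thread and not code from the Snort package: one way to see which rule is firing on the VPN client's address is to tally alerts by generator and signature ID for that IP. It assumes alerts in Snort's `alert_fast` text format and IPv4 only; the sample lines, addresses, SIDs and the `rules_hitting` helper are constructed for illustration, and the alert file on a given pfSense install may use a different layout.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in Snort's alert_fast text format (not from the thread).
# 198.51.100.7 stands in for the remote OpenVPN client's public address.
SAMPLE_ALERTS = """\
03/14-09:12:01.120000  [**] [1:1000001:1] Example UDP 1194 burst [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:51820 -> 203.0.113.10:1194
03/14-09:12:03.480000  [**] [1:1000001:1] Example UDP 1194 burst [**] [Classification: Misc activity] [Priority: 3] {UDP} 198.51.100.7:51820 -> 203.0.113.10:1194
03/14-09:13:44.010000  [**] [1:1000002:2] Example scan signature [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.0.2.55:40000 -> 203.0.113.10:443
03/14-09:15:10.900000  [**] [122:1:1] Example portscan preprocessor event [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 198.51.100.7:51821 -> 203.0.113.10:1194
"""

# [gid:sid:rev] message [**] ... {PROTO} src[:port] -> dst[:port]  (IPv4 only)
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>[\w-]+)\}\s+"
    rf"(?P<src>{IPV4})(?::\d+)?\s+->\s+(?P<dst>{IPV4})(?::\d+)?"
)


def rules_hitting(log_text, client_ip):
    """Return [((gid, sid, msg), count), ...] for alerts involving client_ip."""
    want = ipaddress.ip_address(client_ip)
    hits = Counter()
    for line in log_text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # not an alert_fast line
        try:
            ends = {ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])}
        except ValueError:
            continue  # malformed address in the log line
        # The client may appear as either endpoint of the flagged packet.
        if want in ends:
            hits[(int(m["gid"]), int(m["sid"]), m["msg"])] += 1
    return hits.most_common()


if __name__ == "__main__":
    for (gid, sid, msg), count in rules_hitting(SAMPLE_ALERTS, "198.51.100.7"):
        print(f"{count:4d}  {gid}:{sid}  {msg}")
```

The gid:sid pairs at the top of the output are the candidates to review, and to disable or suppress if they turn out to be false positives on legitimate VPN traffic.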