Any way to have snort automatically allow traffic from Private Internet Access ?
I would say once a day, snort automatically blocks PIA with the UDP traffic rule 123:8 (spp_frag3) Fragmentation overlap. I keep having to allow an IP address so the VPN traffic starts back up. My fear is that they have an unending IP range, and I will have to do this all the time.
So my question is - Is there a way to allow traffic from "choopa" (DNS lookup comes back with that) so I don't continually have to unblock IPs from my VPN? I guess disabling that rule would work, but is that wise?
I haven't used snort but what you basically want to do is either disable the role causing the false positive, or allow traffic on port 1194 (OpenVPNport).
You will have to disable the rule if you can't pin down the IP range. There is no capability for dynamic DNS lookup with either Snort or Suricata. So you can't use a DNS name in a passlist alias. This is due to the enormous overhead DNS lookups would add to packet processing. The thread would hang waiting for the DNS lookup to complete.