Generate automatic white-list for Snort
i'm currently running PFSense with Snort and VPN (Cyberghost).
But there is one problem:
Sometimes Snort blocks the IP adress of the current VPN session because of any activity (P2P, Portscan etc. from the remote VPN adress as source).
Consequently, the VPN connection breaks and VPN connects to a new server, so not really stable setup.
Is it possible to generate automatic an IP-whitelist with the remote-IP of the VPN?
The pass list, including VPN doesn't work, it only adds the virtual IP adress of the VPN but not the remote-adress of the VPN.
Do you have any solution or a script, that generates a whiteliste entry with the current VPN remote-adress?
Best regards! :)
I don't use any commercially provided VPN's so I'm not entirely certain where your problem is. However, perhaps terminating your side of the VPN on a new pfSense interface (LAN2/OPT1 whatever) introducing an additional hop may help if you want specific Snort rules (or none) for this interface only.