[Snort-users] negation of appid keyword

greg.mcnathansonsnuf003 at ...16876... greg.mcnathansonsnuf003 at ...16876...
Wed Dec 3 08:14:38 EST 2014

Hello to all snort experts,

I'm wondering if one can create a rule using a negated appid specification.

For example: Block non http traffic over known http ports

block tcp any any -> any $HTTP_PORTS (msg:”openappid: non http activity detected over http port”; !appid: http; sid:1000000; rev:1;)

or block any traffic except of a specific app:

block tcp any any -> any any (msg:”openappid: non firefox traffic detected”; !appid: firefox; sid:1000000; rev:1;)

Unfortunately this will result in an error message:

FATAL ERROR: /etc/snort/rules/custom.rules(1) Unknown rule option: '!appid'.

Any help would be appreciated.


More information about the Snort-users mailing list