[Snort-users] negation of appid keyword

Joel Esler (jesler) jesler at ...589...
Wed Dec 3 11:41:20 EST 2014


I haven’t tried this, but did you try “appid: !firefox”; 


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos

> On Dec 3, 2014, at 8:14 AM, greg.mcnathansonsnuf003 at ...16876... wrote:
> 
> Hello to all snort experts,
> 
> I'm wondering if one can create a rule using a negated appid specification.
> 
> For example: Block non http traffic over known http ports
> 
> block tcp any any -> any $HTTP_PORTS (msg:"openappid: non http activity detected over http port"; !appid: http; sid:1000000; rev:1;)
> 
> 
> or block any traffic except of a specific app:
> 
> block tcp any any -> any any (msg:"openappid: non firefox traffic detected"; !appid: firefox; sid:1000000; rev:1;)
> 
> 
> Unfortunately this will result in an error message:
> 
> FATAL ERROR: /etc/snort/rules/custom.rules(1) Unknown rule option: '!appid'.
> 
> 
> Any help would be appreciated.

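An added illustration of where the `!` sits in the rule grammar, written for this page and not taken from Snort or from either poster: a small Python parser that splits a rule into header and options, rejects an option *name* that begins with `!` with the same wording as the quoted FATAL ERROR, and reads a `!` at the start of the appid *value* as negation. The option vocabulary, the sample rules and their sid values are constructed for the example; whether Snort itself accepts `appid: !firefox` is not settled in the thread, so the code only models the syntactic distinction between the two placements.

```python
import re
from dataclasses import dataclass, field

# Assumption: a small subset of Snort's rule-option vocabulary, enough for the
# rules quoted in the thread. This is not Snort's real option table.
KNOWN_OPTIONS = {"msg", "appid", "sid", "rev", "content", "flow", "classtype"}

# action proto src sport -> dst dport (options)
HEADER_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+->\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<body>.*)\)\s*$"
)


@dataclass
class ParsedRule:
    action: str
    proto: str
    options: list = field(default_factory=list)  # (keyword, value) in rule order
    errors: list = field(default_factory=list)


def split_options(body):
    """Split the option body on ';' while honouring double quotes and '\\' escapes."""
    parts, current, in_quotes, escaped = [], [], False, False
    for ch in body:
        if escaped:
            current.append(ch)
            escaped = False
            continue
        if ch == "\\":
            current.append(ch)
            escaped = True
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        parts.append(tail)
    return [p for p in parts if p]


def parse_rule(line, known=KNOWN_OPTIONS):
    """Parse one rule line; unknown option names are recorded, not raised."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return ParsedRule("", "", errors=["malformed rule header"])
    rule = ParsedRule(m.group("action"), m.group("proto"))
    for opt in split_options(m.group("body")):
        keyword, _, value = opt.partition(":")
        keyword, value = keyword.strip(), value.strip()
        # An option name must be a plain identifier. A leading '!' can only be
        # part of the value (appid: !firefox), so '!appid' is an unknown option,
        # which is exactly the error the quoted rule produced.
        if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_.]*", keyword) or keyword not in known:
            rule.errors.append(f"Unknown rule option: '{keyword}'.")
            continue
        rule.options.append((keyword, value))
    return rule


def appid_spec(rule):
    """Return (negated, [app names]) for the rule's appid option, or None if absent."""
    for keyword, value in rule.options:
        if keyword == "appid":
            negated = value.startswith("!")
            apps = [a.strip() for a in value.lstrip("!").split(",") if a.strip()]
            return negated, apps
    return None


# Constructed sample rules: the shape from the question, then the shape suggested
# in the reply, with straight quotes and example-only sid values.
BAD_RULE = ('block tcp any any -> any $HTTP_PORTS (msg:"openappid: non http activity '
            'detected over http port"; !appid: http; sid:1000000; rev:1;)')
SUGGESTED_RULE = ('block tcp any any -> any any (msg:"openappid: non firefox traffic '
                  'detected"; appid: !firefox; sid:1000001; rev:1;)')
LIST_RULE = 'alert tcp any any -> any any (msg:"two apps"; appid: http, ssl; sid:1000002; rev:1;)'

if __name__ == "__main__":
    for rule_text in (BAD_RULE, SUGGESTED_RULE, LIST_RULE):
        parsed = parse_rule(rule_text)
        print(parsed.errors or "ok", appid_spec(parsed))
```

Running the block prints the `Unknown rule option: '!appid'.` message for the first rule and `(True, ['firefox'])` for the second, which is the difference the reply is pointing at: the negation has to be expressed inside the option's value, because the option keyword itself is looked up verbatim.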