[Snort-users] negation of appid keyword

greg.mcnathansonsnuf003 at ...16876... greg.mcnathansonsnuf003 at ...16876...
Wed Dec 3 15:47:03 EST 2014

I tried several options:
"appid: !http"
no error message, but also not the desired outcome. Maybe that rule fires only in case of an app identifier that matches "!http"
"appid: ! http"
no error messages, but also not the desired outcome. This rule fires always no matter what app is involved.
"!appid: http"
error message

Unknown rule option: '!appid'.
"![appid: http]"
error message
Unknown rule option: '![appid'.

Any ideas what I forgot?


Gesendet: Mittwoch, 03. Dezember 2014 um 17:41 Uhr
Von: "Joel Esler (jesler)" <jesler at ...589...>
An: "greg.mcnathansonsnuf003 at ...16876..." <greg.mcnathansonsnuf003 at ...979...16876...>
Cc: "snort users" <snort-users at lists.sourceforge.net>
Betreff: Re: [Snort-users] negation of appid keyword

I haven’t tried this, but did you try “appid: !firefox”; 
Joel Esler
Open Source Manager
Threat Intelligence Team Lead

On Dec 3, 2014, at 8:14 AM, greg.mcnathansonsnuf003 at ...16876... wrote: 
Hello to all snort experts,

I'm wondering if one can create a rule using a negated appid specification.

For example: Block non http traffic over known http ports

block tcp any any -> any $HTTP_PORTS (msg:”openappid: non http activity detected over http port”; !appid: http; sid:1000000; rev:1;)

or block any traffic except of a specific app:

block tcp any any -> any any (msg:”openappid: non firefox traffic detected”; !appid: firefox; sid:1000000; rev:1;)

Unfortunately this will result in an error message:

FATAL ERROR: /etc/snort/rules/custom.rules(1) Unknown rule option: '!appid'.

Any help would be appreciated.

More information about the Snort-users mailing list