[Snort-users] negation of appid keyword

greg.mcnathansonsnuf003 at ...16876... greg.mcnathansonsnuf003 at ...16876...
Wed Dec 3 15:47:03 EST 2014



I tried several options:
 
"appid: !http"
 
no error message, but also not the desired outcome. Maybe that rule fires only in case of an app identifier that matches "!http"
 
"appid: ! http"
 
no error messages, but also not the desired outcome. This rule fires always no matter what app is involved.
 
"!appid: http"
 
error message

Unknown rule option: '!appid'.
 
"![appid: http]"
 
error message
Unknown rule option: '![appid'.
 

Any ideas what I forgot?


Greg
 
 

Gesendet: Mittwoch, 03. Dezember 2014 um 17:41 Uhr
Von: "Joel Esler (jesler)" <jesler at ...589...>
An: "greg.mcnathansonsnuf003 at ...16876..." <greg.mcnathansonsnuf003 at ...979...16876...>
Cc: "snort users" <snort-users at lists.sourceforge.net>
Betreff: Re: [Snort-users] negation of appid keyword

I haven’t tried this, but did you try “appid: !firefox”; 
 
 
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos
 

On Dec 3, 2014, at 8:14 AM, greg.mcnathansonsnuf003 at ...16876... wrote: 
Hello to all snort experts,

I'm wondering if one can create a rule using a negated appid specification.

For example: Block non http traffic over known http ports

block tcp any any -> any $HTTP_PORTS (msg:”openappid: non http activity detected over http port”; !appid: http; sid:1000000; rev:1;)


or block any traffic except of a specific app:

block tcp any any -> any any (msg:”openappid: non firefox traffic detected”; !appid: firefox; sid:1000000; rev:1;)


Unfortunately this will result in an error message:

FATAL ERROR: /etc/snort/rules/custom.rules(1) Unknown rule option: '!appid'.


Any help would be appreciated.




More information about the Snort-users mailing list