The appid Keyword

You can use the appid keyword to identify the application protocol, client application, or web application in a packet. For example, you could target a specific application that you know is susceptible to a specific vulnerability.

Within the appid keyword of an intrusion rule, click Configure AppID to select one or more applications that you want to detect.

Browsing the Available Applications

When you first start to build the condition, the Available Applications list is unconstrained and displays every application the system detects, 100 per page:

  • To page through the applications, click the arrows underneath the list.

  • To display a pop-up window with summary information about the application’s characteristics, as well as Internet search links that you can follow, click the Information icon next to an application.

Using Application Filters

To help you find the applications you want to match, you can constrain the Available Applications list in the following ways:

  • To search for applications, click the Search by name prompt above the list, then type a name. The list updates as you type to display matching applications.

  • To constrain the applications by applying a filter, use the Application Filters list. The Available Applications list updates as you apply filters. For your convenience, the system uses an Unlock icon to mark applications that it can identify only in decrypted traffic, and not in encrypted or unencrypted traffic.

Note

If you select one or more filters in the Application Filters list and also search the Available Applications list, your selections and the search-filtered Available Applications list are combined using an AND operation.

Selecting Applications

To select a single application, select it and click Add to Rule. To select all applications in the current constrained view, right-click and select Select All.