Application Detection in Snort 2 and Snort 3

In Snort 2, you can enable or disable application detection through the constraints in the access control policy and through the network filters in the network discovery policy. However, constraints in the access control policy can override the network filters and re-enable application detection. For example, if you have defined network filters in the network discovery policy, but the access control policy contains constraints that require application detection (such as SSL, URL Security Intelligence, or DNS Security Intelligence), the network discovery filters are overridden and all networks are monitored for application detection. This Snort 2 functionality is not supported in Snort 3.

Note
Snort 3 is now at parity with Snort 2 with respect to enabling AppID inspection only on the particular network subnets defined in the Network Discovery policy filters, provided that no other configuration in the access control policy requires AppID to monitor all traffic.

In Snort 3, application detection is always enabled for all networks by default. To disable application detection, do the following:

Procedure

Step 1

Choose Policies > Access Control, click edit policy, and delete the application rules.

Step 2

Choose Policies > SSL and click delete to delete the SSL policy.

Step 3

Choose Policies > Network Discovery and click delete to delete the network discovery policy.

Step 4

Choose Policies > Access Control, click Edit (edit icon) next to the policy you want to edit, and then click the Security Intelligence > URLs tab to delete the URLs Allow or Block list.

Step 5

Because you cannot delete the default DNS rules, choose Policies > DNS, click edit, and uncheck the Enabled box to disable the DNS policy.

Step 6

In the access control policy, under the Advanced settings, disable the Enable Threat Intelligence Director and Enable reputation enforcement on DNS traffic options.

Step 7

Save and deploy the access control policy.