Application Detection in Snort 3

Note
Snort 3 is now at parity with Snort 2 in that AppID inspection can be enabled exclusively on the particular network subnets defined in the Network Discovery policy filters, provided that no other configuration in the access control (AC) policy requires AppID to monitor all traffic.

In Snort 3, application detection is always enabled for all networks by default. To disable application detection, do the following:

Procedure


Step 1

Choose Policies > Access Control, click edit policy, and delete the application rules.

Step 2

Choose Policies > SSL, click delete to delete the SSL policy.

Step 3

Choose Policies > Network Discovery, click delete to delete the network discovery policy.

Step 4

Choose Policies > Access Control, click Edit (edit icon) next to the policy you want to edit, and then click the Security Intelligence > URLs tab to delete the URLs Allow or Block list.

Step 5

Because you cannot delete the default DNS rules, choose Policies > DNS, click edit, and uncheck the enabled box to disable the DNS policy.

Step 6

In the access control policy, under the Advanced settings, disable the Enable Threat Intelligence Director and Enable reputation enforcement on DNS traffic options.

Step 7

Save and deploy the access control policy.