Honeypots mailing list archives

Anyone know how to use the content:! rule and replace in snort_inline?


From: "John Smith" <genericjohnsmith () gmail com>
Date: Mon, 24 Apr 2006 22:23:35 +0000

OK, so maybe I don't get how the content:!"something" rule is supposed
to work when used with replace in snort_inline. What I want to do is
replace the contents of any ping packet which does not match the
default linux ping. The default linux ping has the timestamps in its
payload and then a fixed string (hex) 08 09 0a 0b ...35. I only have
default ping packets to work with right now, but the ideas are simply
illustrated:
This works:
pass icmp any any <> any any (content:"|08 09 0a...|"; replace:"000...";)

and replaces the fixed string...so shouldn't I be able to do something like:
pass icmp any any <> any any (content:!"|ff ff ff...|"; replace:"000...";)

and then it will see that the content is NOT ff ff ff (it's 08 09 0a)
and replace it the same way it did with the first rule? Of course this
didn't work so I would appreciate it if someone could tell me where
I'm going wrong.

Is it even possible to check if content is NOT some known good pattern
and then replace anything except that?

I wanted to do a demo which showed that snort_inline could handle
stupid covert channels by doing packet rewriting, but it doesn't even
seem capable of this small feature...anyone know how to overwrite
anything EXCEPT known good content?

Much Thanks!

John
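
The rule form tried above cannot express the intended check: snort_inline's replace overwrites the bytes matched by the content option that precedes it, and a negated content matches only when the pattern is absent, so there is no matched span for replace to overwrite. The following Python script is an added example, not code from the post or from snort_inline, that implements the check the post describes directly: a payload is known good only when it has the shape given in the post (8 timestamp bytes followed by the fixed filler run 08 09 0a ... 35, taken from the post as an assumption), everything after the timestamp is overwritten otherwise, the length is kept fixed (the same constraint replace imposes), and the ICMP checksum is recomputed as any inline rewriter must. All sample payloads are constructed.

```python
import struct
from typing import Tuple

# Model of the "known good" payload described in the post: an 8-byte
# timestamp followed by a fixed filler run. The filler bytes 08..35 are
# the ones quoted in the post and are treated here as an assumption.
TIMESTAMP_LEN = 8
KNOWN_GOOD_FILLER = bytes(range(0x08, 0x36))   # 08 09 0a ... 35 (46 bytes)


def is_known_good_ping_payload(payload: bytes) -> bool:
    """True only for <8 timestamp bytes><fixed filler>, nothing more or less."""
    if len(payload) != TIMESTAMP_LEN + len(KNOWN_GOOD_FILLER):
        return False
    return payload[TIMESTAMP_LEN:] == KNOWN_GOOD_FILLER


def normalize_ping_payload(payload: bytes, fill: int = 0x00) -> Tuple[bytes, bool]:
    """Return (payload, rewritten).

    Known-good payloads pass untouched. Anything else keeps its timestamp
    (so the sender still gets an RTT) and has every later byte overwritten
    with `fill`; length never changes. Keeping the timestamp is a policy
    choice: overwriting it too would close that channel as well.
    """
    if is_known_good_ping_payload(payload):
        return payload, False
    keep = payload[:TIMESTAMP_LEN]
    out = keep + bytes([fill]) * (len(payload) - len(keep))
    return out, out != payload


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; verifying a correct packet yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build an ICMP echo request (type 8) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, chk, ident, seq) + payload


def rewrite_icmp_echo(packet: bytes) -> Tuple[bytes, bool]:
    """Apply the normalizer to an ICMP echo request/reply; other types pass."""
    if len(packet) < 8:
        return packet, False
    typ, code, _chk, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if typ not in (8, 0) or code != 0:          # only echo request / reply
        return packet, False
    payload, changed = normalize_ping_payload(packet[8:])
    if not changed:
        return packet, False
    header = struct.pack("!BBHHH", typ, code, 0, ident, seq)
    chk = icmp_checksum(header + payload)     # bytes changed, so re-checksum
    return struct.pack("!BBHHH", typ, code, chk, ident, seq) + payload, True


# Constructed sample payloads (not captured traffic).
_TS = struct.pack("!II", 1145917415, 123456)    # seconds, microseconds
SAMPLE_GOOD = _TS + KNOWN_GOOD_FILLER
_HIDDEN = b"hidden message in ping"
SAMPLE_COVERT = _TS + _HIDDEN + KNOWN_GOOD_FILLER[len(_HIDDEN):]  # same length


if __name__ == "__main__":
    for name, p in (("default", SAMPLE_GOOD), ("covert", SAMPLE_COVERT)):
        out, changed = rewrite_icmp_echo(build_echo(p))
        print(f"{name}: rewritten={changed} checksum_ok={icmp_checksum(out) == 0} "
              f"payload={out[8:24].hex()}...")
```

Because the decision is "does the whole payload equal the known-good shape", a differently sized payload (a 32-byte Windows-style one, say) is rewritten as well, which is the "anything except known good" behaviour the post asks for; a positive content match on the filler, as in the first rule, would simply not fire on it.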

