Metadata Keywords

Metadata keywords have no immediate effect on rule matching. However, they affect reporting when a rule matches.


The keyword msg contains textual information about the signature and the possible alert.

The format of msg is:

msg: "some description";


msg:"ATTACK-RESPONSES 403 Forbidden";
msg:"ET EXPLOIT SMB-DS DCERPC PnP bind attempt";


The following characters must be escaped inside the msg: ; \ "


The keyword sid (signature ID) assigns an ID to every signature. The ID is a number. The format of sid is:



rev represents the version of the signature. Each time a signature is updated, rev ought to be incremented. Its format is:



The classtype keyword provides information on the classification of rules and alerts. It consists of a short name which can be translated as a priority for reporting purposes.

This example reports a hit of class “trojan-activity”:

drop tcp any any -> any any (msg:"classtype example"; content:"placeholder"; \
classtype:trojan-activity; sid:1; rev:1;)


It is a convention that classtype comes before sid and rev and after the rest of the keywords.


The reference keyword provides additional information on the purpose of the rule and the attack it detects. reference can appear multiple times in a signature. This keyword is meant for signature writers and analysts who investigate why a signature has matched. It has the following format:

reference: type, reference

For example, a typical reference to would be:

reference: url,

Several other systems can also be used as a reference. A well-known example is the CVE database, which assigns numbers to vulnerabilities. You can refer to it as follows, for example:

reference: cve, CVE-2014-1234

This creates a reference to



cognitix Threat Defender does not support this keyword.


With the metadata keyword, additional, non-functional information can be added to the signature. The format is:

metadata: key value;
metadata: key value, key value;

The metadata keyword is often used to encode the signature creation timestamp (created_at) and the last update timestamp (updated_at).


metadata:created_at 2010_09_23, updated_at 2010_09_23;
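The following parser, added here as an example and not part of the cognitix or Suricata documentation, pulls the metadata keywords described above out of a rule: it honours the escaping rules for msg (an escaped ; or " must not end the option), collects repeated reference keywords, and splits metadata into its key/value pairs. The sample rule and its url reference are constructed placeholders.

```python
import re

# Constructed sample rule (the reference URL is a placeholder) exercising the keywords above.
SAMPLE_RULE = (
    'alert tcp any any -> any any (msg:"ATTACK-RESPONSES 403 Forbidden \\"demo\\"\\; x"; '
    'content:"placeholder"; reference:cve,CVE-2014-1234; reference:url,example.invalid/advisory; '
    'classtype:trojan-activity; sid:1; rev:1; '
    'metadata:created_at 2010_09_23, updated_at 2010_09_23;)'
)

def split_options(body):
    """Split an option block on ';' while honouring backslash escapes and
    quoted strings, so an escaped ';' or '"' inside msg does not end the option."""
    options, buf, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            escaped = False
        elif ch == '\\':
            escaped = True
        elif ch == '"':
            quoted = not quoted
        elif ch == ';' and not quoted:
            options.append(''.join(buf).strip())
            buf = []
            continue
        buf.append(ch)
    if ''.join(buf).strip():
        raise ValueError('option not terminated by ";"')
    return [tuple(s.strip() for s in opt.partition(':')[::2]) for opt in options]

def parse_metadata(rule):
    """Return the reporting-only (metadata) keywords of one Suricata rule."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    out = {'reference': [], 'metadata': {}}
    for kw, val in split_options(body):
        if kw == 'msg':
            # Drop the surrounding quotes and undo the three required escapes: \; \\ \"
            out['msg'] = re.sub(r'\\([;\\"])', r'\1', val[1:-1])
        elif kw in ('sid', 'rev'):
            out[kw] = int(val)
        elif kw == 'classtype':
            out[kw] = val
        elif kw == 'reference':                 # may appear several times
            rtype, _, ref = val.partition(',')
            out['reference'].append((rtype.strip(), ref.strip()))
        elif kw == 'metadata':                  # "key value, key value"
            for item in val.split(','):
                key, _, value = item.strip().partition(' ')
                out['metadata'][key] = value.strip()
    return out
```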