Metadata keywords have no immediate effect on rule matching. However, they affect reporting when a rule matches.
msg contains textual information about the signature and the possible alert.
The format of msg is:
msg: "some description";
Examples:
msg:"ATTACK-RESPONSES 403 Forbidden";
msg:"ET EXPLOIT SMB-DS DCERPC PnP bind attempt";
The following characters must be escaped inside the msg:
The sid keyword (signature ID) gives every signature its own ID, stated as a number. The format of
The rev keyword represents the version of the signature. Each time a signature is updated, rev ought to be incremented. Its format is:
The classtype keyword provides information on the classification of rules and alerts. It consists of a short name which can be translated as a priority for reporting purposes.
This example reports a hit of class “trojan-activity”:
drop tcp any any -> any any (msg:"classtype example"; content:"placeholder"; \
classtype:trojan-activity; sid:1; rev:1;)
It is a convention that classtype comes before rev and after the rest of the keywords.
The reference keyword provides additional information on the purpose of the rule and the attack it detects. reference can appear multiple times in a signature. This keyword is meant for signature writers and analysts who investigate why a signature has matched. It has the following format:
reference: type, reference
For example, a typical reference to www.genua.de would be:
reference: url, www.genua.de
In addition, there are also several systems that can be used as a reference. A commonly known example is the CVE-database that assigns numbers to vulnerabilities. You can refer to it as follows, for example:
reference: cve, CVE-2014-1234
This creates a reference to http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1234.
cognitix Threat Defender does not support this keyword.
With the metadata keyword, additional, non-functional information can be added to the signature.
The format is:
metadata: key value; metadata: key value, key value;
The metadata keyword is often used to record the signature creation (created_at) and last update (updated_at) timestamps:
metadata:created_at 2010_09_23, updated_at 2010_09_23;
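The following is an added example, not code from this page, from cognitix Threat Defender or from Suricata: a small Python parser that pulls the reporting keywords described above (msg, sid, rev, classtype, reference, metadata) out of a rule, splits options on `;` only outside the quoted msg (so an escaped quote or semicolon inside msg does not break the field), expands a cve or url reference into the link the text describes, checks the stated classtype-ordering convention, and increments rev the way an update should. The sample rule, its sid and its timestamps are constructed placeholders; the reading of "the rest of the keywords" as the non-metadata keywords is an assumption.

```python
"""Extract the reporting (metadata) keywords of a Suricata-style rule.

Added example; the sample rule below is constructed and is not from any ruleset.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample rule. sid, rev and the CVE number are placeholders.
# The msg contains an escaped quote and an escaped semicolon on purpose.
SAMPLE_RULE = (
    'alert tcp any any -> any any (msg:"ET EXAMPLE quoted \\"Forbidden\\" response\\; see log"; '
    'content:"placeholder"; reference:cve,CVE-2014-1234; reference:url,www.genua.de; '
    'classtype:trojan-activity; sid:1000001; rev:2; '
    'metadata:created_at 2010_09_23, updated_at 2010_09_23;)'
)

# Keywords the text treats as metadata (no effect on matching, used for reporting).
META_KEYWORDS = {"msg", "sid", "rev", "classtype", "reference", "metadata"}

# Link prefixes named on the page; other reference systems would be added here.
REFERENCE_PREFIXES = {
    "url": "http://",
    "cve": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=",
}


def split_options(rule: str) -> list[tuple[str, str]]:
    """Split the option body "( ... )" into (keyword, value) pairs.

    ';' ends an option only outside double quotes; inside quotes a backslash
    escapes the next character, so '\\"' and '\\;' stay part of the value.
    """
    body = rule[rule.index("(") + 1:rule.rindex(")")]
    options, current, in_quotes, i = [], [], False, 0
    while i < len(body):
        ch = body[i]
        if ch == "\\" and in_quotes and i + 1 < len(body):
            current.append(body[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    if "".join(current).strip():  # option without a trailing ';'
        options.append("".join(current))
    pairs = []
    for opt in options:
        keyword, _, value = opt.strip().partition(":")
        pairs.append((keyword.strip(), value.strip()))
    return pairs


def unquote(value: str) -> str:
    """Strip the surrounding quotes of msg and drop the escaping backslashes."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)


@dataclass
class RuleMeta:
    msg: str = ""
    sid: int | None = None
    rev: int | None = None
    classtype: str | None = None
    references: list[tuple[str, str]] = field(default_factory=list)
    metadata: dict[str, list[str]] = field(default_factory=dict)
    keyword_order: list[str] = field(default_factory=list)


def parse_meta(rule: str) -> RuleMeta:
    """Collect the reporting keywords; everything else is only recorded by position."""
    meta = RuleMeta()
    for keyword, value in split_options(rule):
        meta.keyword_order.append(keyword)
        if keyword == "msg":
            meta.msg = unquote(value)
        elif keyword == "sid":
            meta.sid = int(value)
        elif keyword == "rev":
            meta.rev = int(value)
        elif keyword == "classtype":
            meta.classtype = value
        elif keyword == "reference":  # may appear several times
            ref_type, _, ref = value.partition(",")
            meta.references.append((ref_type.strip(), ref.strip()))
        elif keyword == "metadata":  # "key value, key value"
            for item in value.split(","):
                key, _, val = item.strip().partition(" ")
                meta.metadata.setdefault(key, []).append(val.strip())
    return meta


def reference_url(ref_type: str, ref: str) -> str:
    """Expand a reference into the link an analyst would follow."""
    return REFERENCE_PREFIXES.get(ref_type.lower(), "") + ref


def classtype_placement_ok(order: list[str]) -> bool:
    """Convention from the text: classtype after the rest of the keywords, before rev.

    Assumption: "the rest" means the non-metadata keywords (content etc.).
    """
    if "classtype" not in order or "rev" not in order:
        return True
    ct = order.index("classtype")
    if ct > order.index("rev"):
        return False
    return all(i < ct for i, kw in enumerate(order) if kw not in META_KEYWORDS)


def bump_rev(rule: str) -> str:
    """Increment rev, as should happen each time a signature is updated."""
    return re.sub(r"\brev:\s*(\d+)\s*;",
                  lambda m: f"rev:{int(m.group(1)) + 1};", rule, count=1)


if __name__ == "__main__":
    meta = parse_meta(SAMPLE_RULE)
    print(meta)
    print([reference_url(t, r) for t, r in meta.references])
    print("classtype placement ok:", classtype_placement_ok(meta.keyword_order))
    print(bump_rev(SAMPLE_RULE))
```

Because `split_options` tracks the quoted state, a msg such as `"403 \"Forbidden\"\; retry"` is reported as one field rather than being cut at the escaped semicolon; the placement check is a lint for rule authors, not something the matching engine enforces.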