Metadata Search Guidelines

To search for rules that use the metadata keyword, select the metadata keyword on the rules Search page and, optionally, type any portion of the metadata. For example, you can type:

search to display all rules where you have used search for key .
search http to display all rules where you have used search for key and http for value .
author snortguru to display all rules where you have used author for key and SnortGuru for value .

author s to display all rules where you have used author for key and any terms such as SnortGuru or SnortUser1 or SnortUser2 for value .

Tip	When you search for both `key` and `value` , use the same connecting operator (equal to [`=`] or a space character) in searches that is used in the `key value` argument in the rule; searches return different results depending on whether you follow `key` with equal to (`=`) or a space character.

Note that regardless of the format you use to add metadata, the system interprets your metadata search term as all or part of a key value or key =value argument. For example, the following would be valid metadata that does not follow a key value or key =value format:


ab cd ef gh

However, the system would interpret each space in the example as a separator between a key and value . Thus, you could successfully locate a rule containing the example metadata using any of the following searches for juxtaposed and single terms:


cd ef
ef gh
ef

but you would not locate the rule using the following search, which the system would interpret as a single key value argument:


ab ef