The metadata Keyword

You can use the metadata keyword to add your own descriptive information to a rule. You can also use the metadata keyword with service arguments to identify applications and ports in network traffic. You can use the information you add to organize or identify rules in ways that suit your needs, and you can search rules for information you add and for service arguments.

The system validates metadata based on the argument format:

key value

where key and value provide a combined description separated by a space. This is the format used by the Talos Intelligence Group for adding metadata to rules provided by Cisco.

Alternatively, you can also use the format:

key = value

For example, you could use the key value format to record who wrote a rule and when, with the category (author) as the key and the detail (name and date) as the value:

author SnortGuru_20050406

You can use multiple metadata keywords in a rule. You can also use commas to separate multiple key value arguments in a single metadata keyword, as seen in the following example:

author SnortGuru_20050406, revised_by SnortUser1_20050707,
revised_by SnortUser2_20061003,
revised_by SnortUser1_20070123

You are not limited to using the key value or key = value format; however, because the system validates and searches metadata according to these formats, arguments written in any other form are subject to the limitations described below.

Restricted Characters to Avoid

Note the following character restrictions:

  • Do not use a semicolon (;) or colon (:).

  • The system interprets a comma as the separator between multiple key value or key = value arguments. For example:

    key value ,key value ,key value

  • The system interprets an equals sign (=) or a space as the separator between key and value. For example:

    key value

    key = value

All other characters are permitted.

Reserved Metadata to Avoid

Avoid using the following words in a metadata keyword, either as a single argument or as the key in a key value argument; these are reserved for use by Talos:

application
engine
impact_flag
os
policy
rule-type
rule-flushing
soid

Note

Contact Support for assistance in adding restricted metadata to local rules that might not otherwise function as expected.

Impact Level 1

You can use the following reserved key value argument in a metadata keyword:

impact_flag red

This key value argument sets the impact flag to red (level 1) for a local rule you import or a custom rule you create using the intrusion rules editor.

Note that when Talos includes the impact_flag red argument in a rule provided by Cisco, Talos has determined that a packet triggering the rule indicates that the source or destination host is potentially compromised by a virus, trojan, or other piece of malicious software.
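The validation rules above (comma-separated arguments, key and value split on the first equals sign or space, no semicolon or colon, the reserved Talos keys, and the one permitted reserved pair impact_flag red) are easy to get wrong in a hand-written local rule. The following Python script is an added example, not code from this page or from Cisco or Snort: it pulls every metadata keyword out of a rule's option section, parses it the way this page describes, and reports anything a local rule author should fix before importing. The rule text in SAMPLE_RULE is constructed for the example, as are the function names, the value given to the reserved key engine (there only to trigger the check), and the wording of the warnings.

```python
from __future__ import annotations

import re

# Keys this page lists as reserved for Talos: do not use them as a bare
# argument or as the key of a key value argument in a local rule.
RESERVED_KEYS = {
    "application", "engine", "impact_flag", "os", "policy",
    "rule-type", "rule-flushing", "soid",
}

# The one reserved argument the page says a local rule may use
# (sets the impact flag to red, level 1).
IMPACT_RED = ("impact_flag", "red")

# '=' with optional surrounding spaces, or a run of spaces, separates key from value.
_KV_SEP = re.compile(r"\s*=\s*|\s+")

# Constructed sample rule (not a Cisco/Talos rule). "engine = preproc" is
# deliberately wrong so the lint below has something to flag.
SAMPLE_RULE = (
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 ('
    'msg:"LOCAL metadata demo: GET request"; flow:to_server,established; '
    'content:"GET"; '
    'metadata:author SnortGuru_20050406, revised_by SnortUser1_20050707; '
    'metadata:impact_flag red, engine = preproc; '
    'sid:1000001; rev:1;)'
)


def split_options(rule: str) -> list[str]:
    """Return the option statements between the rule's parentheses.

    Statements are split on ';' outside double quotes, so a quoted msg
    string cannot terminate a statement early.
    """
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end == -1 or end < start:
        raise ValueError("rule has no option section")
    options: list[str] = []
    current: list[str] = []
    in_quotes = False
    for ch in rule[start + 1:end]:
        escaped = bool(current) and current[-1] == "\\"
        if ch == '"' and not escaped:
            in_quotes = not in_quotes
        if ch == ";" and not in_quotes:
            options.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    tail = "".join(current).strip()
    if tail:
        options.append(tail)
    return [opt for opt in options if opt]


def metadata_args(rule: str) -> list[str]:
    """Return the raw argument of every metadata keyword (a rule may have several)."""
    args = []
    for opt in split_options(rule):
        name, sep, arg = opt.partition(":")
        if sep and name.strip() == "metadata":
            args.append(arg.strip())
    return args


def parse_metadata(arg: str) -> list[tuple[str, str | None]]:
    """Split one metadata argument into (key, value) pairs as this page describes.

    Commas separate arguments; inside an argument the first '=' or space
    separates key from value. A bare word comes back as (word, None).
    """
    pairs: list[tuple[str, str | None]] = []
    for item in arg.split(","):
        item = item.strip()
        if not item:
            continue
        parts = _KV_SEP.split(item, maxsplit=1)
        value = parts[1] if len(parts) > 1 and parts[1] else None
        pairs.append((parts[0], value))
    return pairs


def lint_metadata(arg: str) -> list[str]:
    """Return warnings a local rule author should resolve before importing."""
    warnings = []
    for ch in ";:":
        if ch in arg:
            warnings.append(f"restricted character {ch!r} in metadata")
    for key, value in parse_metadata(arg):
        if key in RESERVED_KEYS and (key, value) != IMPACT_RED:
            warnings.append(f"reserved key {key!r} (Talos only)")
        elif value is None:
            warnings.append(f"bare argument {key!r} is not in key value form")
    return warnings


def impact_level(arg: str) -> int | None:
    """1 when the argument sets impact_flag red, otherwise None."""
    return 1 if IMPACT_RED in parse_metadata(arg) else None


if __name__ == "__main__":
    for arg in metadata_args(SAMPLE_RULE):
        print(arg)
        print("  pairs:   ", parse_metadata(arg))
        print("  warnings:", lint_metadata(arg))
        print("  impact:  ", impact_level(arg))
```

Running it against SAMPLE_RULE prints no warnings for the first metadata keyword and one "reserved key 'engine'" warning for the second, while still recognising impact_flag red as the permitted level 1 pair. The splitter deliberately works on the whole option section rather than a regular expression over the rule, because a semicolon is the option terminator in a Snort rule, which is the practical reason the page forbids it inside metadata.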