The metadata option adds additional, arbitrary information to a rule in the form of key-value pairs. A few keys have special meanings to Snort and Snort products (such as policy), but generally speaking this option is free-form and can contain arbitrary keys and values.
Within each pair, the key and its value are separated by a space, and rule writers can include multiple key-value pairs in this option by separating them with commas. A key's value can have spaces in it; only the first space separates the key from the value.
Note: Service declarations were made in the metadata option in Snort 2, but Snort 3 has moved these declarations to an entirely new keyword,
metadata:key value[, key value]…;
metadata:policy max-detect-ips drop;
metadata:policy max-detect-ips drop, policy security-ips drop;
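
The splitting rules above (commas between pairs, first space between key and value) can be checked with a small parser when auditing which policies a rule set belongs to. This is an added example, not Snort's own parser: the function names and the sample rule options are constructed, values are assumed to contain no commas, and the policy value is read as a policy name followed by an action, as the examples above suggest.

```python
import re
from collections import defaultdict

# Constructed sample rule options, reusing the metadata example from this page.
SAMPLE_OPTIONS = (
    'msg:"constructed example"; '
    'metadata:policy max-detect-ips drop, policy security-ips drop; '
    'sid:1000001;'
)

# Simplification: does not skip quoted strings that happen to contain "metadata:".
_METADATA_RE = re.compile(r'\bmetadata\s*:\s*([^;]*);')


def parse_metadata(body):
    """Parse the text between 'metadata:' and ';' into {key: [values]}.

    Pairs are split on commas; inside a pair only the FIRST space separates
    the key from the value, so the value itself may contain spaces.
    Keys may repeat, so each key maps to a list of values.
    Assumption: values contain no commas (the page describes no escaping).
    """
    pairs = defaultdict(list)
    for raw in body.split(','):
        pair = raw.strip()
        if not pair:
            continue
        key, sep, value = pair.partition(' ')
        if not sep or not value.strip():
            raise ValueError(f'metadata pair has no value: {pair!r}')
        pairs[key].append(value.strip())
    return dict(pairs)


def rule_policies(options):
    """Return {policy_name: action} for every 'policy' key in a rule's options."""
    result = {}
    for match in _METADATA_RE.finditer(options):
        for value in parse_metadata(match.group(1)).get('policy', []):
            name, _, action = value.partition(' ')
            result[name] = action
    return result


if __name__ == '__main__':
    print(rule_policies(SAMPLE_OPTIONS))
```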