metadata

The metadata option attaches arbitrary additional information to a rule in the form of key-value pairs. A few keys have special meanings to Snort and Snort products (such as policy), but generally speaking this option is free-form and can contain arbitrary keys and values.

Within each pair, the key is separated from its value by a space, and rule writers can include multiple key-value pairs in this option by separating them with commas. A key's value can itself contain spaces: only the first space in a pair separates the key from the value.

Note: Service declarations were made in the metadata option in Snort 2, but Snort 3 has moved these declarations to an entirely new keyword, service.

Format:

metadata:key value[, key value]…;

Examples:

metadata:policy max-detect-ips drop;
metadata:policy max-detect-ips drop, policy security-ips drop;
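
The following added example, which is not part of the Snort documentation or code base, applies the parsing rules above in Python: it pulls the metadata option out of a rule, splits it into key-value pairs at the first space, and lists any Snort 2-style service entries still held in metadata. The sample rule, its sid and the function names are constructed for illustration, and the extraction assumes the option body contains no semicolon.

```python
import re

# Constructed sample rule: quoted strings contain text that must not be
# mistaken for a metadata option or an option terminator.
SAMPLE_RULE = (
    'alert tcp any any -> any 80 (msg:"metadata:fake x; test"; content:"a;b"; '
    'metadata:policy max-detect-ips drop, service http; sid:1000001;)'
)

# Match either a quoted string (consumed and ignored) or a metadata option body.
_OPTION = re.compile(r'"(?:\\.|[^"\\])*"|\bmetadata\s*:\s*([^;]*);')


def parse_metadata(body):
    """Split a metadata option body into (key, value) pairs.

    Commas separate pairs. Inside a pair the first space separates the
    key from the value, so the value may itself contain spaces.
    """
    pairs = []
    for item in body.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition(" ")
        pairs.append((key, value.strip()))
    return pairs


def rule_metadata(rule):
    """Return every metadata pair found in one rule's text."""
    pairs = []
    for match in _OPTION.finditer(rule):
        if match.group(1) is not None:  # None means a quoted string matched
            pairs.extend(parse_metadata(match.group(1)))
    return pairs


def snort2_service_keys(pairs):
    """Values of 'service' keys, which Snort 3 declares with the service keyword."""
    return [value for key, value in pairs if key == "service"]


if __name__ == "__main__":
    found = rule_metadata(SAMPLE_RULE)
    print(found)
    print("move to service keyword:", snort2_service_keys(found))
```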