reference

The reference rule option provides additional context to rules in the form of links to relevant attack identification systems.

This option takes two arguments separated by a comma. The first argument is the scheme, which is the attack identification system being referenced, and the second argument is the id, which is the specific identifier within that system.

There are a few scheme types known to Snort by default, but the two most commonly used are cve and url.

For example, consider the CVE identification system, which identifies a software vulnerability via a CVE record that is formatted like "CVE-XXXX-YYYY", where "XXXX" is the year the vulnerability was identified and "YYYY" is a unique numeric identifier. Snort rule writers can reference a CVE record in a rule with a reference option that has scheme set to cve and id set to the "XXXX-YYYY" portion of the record. For instance, reference:cve,2020-1234 adds a reference to CVE-2020-1234 to the rule.

Format:

reference:scheme,id;

Examples:

reference:url,www.example.com;
reference:cve,2020-1234;
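
A small linter for the format described above, given as an added example that is not part of the Snort documentation or code base: it extracts every reference option from a rule and checks that it has both arguments and that a cve id is only the "XXXX-YYYY" portion. The function name check_references, the sample rules and their sids are constructed for illustration.

```python
import re

CVE_ID = re.compile(r"\d{4}-\d{4,}")        # the "XXXX-YYYY" portion only
QUOTED = re.compile(r'"(?:\\.|[^"\\])*"')    # quoted values such as msg or content
REFERENCE = re.compile(r"(?:(?<=[;(])|^)\s*reference\s*:\s*([^;]*);")

def check_references(rule):
    """Return one (scheme, id, problem) tuple per reference option.

    problem is None when the option matches the documented format.
    """
    # Blank out quoted strings so "reference:" text inside msg is not parsed.
    body = QUOTED.sub('""', rule)
    findings = []
    for match in REFERENCE.finditer(body):
        scheme, _, ref_id = (p.strip() for p in match.group(1).partition(","))
        problem = None
        if not scheme or not ref_id:
            problem = "expected two arguments: scheme,id"
        elif scheme == "cve":
            if ref_id.upper().startswith("CVE-"):
                problem = "use only the XXXX-YYYY portion, without the CVE- prefix"
            elif not CVE_ID.fullmatch(ref_id):
                problem = "cve id is not in XXXX-YYYY form"
        # Other schemes (url included) are passed through without id checks.
        findings.append((scheme, ref_id, problem))
    return findings

# Constructed sample rules (not real signatures).
RULE_OK = ('alert tcp any any -> any 80 ( msg:"constructed; reference:cve,bad; in msg"; '
           'content:"abc"; reference:url,www.example.com; reference:cve,2020-1234; '
           'sid:1000001; )')
RULE_BAD = ('alert tcp any any -> any 80 ( msg:"constructed sample"; '
            'reference:cve,CVE-2020-1234; reference:cve; sid:1000002; )')

if __name__ == "__main__":
    for rule in (RULE_OK, RULE_BAD):
        for scheme, ref_id, problem in check_references(rule):
            print(f"reference:{scheme},{ref_id}; -> {problem or 'ok'}")
```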