The reference rule option provides additional context to rules in the form of links to relevant attack identification systems. This option takes two arguments separated by a comma. The first argument is the scheme, which is the attack identification system being referenced, and the second argument is the id, which is the specific identifier within that system.

There are a few scheme types known to Snort by default, but the two most common ones used are

For example, consider the CVE identification system, which identifies a software vulnerability via a CVE record formatted like "CVE-XXXX-YYYY", where "XXXX" is the year the vulnerability was identified and "YYYY" is a unique numeric identifier. Snort rule writers can put references to CVE records in rules with a reference option that has scheme set to cve and id set to the "XXXX-YYYY" portion of the record. For example, reference:cve,2020-1234 puts in the rule a reference to
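As an added example (not code from the Snort documentation or the Snort project), the Python below extracts every reference option from a rule's option body and checks a cve id against the "XXXX-YYYY" shape described above. The SCHEME_URL_PREFIX table and the sample rule in the test are constructed placeholders, and the cve check accepts four or more digits in the sequence part because modern CVE records can have them.

```python
import re

# Assumed scheme -> URL prefix map (placeholders only). Real Snort resolves
# schemes through its own reference configuration, not through this table.
SCHEME_URL_PREFIX = {"cve": "https://example.invalid/cve/CVE-", "url": "http://"}
# A cve id is the "XXXX-YYYY" part of the record: a 4-digit year and a numeric
# sequence (modern CVE records allow four or more digits in the sequence).
CVE_ID_RE = re.compile(r"^\d{4}-\d{4,}$")


def split_options(rule):
    # Split the option body between the outer parentheses on ';', ignoring
    # ';' inside double-quoted values such as content:"a;b".
    start, end = rule.find("("), rule.rfind(")")
    if start == -1 or end < start:
        raise ValueError("rule has no option body")
    opts, cur, in_quote, escaped = [], [], False, False
    for ch in rule[start + 1:end]:
        if escaped:
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            opts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    opts.append("".join(cur).strip())
    return [o for o in opts if o]


def extract_references(rule):
    # Return (scheme, id) pairs for every reference option in the rule.
    refs = []
    for opt in split_options(rule):
        name, sep, value = opt.partition(":")
        if name.strip() != "reference" or not sep:
            continue
        scheme, sep, ident = value.partition(",")
        if not sep:
            raise ValueError(f"reference option needs scheme,id: {opt!r}")
        refs.append((scheme.strip().lower(), ident.strip()))
    return refs


def resolve(scheme, ident):
    # Check the id against the scheme's format, then build the link.
    if scheme not in SCHEME_URL_PREFIX:
        raise ValueError(f"unknown reference scheme: {scheme}")
    if scheme == "cve" and not CVE_ID_RE.match(ident):
        raise ValueError(f"cve id must look like XXXX-YYYY, got {ident!r}")
    return SCHEME_URL_PREFIX[scheme] + ident
```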