Rule Metadata & Exploit Signature Difficulties

Creating reliable and performant detection logic for Suricata and Snort is the primary focus of the Emerging Threats team; however, we are frequently looking to improve several other aspects of our rules on a day-to-day basis. One of these aspects is the metadata of our rules, which can be incredibly insightful to those utilizing our rulesets in many different ways. More specifically, this post focuses on metadata from an exploit signature perspective: how metadata can be used to extract information about exploit signatures, and the changes we are making to this metadata on an ongoing basis.


Signature Dissection - Round 1!

Recently, I was speaking to Forgotten and a couple of others regarding the information and guidance available for truly understanding Snort/Suricata signatures. While documentation and the odd blog post do exist, the more advanced features and the lack of context for signatures can become overwhelming rather quickly without guidance. This post aims to dissect Suricata signatures of various difficulties, with an explanation of how each signature works.
