[Snort-users] Rules-metadata option

Alex Adamos alexthakidadam at ...125...
Mon Oct 1 12:31:23 EDT 2012

what is exactly the metadata option at the preprocessor rules? for example, 

alert ( msg: "FRAG3_IPOPTIONS"; sid: 1; gid: 123; rev: 1; metadata: rule-type preproc ; classtype:protocol-command-decode; )

when does this rule get fired? the pattern matcher will match what exactly??? i mean that this rule

# alert tcp $ any any -> any any (msg:"bla"; content:"!@|23|"; sid:1; rev:9;)

gets fired when there is a content "!@|23|", but what about the preproc rule??
