0x00 来源

解压自snortrules-snapshot-2975.tar.gz，来自于<解压目录>/etc/
　　　classification.config
　　　reference.config
　　　sid-msg.map
　　　snort.conf
　　　threshold.conf
　　　unicode.map
将这些.conf和.map文件放在/etc/snort 目录下，具体的请看 CentOS6.6下基于snort+barnyard2+base的入侵检测系统的搭建

0x01 文件内容

reference文件一共就这几行。

# $Id: reference.config,v 1.6 2012/01/06 15:27:28 hcao Exp $
# The following defines URLs for the references found in the rules
#
# config reference: system URL

config reference: bugtraq   http://www.securityfocus.com/bid/ 
config reference: cve       http://cve.mitre.org/cgi-bin/cvename.cgi?name=
config reference: arachNIDS http://www.whitehats.com/info/IDS
config reference: osvdb     http://osvdb.org/show/osvdb/

# Note, this one needs a suffix as well.... lets add that in a bit.
config reference: McAfee    http://vil.nai.com/vil/content/v_
config reference: nessus    http://cgi.nessus.org/plugins/dump.php3?id=
config reference: url       http://
config reference: msb       http://technet.microsoft.com/en-us/security/bulletin/

我们可以看到这都是一些安全网站，漏洞平台的网址，或者是自己可以自定义的url。

0x02 修饰符

reference修饰符，字面意思就是“参考”，我觉得没多大作用，就是联系外部的恶意攻击检测网站中关于此类攻击的页面。
举个例子。

alert tcp any any -> any 21 (msg:"IDS287/ftp-wuftp260-venglin-linux"; flags:AP; content:"|31c031db 31c9b046 cd80 31c031db|"; reference:arachnids,IDS287; reference:bugtraq,1387; reference:cve,CAN-2000-1574;)

上面定义了三个reference，拿一个来讲，reference:cve,CAN-2000-1574。
我们从reference.config文件中看到关于cve网站的定义
config reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=
这里就相当于构造了这么一个url
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2000-1574

把name后面的具体的ID号给填写上了，形成如下图这种效果：

reference

点击一下，就会跳到对应的网站这个漏洞的页面上去了。

0x03 数据库

与reference有关系的有三个表，

mysql> desc reference_system;
+-----------------+------------------+------+-----+---------+----------------+
| Field           | Type             | Null | Key | Default | Extra          |
+-----------------+------------------+------+-----+---------+----------------+
| ref_system_id   | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| ref_system_name | varchar(20)      | YES  |     | NULL    |                |
+-----------------+------------------+------+-----+---------+----------------+
2 rows in set (0.00 sec)

mysql> desc reference
    -> ;
+---------------+------------------+------+-----+---------+----------------+
| Field         | Type             | Null | Key | Default | Extra          |
+---------------+------------------+------+-----+---------+----------------+
| ref_id        | int(10) unsigned | NO   | PRI | NULL    | auto_increment |
| ref_system_id | int(10) unsigned | NO   |     | NULL    |                |
| ref_tag       | text             | NO   |     | NULL    |                |
+---------------+------------------+------+-----+---------+----------------+
3 rows in set (0.01 sec)

mysql> desc sig_reference;
+---------+------------------+------+-----+---------+-------+
| Field   | Type             | Null | Key | Default | Extra |
+---------+------------------+------+-----+---------+-------+
| sig_id  | int(10) unsigned | NO   | PRI | NULL    |       |
| ref_seq | int(10) unsigned | NO   | PRI | NULL    |       |
| ref_id  | int(10) unsigned | NO   |     | NULL    |       |
+---------+------------------+------+-----+---------+-------+
3 rows in set (0.00 sec)

未完待续，但是感觉这部分和入侵检测关系不大。