Next: Protocols Up: Rules Headers Previous: Rules Headers   Contents


Rule Actions

The rule header contains the information that defines the who, where, and what of a packet, as well as what to do if a packet with all the attributes indicated in the rule shows up. The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are five default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have three additional options: drop, reject, and sdrop.

  1. alert - generate an alert using the selected alert method, and then log the packet

  2. log - log the packet

  3. pass - ignore the packet

  4. activate - alert and then turn on another dynamic rule

  5. dynamic - remain idle until activated by an activate rule, then act as a log rule

  6. drop - block and log the packet

  7. reject - block the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP

  8. sdrop - block the packet but do not log it

You can also define your own rule types and associate one or more output plugins with them. You can then use the rule types as actions in Snort rules.

This example creates a rule type that logs only to tcpdump:

    ruletype suspicious
    {
        type log 
        output log_tcpdump: suspicious.log
    }

This example creates a rule type that alerts to syslog and logs to tcpdump:

    ruletype redalert
    {
        type alert
        output alert_syslog: LOG_AUTH LOG_ALERT
        output log_tcpdump: suspicious.log
    }
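As an added example that is not part of the Snort manual, the following Python script parses ruletype blocks like the two above and then checks the action field of each rule line against the five default actions, the inline-only actions (drop, reject, sdrop) and the custom types it found. The configuration and rule text embedded in it are constructed for the example; the requirement that a ruletype's `type` be one of the five default actions is an assumption of this checker, not something the manual states.

```python
import re

# Actions listed in the Snort manual's "Rule Actions" section.
DEFAULT_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}   # only meaningful in inline mode

# ruletype <name> { type <base>  output <plugin>: <args> ... }
RULETYPE_RE = re.compile(r"ruletype\s+(\w+)\s*\{(.*?)\}", re.S)
# <action> <proto> <src> <sport> <dir> <dst> <dport> (<options>)
RULE_RE = re.compile(
    r"^\s*(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+(->|<>)\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")


def parse_ruletypes(conf_text):
    """Collect ruletype blocks into {name: {"type": base, "outputs": [...]}}.

    Assumption of this checker: the base 'type' must be one of the five
    default actions, since a ruletype only changes where output goes.
    """
    types = {}
    for m in RULETYPE_RE.finditer(conf_text):
        name, body = m.group(1), m.group(2)
        base, outputs = None, []
        for line in body.splitlines():
            key, _, rest = line.strip().partition(" ")
            if key == "type":
                base = rest.strip()
            elif key == "output":
                outputs.append(rest.strip())
        if base not in DEFAULT_ACTIONS:
            raise ValueError(f"ruletype {name}: base type {base!r} is not a default action")
        types[name] = {"type": base, "outputs": outputs}
    return types


def check_action(action, custom_types, inline_mode):
    """Classify a rule's action as "default", "inline", "custom", or an error string."""
    if action in DEFAULT_ACTIONS:
        return "default"
    if action in INLINE_ACTIONS:
        return "inline" if inline_mode else f"error: {action} requires inline mode"
    if action in custom_types:
        return "custom"
    return f"error: unknown action {action!r}"


def check_rules(rules_text, custom_types, inline_mode=False):
    """Return [(sid, action, verdict)] for every non-comment rule line."""
    results = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            results.append((None, None, f"error: cannot parse rule: {line[:40]}"))
            continue
        action, options = m.group(1), m.group(8)
        sid_m = re.search(r"\bsid\s*:\s*(\d+)", options)
        sid = int(sid_m.group(1)) if sid_m else None
        results.append((sid, action, check_action(action, custom_types, inline_mode)))
    return results


# Constructed sample: the two ruletype blocks from the manual plus four made-up rules.
SAMPLE_CONF = """
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}

ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output log_tcpdump: suspicious.log
}
"""

SAMPLE_RULES = """
# constructed rules; sids in the local (1000000+) range
alert tcp any any -> 192.168.1.0/24 111 (msg:"constructed: portmap probe"; sid:1000001;)
suspicious tcp any any -> 192.168.1.0/24 23 (msg:"constructed: telnet"; sid:1000002;)
drop tcp any any -> 192.168.1.0/24 445 (msg:"constructed: smb"; sid:1000003;)
warn tcp any any -> any any (msg:"constructed: typo in action"; sid:1000004;)
"""

if __name__ == "__main__":
    types = parse_ruletypes(SAMPLE_CONF)
    for sid, action, verdict in check_rules(SAMPLE_RULES, types, inline_mode=False):
        print(sid, action, verdict)
```

Run with `inline_mode=False` the third rule is flagged because drop is only available inline, and the fourth is flagged because `warn` is neither a default action nor a declared ruletype; passing `inline_mode=True` accepts the drop rule. This is the kind of pre-deployment check that catches a rule silently failing to load because its action name is misspelled or its ruletype block is missing.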


Eugene Misnik 2013-05-08