| Keyword | Description |
| logto |
The logto keyword tells Snort to log all packets that trigger this rule to a special output log file. |
| session |
The session keyword is built to extract user data from TCP Sessions. |
| resp |
The resp keyword is used attempt to close sessions when an alert is triggered. |
| react |
This keyword implements an ability for users to react to traffic that matches a Snort rule by closing connection and sending a notice. |
| tag |
The tag keyword allow rules to log more than just the single packet that triggered the rule. |
| activates |
This keyword allows the rule writer to specify a rule to add when a specific network event occurs. |
| activated_by |
This keyword allows the rule writer to dynamically enable a rule when a specific activate rule is triggered. |
| count |
This keyword must be used in combination with the activated_by keyword. It allows the rule writer to specify how many packets to leave the rule enabled for after it is activated. |
| replace |
Replace the prior matching content with the given string of the same length. Available in inline mode only. |
| detection_filter |
Track by source or destination IP address and if the rule otherwise matches more than the configured rate it will fire. |