Rule actions tell Snort how to handle matching packets. There are five basic actions:
alert -> generate an alert on the current packet
block -> block the current packet and all the subsequent packets in this flow
drop -> drop the current packet
log -> log the current packet
pass -> mark the current packet as passed
There are also what are known as "active responses" that perform some action in response to the packet being detected:
react -> send response to client and terminate session
reject -> terminate session with TCP reset or ICMP unreachable
rewrite -> enables overwriting packet contents based on a "replace" option in the rules
The desired action for a given rule is the very first thing declared in a rule.
alert http (msg:"Generate an alert"; sid:1;)
drop http (msg:"Drop this packet"; sid:2;)
block http (msg:"Block this packet and subsequent ones"; sid:3;)
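
Because the action is always the first token of a rule, a ruleset can be audited for what each rule will do before it is loaded. The following Python sketch is an added example, not part of the Snort documentation or code base: it lists the action per sid, flags action names that are not among the eight listed above, and returns the sids whose action blocks, terminates or rewrites traffic. The function names, the sample rules with sids 4 and 5, and the assumption that a rule ends at a line closing with ")" are all constructed for illustration.

```python
import re
# Action names exactly as listed on this page.
BASIC = {"alert", "block", "drop", "log", "pass"}
ACTIVE = {"react", "reject", "rewrite"}
# Per the descriptions above, these block, terminate or modify traffic.
INTRUSIVE = {"block", "drop", "react", "reject", "rewrite"}

# Constructed sample ruleset; sids 4 and 5 are made up for this example.
SAMPLE_RULES = '''\
# local rules
alert http (msg:"Generate an alert"; sid:1;)
drop http (msg:"Drop this packet"; sid:2;)
block http (msg:"Block this packet and subsequent ones"; sid:3;)
reject tcp any any -> any 23
(
    msg:"Constructed multi-line rule";
    sid:4;
)
alrt http (msg:"Constructed rule with a misspelled action"; sid:5;)
'''
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def iter_rules(text):
    """Yield one string per rule, joining rules that span several lines."""
    buf = []
    for line in (l.strip() for l in text.splitlines()):
        if not buf and (not line or line.startswith("#")):
            continue  # blank line or comment between rules
        buf.append(line)
        if line.endswith(")"):  # assumption: a rule ends at a closing paren
            yield " ".join(buf)
            buf = []

def audit_actions(text):
    """Return (sid, action, kind) per rule; the action is the first token."""
    out = []
    for rule in iter_rules(text):
        action = rule.split(None, 1)[0]
        kind = ("basic" if action in BASIC else
                "active-response" if action in ACTIVE else "unknown")
        m = SID_RE.search(rule)
        out.append((int(m.group(1)) if m else None, action, kind))
    return out

def intrusive_sids(results):
    """sids whose action does more than alert, log or pass."""
    return [sid for sid, action, _ in results if action in INTRUSIVE]

if __name__ == "__main__":
    print(*audit_actions(SAMPLE_RULES), sep="\n")
```

Rules reported as "unknown" are worth checking for a misspelled action before the ruleset is deployed.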