Rule Actions

Rule actions tell Snort how to handle matching packets. There are five basic actions:

  • alert -> generate an alert on the current packet
  • block -> block the current packet and all the subsequent packets in this flow
  • drop -> drop the current packet
  • log -> log the current packet
  • pass -> mark the current packet as passed

There are also what are known as "active responses" that perform some action in response to the packet being detected:

  • react -> send response to client and terminate session.
  • reject -> terminate session with TCP reset or ICMP unreachable
  • rewrite -> enables overwrite packet contents based on a "replace" option in the rules

The desired action for a given rule is the very first thing declared in a rule.


alert http (msg:"Generate an alert"; sid:1;)
drop http (msg:"Drop this packet"; sid:2;)
block http (msg:"Block this packet and subsequent ones"; sid:3;)