Snort - the de facto standard for intrusion detection/prevention


Rule Actions

The rule header contains the information that defines the who, where, and what of a packet, as well as what to do in the event that a packet with all the attributes indicated in the rule shows up. The first item in a rule is the rule action. The rule action tells Snort what to do when it finds a packet that matches the rule criteria. There are 5 available default actions in Snort: alert, log, pass, activate, and dynamic. In addition, if you are running Snort in inline mode, you have the additional options drop, reject, and sdrop.

  1. alert - generate an alert using the selected alert method, and then log the packet
  2. log - log the packet
  3. pass - ignore the packet
  4. activate - alert and then turn on another dynamic rule
  5. dynamic - remain idle until activated by an activate rule, then act as a log rule
  6. drop - make iptables drop the packet and log the packet
  7. reject - make iptables drop the packet, log it, and then send a TCP reset if the protocol is TCP or an ICMP port unreachable message if the protocol is UDP
  8. sdrop - make iptables drop the packet but do not log it

You can also define your own rule types and associate one or more output plugins with them. You can then use the rule types as actions in Snort rules.

This example will create a type that will log to just tcpdump:

ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}

This example will create a rule type that will log to syslog and a MySQL database:

ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}
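As an added example (not code from the Snort manual or the Snort project), a small Python checker that parses ruletype blocks like the two above out of a configuration and resolves the action word at the start of each rule to its base type, rejecting actions that Snort only accepts in inline mode. The regex, function names and the sample configuration are assumptions made for this example.

```python
import re

# Rule actions listed in the Snort manual; the second set needs inline mode.
DEFAULT_ACTIONS = {"alert", "log", "pass", "activate", "dynamic"}
INLINE_ACTIONS = {"drop", "reject", "sdrop"}
RULETYPE_RE = re.compile(r"^\s*ruletype\s+(\w+)\s*\{(.*?)\}", re.S | re.M)  # one block


def parse_ruletypes(config_text):
    """Map each custom ruletype name to its base action and output plugins."""
    ruletypes = {}
    for name, body in RULETYPE_RE.findall(config_text):
        base, outputs = None, []
        for line in body.splitlines():
            line = line.strip()
            if line.startswith("type "):
                base = line.split(None, 1)[1].strip()
            elif line.startswith("output "):
                outputs.append(line.split(None, 1)[1].strip())
        if base not in DEFAULT_ACTIONS | INLINE_ACTIONS:
            raise ValueError(f"ruletype {name}: unknown base type {base!r}")
        ruletypes[name] = {"type": base, "outputs": outputs}
    return ruletypes


def resolve_action(rule_text, ruletypes, inline=False):
    """Return the effective base action of a rule: custom ruletypes resolve to
    their declared type; inline-only actions are rejected unless inline=True."""
    action = rule_text.strip().split()[0]  # the action is the first header token
    if action in ruletypes:
        return ruletypes[action]["type"]
    if action in DEFAULT_ACTIONS or (action in INLINE_ACTIONS and inline):
        return action
    raise ValueError(f"action {action!r} is unknown or requires inline mode")


# Constructed sample snort.conf fragment reusing the two ruletype blocks above.
SAMPLE_CONF = """
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
ruletype redalert
{
    type alert
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}
"""
```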


Steven Sturges 2007-10-04