I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by plugins. However, I would like to have a list of known actions to lookup against in order to throw warnings to users.
Currently, I know of the following snort actions:
alert
log
pass
activate
dynamic
drop
sdrop
reject
Are there any other custom actions that you use or know of?
Best Answer
Custom actions are defined by ruletype declarations in snort.conf; these custom actions can then be used in your rules. From the default snort.conf:
Because ruletypes can be completely arbitrary, it makes more sense to parse the snort.conf file for any ruletypes defined first and then use that in your rule parser's action hash or whatever to match against.
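As an added example of the approach the answer recommends (this is illustrative code written for this page, not Snort's own parser or anything from the original post): read snort.conf first, collect every ruletype name, union it with the built-in actions listed in the question, and only then validate the action keyword of each rule. The snort.conf fragment and the rules below are constructed for the example; the ruletype names `suspicious` and `redalert` are assumptions, not the shipped defaults. The helper ignores `include` directives, so a real parser would have to follow those too.

```python
import re

# Built-in actions from the question's list (Snort 2.x manual lists the same set).
BUILTIN_ACTIONS = frozenset(
    {"alert", "log", "pass", "activate", "dynamic", "drop", "sdrop", "reject"}
)

# ruletype NAME { ... } -- the brace may sit on the same line or the next one.
_RULETYPE_RE = re.compile(
    r"^[ \t]*ruletype[ \t]+(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*\{(?P<body>.*?)\}",
    re.MULTILINE | re.DOTALL,
)

# First token of a rule line is its action keyword.
_RULE_ACTION_RE = re.compile(r"^\s*(?P<action>[A-Za-z_][A-Za-z0-9_]*)\s+")


def _strip_comments(text):
    """snort.conf comments run from '#' to end of line; drop them first so a
    commented-out ruletype block is not picked up."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def parse_ruletypes(conf_text):
    """Return {name: {"type": base action or None, "output": [plugin specs]}}
    for every ruletype block declared in the given snort.conf text."""
    types = {}
    for m in _RULETYPE_RE.finditer(_strip_comments(conf_text)):
        base, outputs = None, []
        for stmt in m.group("body").splitlines():
            parts = stmt.split(None, 1)
            if not parts:
                continue
            key, rest = parts[0], (parts[1].strip() if len(parts) > 1 else "")
            if key == "type":
                base = rest
            elif key == "output":
                outputs.append(rest)
        types[m.group("name")] = {"type": base, "output": outputs}
    return types


def known_actions(conf_text):
    """Built-in actions plus every ruletype name declared in snort.conf."""
    return BUILTIN_ACTIONS | set(parse_ruletypes(conf_text))


def check_rule_action(rule, actions):
    """Return None when the rule's action keyword is known, else a warning."""
    m = _RULE_ACTION_RE.match(rule)
    if not m:
        return "could not find an action keyword in rule: %r" % rule
    action = m.group("action")
    if action in actions:
        return None
    return "unknown action %r (not built in and no ruletype declares it)" % action


def warnings_for(rules, conf_text):
    """Validate a list of rule lines against actions derived from conf_text."""
    actions = known_actions(conf_text)
    return [w for w in (check_rule_action(r, actions) for r in rules) if w]


# Constructed snort.conf fragment for the example (not the shipped default).
SAMPLE_CONF = """\
# constructed snort.conf fragment
var HOME_NET 192.168.1.0/24
ruletype suspicious
{
    type log
    output log_tcpdump: suspicious.log
}
ruletype redalert {
    type alert   # base action the custom type builds on
    output alert_syslog: LOG_AUTH LOG_ALERT
    output database: log, mysql, user=snort dbname=snort host=localhost
}
# ruletype commented_out { type log }
"""

# Constructed rules: built-in action, custom ruletype, and an undeclared one.
SAMPLE_RULES = [
    'alert tcp any any -> $HOME_NET 22 (msg:"ssh"; sid:1000001; rev:1;)',
    'suspicious tcp any any -> $HOME_NET 23 (msg:"telnet"; sid:1000002; rev:1;)',
    'block tcp any any -> $HOME_NET 445 (msg:"smb"; sid:1000003; rev:1;)',
]

if __name__ == "__main__":
    for name, info in parse_ruletypes(SAMPLE_CONF).items():
        print("ruletype %-12s type=%-6s outputs=%s" % (name, info["type"], info["output"]))
    for w in warnings_for(SAMPLE_RULES, SAMPLE_CONF):
        print("WARNING:", w)
```

Only the third sample rule produces a warning: `block` is neither in the built-in list nor declared as a ruletype in the fragment, while `suspicious` is accepted because the conf declares it.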