1

I'm writing a strict snort rule parser and I would like to accommodate snort rules from popular plugins. The documentation specifies that any action/type is possible because they can be defined by plugins. However, I would like to have a list of known actions to look up against in order to throw warnings to users.

Currently, I know of the following snort actions:

alert
log
pass
activate
dynamic
drop
sdrop
reject

Are there any other custom actions that you use or know of?

chmeee
Elijah

3 Answers

2

Custom actions are defined by ruletype declarations in snort.conf; these custom actions can then be used in your rules. From the default snort.conf:

# You can optionally define new rule types and associate one or more output
# plugins specifically to that type.
#
# This example will create a type that will log to just tcpdump.
# ruletype suspicious
# {
#   type log
#   output log_tcpdump: suspicious.log
# }
#
# EXAMPLE RULE FOR SUSPICIOUS RULETYPE:
# suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server";)

Because ruletypes can be completely arbitrary, it makes more sense to parse the snort.conf file for any ruletypes defined first and then use that in your rule parser's action hash or whatever to match against.

gravyface
1

This may be a good starting point. I don't believe these are the default.

http://cvs.snort.org/viewcvs.cgi/snort/rules/

Brian Webster
0

block and sblock were added in 2.9.0.5 (or thereabouts). See the manual for specifics. They're essentially mirrors for drop and sdrop.

Kumba
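Putting the first answer (parse the ruletype declarations out of snort.conf before validating rules) together with the last one (block and sblock exist as well), here is an added example of the action lookup the question asks for; it is not code from the question, the answers or Snort itself. It reads uncommented ruletype names from a snort.conf, merges them with the built-in actions, and reports every rule whose action is unknown. The configuration and rules snippets are constructed, and tolerating a '{' on the ruletype line itself is an assumption.

```python
import re
# Built-in actions from the question, plus block/sblock (added around 2.9.0.5)
BUILTIN_ACTIONS = frozenset({"alert", "log", "pass", "activate", "dynamic",
                             "drop", "sdrop", "reject", "block", "sblock"})
# Uncommented "ruletype <name>" declaration. Snort puts the '{' on the next
# line; tolerating it on the same line is an assumption made for leniency.
RULETYPE_RE = re.compile(r"^\s*ruletype\s+([^\s{]+)\s*\{?\s*$")

def parse_ruletypes(conf_text):
    """Custom action names declared by ruletype blocks in a snort.conf."""
    names = set()
    for line in conf_text.splitlines():
        m = RULETYPE_RE.match(line)  # '#'-commented declarations never match
        if m:
            names.add(m.group(1))
    return names

def known_actions(conf_text):
    """Built-in actions merged with the custom ones from this snort.conf."""
    return BUILTIN_ACTIONS | parse_ruletypes(conf_text)

def find_unknown_actions(rules_text, actions):
    """Return [(line_number, action)] for each rule whose action is unknown."""
    unknown = []
    for lineno, line in enumerate(rules_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank line or comment, not a rule
        action = stripped.split(None, 1)[0]
        if action not in actions:
            unknown.append((lineno, action))
    return unknown
# Constructed snort.conf fragment: the example from the default file stays
# commented out (so "suspicious" is NOT defined) beside one live declaration.
SAMPLE_CONF = """\
# ruletype suspicious
ruletype redalert
{
  type alert
  output alert_syslog: LOG_AUTH LOG_ALERT
}
"""
# Constructed rules file; line 3 uses the action that is only a comment above.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH connection"; sid:1000001;)
redalert tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"; sid:1000002;)
suspicious tcp $HOME_NET any -> $HOME_NET 6667 (msg:"Internal IRC Server"; sid:1000003;)
sblock tcp any any -> any 23 (msg:"Telnet"; sid:1000004;)
"""
```

Calling `find_unknown_actions(SAMPLE_RULES, known_actions(SAMPLE_CONF))` returns `[(3, "suspicious")]`, which is exactly the warning a strict parser should raise: the action is only mentioned in a comment, not declared.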