Ubuntu 18.04 snort protection

0

Recently I installed Snort on my Ubuntu 18.04 server and also wrote some rules in local.rules. It perfectly detects my rules, like ping, simple DoS attacks, etc.

I have 4 questions:

  1. How can I block a specific IP address in Snort detection rules? (For example, in DoS detection rules.)

  2. Does Snort store any data about detections, like IPs, contents, etc., in some database? With apt-get install snort, MySQL has been installed too.

  3. Is it possible to run a script on alert?

  4. When I used the reject action and started Snort in console mode, I got a "connection refused" error on ssh, and can't log in to ssh anymore until I restart the server. The rule is:

reject tcp any any -> $HOME_NET any (msg:"simple dos attack"; threshold:type both, count 50 , seconds 5 , track by_dst ; sid:1000001 )

Mehdi bmp

Posted 2019-05-30T22:20:55.853

Reputation: 101

No answers