doc/userguide: list valid rule actions

author Victor Julien <victor@inliniac.net>

Sat, 13 Jun 2020 21:35:40 +0000 (23:35 +0200)

committer Victor Julien <victor@inliniac.net>

Sun, 28 Jun 2020 13:20:56 +0000 (15:20 +0200)
author Victor Julien <victor@inliniac.net>
Sat, 13 Jun 2020 21:35:40 +0000 (23:35 +0200)
committer Victor Julien <victor@inliniac.net>
Sun, 28 Jun 2020 13:20:56 +0000 (15:20 +0200)
diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst

index fe6cdbcd800418487f8bbd5938e317a00d667891..ef400546649ee2d273479613ad472a09777506e6 100644 (file)
--- a/doc/userguide/rules/intro.rst
+++ b/doc/userguide/rules/intro.rst
@@ -44,6 +44,18 @@ Action
  
      :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;)
  
+Valid actions are:
+
+* alert - generate an alert
+* pass - stop further inspection of the packet
+* drop - drop packet and generate alert
+* reject - send RST/ICMP unreach error to the sender of the matching packet.
+* rejectsrc - same as just `reject`
+* rejectdst - send RST/ICMP error packet to receiver of the matching packet.
+* rejectboth - send RST/ICMP error packets to both sides of the coversation.
+
+.. note:: In IPS mode, using any of the `reject` actions also enables `drop`.
+
  For more information see :ref:`suricata-yaml-action-order`.
author	Victor Julien <victor@inliniac.net>
	Sat, 13 Jun 2020 21:35:40 +0000 (23:35 +0200)
committer	Victor Julien <victor@inliniac.net>
	Sun, 28 Jun 2020 13:20:56 +0000 (15:20 +0200)