From: Victor Julien Date: Sat, 13 Jun 2020 21:35:40 +0000 (+0200) Subject: doc/userguide: list valid rule actions X-Git-Tag: suricata-6.0.0-beta1~306 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e6330c354dcb1293233e31867ce554d4cdcc981e;p=thirdparty%2Fsuricata.git doc/userguide: list valid rule actions --- diff --git a/doc/userguide/rules/intro.rst b/doc/userguide/rules/intro.rst index fe6cdbcd80..ef40054664 100644 --- a/doc/userguide/rules/intro.rst +++ b/doc/userguide/rules/intro.rst @@ -44,6 +44,18 @@ Action :example-rule-emphasis:`drop` tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Likely Bot Nick in IRC (USA +..)"; flow:established,to_server; flowbits:isset,is_proto_irc; content:"NICK "; pcre:"/NICK .*USA.*[0-9]{3,}/i"; reference:url,doc.emergingthreats.net/2008124; classtype:trojan-activity; sid:2008124; rev:2;) +Valid actions are: + +* alert - generate an alert +* pass - stop further inspection of the packet +* drop - drop packet and generate alert +* reject - send RST/ICMP unreach error to the sender of the matching packet. +* rejectsrc - same as just `reject` +* rejectdst - send RST/ICMP error packet to receiver of the matching packet. +* rejectboth - send RST/ICMP error packets to both sides of the coversation. + +.. note:: In IPS mode, using any of the `reject` actions also enables `drop`. + For more information see :ref:`suricata-yaml-action-order`.
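Review bot: In the added `rejectboth` bullet, "coversation" is a typo for "conversation". In the same list and in the note, `reject` and `drop` are wrapped in single backticks, which reStructuredText treats as interpreted text with the default role rather than as an inline literal; use double backticks (``reject``, ``drop``) so they render as code. The bullets are also inconsistent: the `reject`, `rejectdst` and `rejectboth` entries end with a period while `alert`, `pass`, `drop` and `rejectsrc` do not, and the error is called "RST/ICMP unreach error" in one entry and "RST/ICMP error" in the others. Pick one form for each. Finally, the note says the `reject` actions also enable `drop` in IPS mode, but the list does not say whether the `reject` variants generate an alert the way the `drop` entry does; a few words on each `reject` entry would make the list self-contained.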