Snort, Firewall and IDS Logs. What actions are taken after a match is found?

Firewalls and Intrusion Detection Systems (IDS) are often deployed to partially automate the traffic monitoring task. Both firewalls and IDSs match incoming traffic against administrative rules. Firewalls usually compare the packet header against a rule set while IDSs often use the packet payload for rule set comparison. Because firewalls and IDSs apply the pre-defined rules to different portions of the IP packet, IDS and firewall rules have different structures. While there is a difference in rule structure, some similarities between the components of the rules remain. For example, both firewall and IDS rules contain matching components and action components.
What actions are taken after a match is found?


Both firewall and IDS rules are built from the same two parts, and it is the second part that determines what happens once a match is found:

- Matching component: specifies the packet elements of interest, such as the packet source; the packet destination; the transport layer protocol and ports; and data included in the packet payload.
- Action component: specifies what should be done with a packet that satisfies the matching component, such as accept and forward the packet; drop the packet; or send the packet to a secondary rule set for further inspection.
A common firewall design is to drop packets by default and explicitly specify only the traffic that should be allowed. Known as drop-by-default (or default deny), this design has the advantage of protecting the network from unknown protocols and attacks. As part of this design, it is common to log dropped packets, since they were not explicitly allowed and therefore violate the organization's policy; such events should be recorded for later analysis.
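The rule structure and the three actions described above, as an added example that is not part of the original answer or of any real firewall or IDS product: a toy rule engine whose rules carry a matching component (source, destination, protocol, destination port and an optional payload content string) and an action component (accept, drop, or jump to a secondary rule set). The base rule set drops by default, and every dropped packet is logged with the rule or policy that dropped it. The rule syntax, chain names (INPUT, WEB), log line format and the sample packets are all constructed for this example; the addresses come from the documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Packet:
    """Fields the matching component can inspect: header plus payload."""
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    dport: int
    payload: bytes = b""  # empty for a header-only (firewall-style) decision


@dataclass
class Rule:
    """Matching component (src/dst/proto/dport/content) + action component.

    Toy syntax invented for this example, not Snort or iptables syntax.
    """
    action: str                      # "ACCEPT", "DROP" or "JUMP:<chain>"
    src: str = "any"                 # CIDR or single address, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None      # None = any port
    content: Optional[bytes] = None  # IDS-style payload substring; None = header only

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.content is not None and self.content not in pkt.payload:
            return False
        return True


class RuleEngine:
    """Evaluates chains of rules; drop-by-default on the base chain, logs drops."""

    def __init__(self, chains: Dict[str, List[Rule]], default_action: str = "DROP"):
        self.chains = chains
        self.default_action = default_action
        self.log: List[str] = []

    def _walk(self, pkt: Packet, chain: str) -> Optional[Tuple[str, str]]:
        """First matching rule wins; a JUMP consults a secondary rule set."""
        for i, rule in enumerate(self.chains[chain]):
            if not rule.matches(pkt):
                continue
            if rule.action.startswith("JUMP:"):
                verdict = self._walk(pkt, rule.action[len("JUMP:"):])
                if verdict is not None:
                    return verdict
                continue  # secondary set made no decision; keep walking this chain
            return rule.action, f"{chain}#{i}"
        return None

    def evaluate(self, pkt: Packet) -> str:
        verdict = self._walk(pkt, "INPUT")
        if verdict is None:                      # nothing explicitly allowed it
            verdict = (self.default_action, "policy")
        action, reason = verdict
        if action == "DROP":                     # record only what was not allowed
            self.log.append(
                f"DROP src={pkt.src} dst={pkt.dst} proto={pkt.proto} dport={pkt.dport} reason={reason}"
            )
        return action


# Constructed rule sets: SSH only from the internal /8, HTTP handed to a payload
# inspection chain, DNS allowed; everything else falls through to policy DROP.
CHAINS = {
    "INPUT": [
        Rule("ACCEPT", src="10.0.0.0/8", proto="tcp", dport=22),
        Rule("JUMP:WEB", proto="tcp", dport=80),
        Rule("ACCEPT", proto="udp", dport=53),
    ],
    "WEB": [
        Rule("DROP", content=b"../"),   # payload match: directory traversal attempt
        Rule("ACCEPT"),                 # otherwise let the web request through
    ],
}

# Constructed sample traffic (documentation address ranges).
SAMPLE_PACKETS = [
    Packet("10.0.0.5", "192.0.2.10", "tcp", 22),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 80, b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 23),
]


def run(packets: List[Packet] = SAMPLE_PACKETS) -> Tuple[List[str], List[str]]:
    """Return the per-packet verdicts and the drop log."""
    engine = RuleEngine(CHAINS)
    verdicts = [engine.evaluate(p) for p in packets]
    return verdicts, engine.log


if __name__ == "__main__":
    verdicts, log = run()
    for p, v in zip(SAMPLE_PACKETS, verdicts):
        print(f"{v:6} {p.src} -> {p.dst}:{p.dport}/{p.proto}")
    print("\n".join(log))
```

Two of the five sample packets are dropped by the default policy rather than by a rule, and the log's reason field makes that distinction visible; in a real deployment that field is what separates "a rule we wrote fired" from "traffic nobody anticipated", which is exactly the class of events the drop-by-default design wants reviewed.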

Computer Science & Information Technology
