Snort: How to block suspicious Traffic?

Snort comes by default (Debian) with a bunch of Rules. The are all configured as „Alert“. When I want to block suspicious traffic (IPS-Mode), do I need to change all Rules from Alert to Block or is there another mechanism?

What is best practice?

According to documentation: https://www.snort.org/faq/readme-filters You can set filters.

detection_filter is a new rule option that replaces the current threshold keyword in a rule. It defines a rate which must be exceeded by a source or destination host before a rule can generate an event.

rate_filter provides rate based attack prevention by allowing users to configure a new action to take for a specified time when a given rate is exceeded.

event_filter is a standalone command which replaces 'threshold', which is now obsolete. event_filters reduce the amount of data logged.

Using snort locally installed on your production server is not a good idea. since in case of an attack, it uses the resources of your local server to protect the service, and this causes the resource overload and the service itself goes down.

it's a good idea to separate this type of service(IDP(Intrusion-Detection_Prevention)) from your production servers.

Another suggestion is to use pfSense instead. Pfsense is a BSD-based (FreeBSD) firewall with Snort and many other components enabled on it with a great nice and clean GUI. Although I'm a great fan of command-line, but in some cases, especially attacks, ease of use is a plus point.