You want to block an attack in real time.
There are two possible solutions. If you wish to terminate a particular connection, you should use the session termination as described in the Recipe 2.27 recipe. If, however, you wish to prevent the attacker from trying again, you should use the inline IDS described in the Recipe 7.4 recipe.
Active response, or intrusion prevention, varies in popularity. You should seriously consider the potential implications of its use, as it can be turned against you to produce a denial of service attack.
A malicious attacker can easily spoof an attack from what would normally be a legitimate IP addressfor example, that of a regular customer. This would then be automatically excluded by the firewall, cutting off the legitimate user. This feature, while potentially very useful, can also be very dangerous. Please use with care.
Beale, Jay. Snort 2.1 Intrusion Detection. Rockland, MA: Syngress, 2004.
Installing Snort from Source on Unix
Logging to a File Quickly
How to Build Rules
Detecting Stateless Attacks and Stream Reassembly
Managing Snort Sensors
Generating Statistical Output from Snort Logs
Monitoring Network Performance