How to effectively block all traffic which matches priority/severity level 1?

Hi,
I have enabled many sources via suricata-update (which get updates via cron.weekly).
And now I want to block inbound and outbound traffic which matches severity level 1.

Could be something like, for each classtype:

sed '/classtype:policy-violation/s/^alert/drop/g' \
  /var/lib/suricata/rules/suricata.rules \
  > /var/lib/suricata/rules/custom.rules

Is there a direct way via config file to drop such traffic?
Where to find information about classtype - priority/severity relations?

Web-viewer: evebox
Suricata version: 7.0.0
OS: Debian GNU/Linux 12 (bookworm)
Installed from backports packages.
IPS/inline mode using nftables.

UPD
I’ve replaced it with:

sed -e '/signature_severity Major/s/^alert/drop/g' \
  /var/lib/suricata/rules/suricata.rules \
  > /var/lib/suricata/rules/custom.rules

But still, not all rules have signature_severity.

For the signature_severity, as this is rule metadata, you can do rule metadata matching in your drop.conf:

https://suricata-update.readthedocs.io/en/latest/update.html#metadata-matching

For classtype, at this time you’d have to use regular expressions in your drop.conf.
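As an added example (not code from the thread, from Suricata or from suricata-update): the script below does in one place what the two sed one-liners above attempt, and what the reply describes drop.conf doing for metadata and classtype. It parses each rule line, switches the action from alert to drop when the rule's classtype is in a chosen set or when its signature_severity metadata matches, leaves commented-out (disabled) rules untouched so a disabled rule never becomes an active drop, and reports which SIDs carry no signature_severity at all, which is the gap noted in the UPD post. The sample rules and their SIDs are constructed for the example; the set names and function names are my own.

```python
import re
import sys
from typing import Iterable

# Constructed sample rules in Suricata syntax (not from the page or any real ruleset).
SAMPLE_RULES = """\
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"EXAMPLE policy violation"; flow:established,to_server; classtype:policy-violation; sid:9000001; rev:1; metadata:signature_severity Major, former_category POLICY;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"EXAMPLE informational"; classtype:misc-activity; sid:9000002; rev:1; metadata:signature_severity Informational;)
# alert tcp any any -> any any (msg:"EXAMPLE disabled"; classtype:policy-violation; sid:9000003; rev:1;)
alert dns any any -> any any (msg:"EXAMPLE no severity metadata"; classtype:trojan-activity; sid:9000004; rev:1;)
"""

ACTION_RE = re.compile(r"^(alert|drop|pass|reject|rejectsrc|rejectdst|rejectboth)\s")
CLASSTYPE_RE = re.compile(r"classtype:\s*([\w-]+)\s*;")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
METADATA_RE = re.compile(r"metadata:\s*([^;]*);")


def parse_rule(line: str):
    """Return a dict describing an active rule line, or None for blank/comment lines.

    Disabled rules (leading '#') are deliberately skipped so a disabled rule
    is never rewritten into an active drop rule.
    """
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m = ACTION_RE.match(stripped)
    if not m:
        return None
    sid = SID_RE.search(stripped)
    ct = CLASSTYPE_RE.search(stripped)
    metadata = {}
    for block in METADATA_RE.findall(stripped):
        # metadata is a comma-separated list of "key value" pairs
        for item in block.split(","):
            parts = item.strip().split(None, 1)
            if len(parts) == 2:
                metadata[parts[0]] = parts[1]
    return {
        "action": m.group(1),
        "sid": int(sid.group(1)) if sid else None,
        "classtype": ct.group(1) if ct else None,
        "metadata": metadata,
    }


def should_drop(rule, classtypes: Iterable[str], severities: Iterable[str]) -> bool:
    """Match on classtype, or on the signature_severity metadata key."""
    if rule["classtype"] in set(classtypes):
        return True
    return rule["metadata"].get("signature_severity") in set(severities)


def convert_rules(text: str, classtypes=(), severities=()):
    """Rewrite matching 'alert' rules to 'drop'.

    Returns (new_text, dropped_sids, sids_without_severity) so the operator can
    review what changed and which rules carry no signature_severity metadata.
    """
    out_lines, dropped, no_severity = [], [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            out_lines.append(line)
            continue
        if "signature_severity" not in rule["metadata"]:
            no_severity.append(rule["sid"])
        if rule["action"] == "alert" and should_drop(rule, classtypes, severities):
            # Only the leading action keyword changes; the rest of the rule is kept verbatim.
            line = "drop" + line.lstrip()[len("alert"):]
            dropped.append(rule["sid"])
        out_lines.append(line)
    return "\n".join(out_lines) + "\n", dropped, no_severity


if __name__ == "__main__":
    # Usage: python convert_rules.py [/path/to/suricata.rules] > custom.rules
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    new_text, dropped, missing = convert_rules(
        src, classtypes={"policy-violation"}, severities={"Major"})
    sys.stdout.write(new_text)
    print("# converted to drop:", dropped, file=sys.stderr)
    print("# no signature_severity metadata:", missing, file=sys.stderr)
```

The rewritten file is printed to stdout and the summary goes to stderr, so the output can be redirected to a rules file and then checked with `suricata -T` before it is loaded in inline mode. Rules that the summary lists as having no signature_severity are the ones a metadata-only match would silently leave as alert, which is why the classtype set is matched as well.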

Great! Thanks. Didn’t know about it.

I was only reading the manual page, suricata-update(1).
There is no information about https://suricata-update.readthedocs.io/.
It would be nice if that link were there.

Finally, I’ve found how that manpage was created for Debian dist:

  1. https://salsa.debian.org/pkg-suricata-team/pkg-suricata-update/-/blob/master/debian/rules
  2. then via help2man, which appends --help to the program, so it becomes suricata-update --help

For groff(7) output (which help2man produces), the URL should probably be placed within the .UR and .UE macros; see groff_man(7).
If it is entirely rewritten in mdoc(7), then the .Lk macro needs to be used.

Heh, I was about to ask, “there’s a man page for suricata-update?”

@satta Do you maintain that? Could a link be added to the online docs?

Done. See commit 85ddc599 ("include link to online documentation in manpage") in the pkg-suricata-update packaging repository on GitLab.

The manpage now includes a link:
