I have enabled many sources via suricata-update (which get updates via cron.weekly).
And now I want to block inbound and outbound traffic which matches severity level 1.
It could be something like, for each classtype:
sed '/classtype:policy-violation/s/^alert/drop/g' \
Is there a direct way via a config file to drop such traffic?
Where can I find information about the classtype - priority/severity relations?
Suricata version: 7.0.0
OS: Debian GNU/Linux 12 (bookworm)
Installed from backports packages.
IPS/inline mode using nftables.
I’ve replaced it with:
sed -e '/signature_severity Major/s/^alert/drop/g' \
But still, not all rules have
signature_severity, as this is rule metadata, you can do rule metadata matching in your
classtype, at this time you’d have to use regular expressions in your
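A worked version of the approach the reply above points to (regular expressions for classtype, metadata matching for signature_severity), written as an added example for this thread rather than taken from any post or from Suricata's own tooling. It is a POSIX shell script built around the same sed idea as the commands earlier in the thread; the rules it transforms are constructed on the spot, and their SIDs and messages are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: rewrite Suricata rules from "alert"
# to "drop" for a chosen classtype or signature_severity value.
# The rules below are constructed for the demo; SIDs 9000001-9000004 and
# the messages are placeholders, not real signatures.

SAMPLE_RULES='alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"DEMO policy rule"; classtype:policy-violation; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"DEMO major severity"; classtype:trojan-activity; metadata:signature_severity Major, created_at 2024_01_01; sid:9000002; rev:1;)
alert dns any any -> any any (msg:"DEMO informational"; classtype:not-suspicious; metadata:signature_severity Informational; sid:9000003; rev:1;)
# comment lines and already-dropped rules pass through unchanged
drop tcp any any -> any any (msg:"DEMO already drop"; classtype:policy-violation; sid:9000004; rev:1;)'

# alert_to_drop PATTERN
#   Reads rules on stdin and writes them on stdout. Only lines that start
#   with "alert" AND contain PATTERN (a sed basic regular expression, no "/")
#   have their action changed to "drop". The "^" anchor makes a "g" flag
#   unnecessary, and the trailing space keeps "alert" from matching inside
#   a msg string.
alert_to_drop() {
    sed -e "/$1/s/^alert /drop /"
}

# by_classtype CLASSTYPE: drop every alert rule carrying that classtype.
# Matching "classtype:NAME;" as a unit avoids partial matches, e.g.
# "policy-violation" also hitting a hypothetical "policy-violation-2".
by_classtype() {
    printf '%s\n' "$SAMPLE_RULES" | alert_to_drop "classtype:$1;"
}

# by_severity LEVEL: drop every alert rule whose metadata says
# "signature_severity LEVEL" (e.g. Major, Minor, Informational).
by_severity() {
    printf '%s\n' "$SAMPLE_RULES" | alert_to_drop "signature_severity $1"
}

# drop_count: number of drop rules in the text read from stdin.
drop_count() {
    grep -c '^drop '
}

# Stand-alone run: print each transformation for inspection.
echo '# drop by classtype policy-violation'
by_classtype policy-violation
echo '# drop by signature_severity Major'
by_severity Major
```

Run it as-is to see both transformations. Against a real deployment the functions would read the rule file that suricata-update writes and the result would be written back before reloading; because the rewrite is line-based it only handles single-line rules, and a rule that never carries a signature_severity field is left as an alert, which is the gap the reply above describes.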
Great! Thanks. Didn’t know about it.
I was reading only the manual page, suricata-update(1).
There is no information in it about https://suricata-update.readthedocs.io/.
It would be nice if that link were there.
Finally, I’ve found how that manpage was created for the Debian dist:
- then via help2man which adds --help to program, so it becomes
For groff(7) output (which produces help2man), the URL probably should be placed within .UE macros, see groff_man(7).
In case it is entirely rewritten in mdoc(7), the .Lk macro needs to be used.
Heh, I was about to ask, “there’s a man page for suricata-update?”
@satta Do you maintain that? Could a link be added to the online docs?