Hi,
I have enabled many sources via suricata-update (which gets updates via cron.weekly).
And now I want to block inbound and outbound traffic which matches severity level 1.
Could be something like, for each classtype:
sed '/classtype:policy-violation/s/^alert/drop/g' \
/var/lib/suricata/rules/suricata.rules \
> /var/lib/suricata/rules/custom.rules
Is there a direct way via config file to drop such traffic?
Where to find information about classtype - priority/severity relations?
Web-viewer: evebox
Suricata version: 7.0.0
OS: Debian GNU/Linux 12 (bookworm)
Installed from backports packages.
IPS/inline mode using nftables.
UPD
I’ve replaced it with:
sed -e '/signature_severity Major/s/^alert/drop/g' \
/var/lib/suricata/rules/suricata.rules \
> /var/lib/suricata/rules/custom.rules
I was reading only the manual page, suricata-update(1).
There is no information about https://suricata-update.readthedocs.io/.
It would be nice if that link were there.
Finally, I’ve found how that manpage was created for the Debian dist:
then via help2man, which appends --help to the program name, so it becomes suricata-update --help
For groff(7) output (which help2man produces), the URL should probably be placed within .UR and .UE macros; see groff_man(7).
If it is entirely rewritten in mdoc(7), then the .Lk macro needs to be used.
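An added example (not from the original post or from the Suricata project) of the same alert-to-drop conversion done in Python instead of sed: it reads the classtype priorities from classification.config, whose lines have the form `config classification: <classtype>,<description>,<priority>` and which is where the classtype-to-priority relation is defined, lets an explicit `priority:` keyword in a rule override that default, and also matches `signature_severity` metadata. The classification lines and rules below are constructed samples with placeholder sids.

```python
import re

# Constructed sample in classification.config syntax:
#   config classification: <classtype>,<description>,<priority>
CLASSIFICATION_CONF = """\
config classification: policy-violation,Potential Corporate Privacy Violation,1
config classification: trojan-activity,A Network Trojan was detected,1
config classification: misc-activity,Misc activity,3
"""

# Constructed sample rules (not real signatures; sids are placeholders).
RULES = """\
alert tcp any any -> any any (msg:"DEMO priority 1 via classtype"; classtype:trojan-activity; sid:9000001; rev:1;)
alert tcp any any -> any any (msg:"DEMO priority keyword wins"; classtype:misc-activity; priority:1; sid:9000002; rev:1;)
alert tcp any any -> any any (msg:"DEMO severity Major"; classtype:misc-activity; metadata:signature_severity Major; sid:9000003; rev:1;)
alert tcp any any -> any any (msg:"DEMO stays alert"; classtype:misc-activity; sid:9000004; rev:1;)
#alert tcp any any -> any any (msg:"DEMO disabled"; classtype:trojan-activity; sid:9000005; rev:1;)
"""

CLASS_RE = re.compile(r"^config classification:\s*([^,]+),[^,]*,(\d+)\s*$")

def parse_classification(text):
    """Map classtype name -> numeric priority (1 = highest)."""
    prio = {}
    for line in text.splitlines():
        m = CLASS_RE.match(line.strip())
        if m:
            prio[m.group(1).strip()] = int(m.group(2))
    return prio

def rule_priority(rule, class_prio):
    """Effective priority: an explicit priority: keyword overrides the classtype default."""
    m = re.search(r"\bpriority:\s*(\d+)\s*;", rule)
    if m:
        return int(m.group(1))
    m = re.search(r"\bclasstype:\s*([\w-]+)\s*;", rule)
    return class_prio.get(m.group(1)) if m else None

def to_drop(rules, class_prio, max_priority=1, severities=("Major",)):
    """Rewrite alert -> drop for active rules at/above the priority threshold or with a listed severity."""
    out = []
    for rule in rules.splitlines():
        if rule.startswith("alert "):
            prio = rule_priority(rule, class_prio)
            sev = re.search(r"signature_severity\s+(\w+)", rule)
            if (prio is not None and prio <= max_priority) or (sev and sev.group(1) in severities):
                rule = "drop " + rule[len("alert "):]
        out.append(rule)  # commented-out (disabled) rules pass through untouched
    return "\n".join(out)
```

As with the sed command, write the result to a separate file rather than back into suricata.rules, since suricata-update regenerates that file on every run.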