Vigor3912S Series Linux Application Docker
Specifications
- Product: Vigor 3912S Router
- Intrusion Detection System: Suricata IDS
- Rules: Over 60,000 rules including 6,000+ CVE definitions
- Priority Levels: 4 levels with 1 being the highest priority
Product Usage Instructions
- Configuration of the Linux Application Layer
- Configure the Linux Application settings on the router by setting the Linux IP address and Linux Gateway IP address.
- Activate the Linux SSH service for enhanced security.
- Suricata Installation
- Navigate to [Linux Applications] > [Suricata] and enable Suricata.
- Enable Suricata Core Auto Update and Suricata Rule Auto Update for automatic updates.
- Rule Selection
- Select the appropriate rules based on priority levels. Use the Select/Clear All buttons to activate specific categories.
- Network Event Monitoring
- Visit [Linux Applications] > [Log Collector] to view network events detected by Suricata.
- Determine if the detected events require action or can be ignored.
- Optional: Smart Action Setup
- Enable Smart Action to receive notifications for events.
- Configure Event Category, Type, Content, Facility, Level, and Action Type as needed.
- Monitoring
- Check for notifications using the bell icon and monitor Suricata rule-matched counts on the Statistics page.
How to install Suricata IDS on the Vigor 3912S routers?
The Vigor 3912S routers can run multiple applications on their built-in SSD drive. Some software is preinstalled to make this process even quicker. By default, Suricata, VigorConnect, and other applications are available on the router.
Thanks to Docker and the router’s WUI integration, enabling Suricata is a matter of a few mouse clicks.
This article depicts the activation process of Suricata IDS on the Vigor 3912S routers.
Note
Please make sure that the router is connected to the Internet so that the latest version of the software is used.
- Configuration of the Linux Application layer on the router
- The [Linux Application] > [General Setup] page should be configured so that pre-installed or new Docker-compatible applications can be run on the router.
- The Linux IP address and Linux Gateway IP address fields must be populated with the IP address and network range of your choice.
Activation of the AC Linux SSH service, although optional, is highly recommended.
- Navigate to [Linux Applications] > [Suricata] and select Enable. The Suricata Core Auto Update and Suricata Rule Auto Update options check daily for the latest version, which is then automatically installed.
Notes
- Core Base – two core base options are available. V3912-r1 uses Suricata version 6.0.x; v3912-r2 uses Suricata version 7.0.x. The current Suricata version is shown next to the Core Base drop-down menu.
- Suricata Core Auto Update is run every 24 hours to check for the latest core image. Once downloaded, the new image will be used after the next router reboot.
- Suricata Core Auto Update – this process should run at around 6:30 am local time (each day). If the core image isn’t updated, some Suricata rules may have received an update thanks to the core image SOP process that detects and updates the rules.
- With over 60k rules, including the 6k+ CVE definitions, it is worth selecting the right ones.
Note
Once some rules have been selected, Suricata starts detecting the matching network activities. If the Suricata rules change, the Vigor 3912S reloads the Suricata service.
- Go to [Linux Applications] > [Log Collector]. Select the time range and SURICATA as the Facility to view the network events that Suricata detected. Not all detected events are bad ones. Check which network event triggered the log and decide on further action. If the network event is normal traffic, deselect the specific rule class in the Rule Setup.
- (optional) Enable Smart Action to receive the Suricata notifications
- Select System for the Event Category
- Select Log Keyword Match for the Event Type
- Enter .* in the Keyword Content. This matches any log.
- Keyword Type: REGEX or TEXT. REGEX stands for Regular Expression, which lets you search with a defined pattern. TEXT is a plain string, usually used without special characters.
- Count 1 and Time Span 0 seconds mean that a web notification is sent for any event.
- Select SURICATA for the Facility
- Select INFO(6) for Level.
- Select System for the Action Category
- Select Web Notification for the Action Type
- Monitoring
- The little bell button indicates any new notifications.
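An added example (not part of the DrayTek manual): a Python script for the Log Collector review step that groups Suricata alerts by priority and hit count, and compares the `.*` Smart Action keyword with a narrower pattern. It assumes the exported log text follows Suricata's standard fast.log alert format; the sample lines, SIDs and messages are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Suricata's fast.log alert format (assumption:
# text exported from Log Collector carries the same alert fields).
SAMPLE_LOG = """\
03/14/2025-09:12:01.120001  [**] [1:1000001:1] EXAMPLE outbound DNS lookup [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:53124 -> 192.168.1.1:53
03/14/2025-09:12:05.400210  [**] [1:1000001:1] EXAMPLE outbound DNS lookup [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.20:53990 -> 192.168.1.1:53
03/14/2025-09:13:44.000870  [**] [1:1000001:1] EXAMPLE outbound DNS lookup [**] [Classification: Misc activity] [Priority: 3] {UDP} 192.168.1.21:40112 -> 192.168.1.1:53
03/14/2025-09:15:10.771234  [**] [1:1000002:2] EXAMPLE exploit attempt on web server [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 203.0.113.10:44321 -> 192.168.1.50:80
03/14/2025-09:16:02.310000  [**] [1:1000003:1] EXAMPLE policy violation [**] [Classification: Potential Corporate Privacy Violation] [Priority: 2] {TCP} 192.168.1.30:50222 -> 198.51.100.7:443
03/14/2025-09:20:00.000000  Suricata rules reloaded
"""

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.*?) \[\*\*\] "
    r"\[Classification: (?P<cls>[^\]]*)\] \[Priority: (?P<prio>\d+)\] "
    r"\{(?P<proto>[^}]+)\} (?P<src>\S+) -> (?P<dst>\S+)"
)

def parse_alerts(text):
    """Return one dict per alert line; non-alert lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.search, text.splitlines()) if m]

def triage(text):
    """Rows of (priority, sid, msg, hits, distinct sources): priority 1 first, then noisiest."""
    hits, sources = Counter(), defaultdict(set)
    for a in parse_alerts(text):
        key = (int(a["prio"]), int(a["sid"]), a["msg"])
        hits[key] += 1
        sources[key].add(a["src"].rsplit(":", 1)[0])  # drop the port
    rows = [(p, sid, msg, n, len(sources[(p, sid, msg)])) for (p, sid, msg), n in hits.items()]
    return sorted(rows, key=lambda r: (r[0], -r[3]))

def keyword_hits(pattern, text):
    """Count log lines a Smart Action REGEX keyword would match."""
    return sum(1 for line in text.splitlines() if re.search(pattern, line))

if __name__ == "__main__":
    for prio, sid, msg, n, srcs in triage(SAMPLE_LOG):
        print(f"P{prio} sid={sid} hits={n} sources={srcs} {msg}")
    print("'.*' notifications:", keyword_hits(r".*", SAMPLE_LOG))
    print("priority-1 only:", keyword_hits(r"\[Priority: 1\]", SAMPLE_LOG))
```

A high-count, low-priority row from many internal sources is a candidate for deselecting in Rule Setup, while priority 1 rows are reviewed first.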
FAQs
Q: How often does Suricata Core Auto Update run?
Suricata Core Auto Update runs every 24 hours to check for the latest core image.
Q: What should I do if some Suricata rules are not updating?
If the core image isn’t updated, some rules may still receive updates through the core image SOP process that detects and updates rules. There are 4 priority levels. Use the Select/Clear All (x) buttons to activate the specific category. Number 1 is the highest priority (out of 4).
Documents / Resources
Draytek Vigor3912S Series Linux Application Docker [pdf] Owner's Manual