How to run Suricata on the Vigor 3912S
The Vigor 3912S supports Linux applications utilising its internal SSD. The ‘S’ model enables Ubuntu, Docker, VigorConnect, Suricata and many more.
In this guide, we concentrate on Suricata — the renowned open-source IDS (Intrusion Detection System) that helps protect your network. With more than 60,000 rules (including over 6,000 CVE definitions) it can alert the network administrator to threats such as malware, network intrusions, DoS attacks and data-breaches.
We will cover configuration, Suricata category selection, monitoring, and notifications using the Smart Action feature.

Here are the steps that enable Suricata on your Vigor 3912S.
Note 1: Please make sure that your router is connected to the Internet so that the latest software can be downloaded.
Note 2: Enabling the Linux SSH service is optional, but strongly recommended (see below).

Step 1. Configuration of the Linux Application layer on the router
The [Linux Applications] > [General Setup] page should be configured so that pre-installed or new Docker-compatible applications can be run on the router.
The Linux IP address and Linux Gateway IP address fields must be populated with the IP address and network range of your choice.

Step 2. Enable Suricata
Go to [Linux Applications] > [Suricata], and enable the options Suricata Core Auto Update and Suricata Rule Auto Update. These enable daily checks for the latest version, which will be installed automatically.

Notes:
- Core Base: Two Core Base options are available: v3912-r1 uses Suricata 6.0.x; v3912-r2 uses Suricata 7.0.x — the current version is displayed next to the Core Base drop-down menu.
- The Core Auto Update process runs every 24 hours (typically ~6:30 am local time) to check for the latest core image. Once downloaded, the new image will be used after the next router reboot.
- Even if the core image does not update, some rule sets may still be refreshed via the SOP process.

Step 3. Select relevant rules
Suricata supports over 60,000 rules (including 6,000+ CVE definitions). These rules come with four priority levels (1 being the highest). Use the Select/Clear All (x) buttons to activate specific categories.

Once rules are selected, Suricata will detect network activity accordingly — and if any rule is changed, the Vigor 3912S will reload the Suricata service.

Step 4. View logs
Navigate to [Linux Applications] > [Log Collector]. Select the time range and set Facility = SURICATA so you can see the network events detected by Suricata.
Be aware: not every logged event is necessarily malicious. Review each event to establish whether action is required — if it’s benign, you may wish to disable the corresponding rule under Rule Setup.

Step 5. (Optional) Enable Smart Action notifications
You may configure automatic notifications for Suricata-detected events via [Applications] > [Smart Action]:

- Event Category: System
- Event Type: Log Keyword Match
- Keyword Content: .* (matches all logs)
- Keyword Type: REGEX or TEXT (REGEX supports regular-expression patterns; TEXT matches a plain string only)
- Count: 1
- Time Span: 0 seconds (so any matching event triggers a notification)
- Facility: SURICATA
- Level: INFO(6)
- Action Category: System
- Action Type: Web Notification
Once configured, any event matching your criteria will trigger a web notification (via the little bell icon).

Step 6. Monitoring and statistics
You can view all rule-match counts on the Statistics page — hover the mouse over the offending point in the graph to see the number of occurrences of that threat, and click it to see a more detailed breakdown.

Step 7. Blocking actions
In the current firmware version, you can use the following:
- [Firewall] > [DoS Defence]: enable DoS defence if you wish to have Suricata’s detections trigger blocks.
- [Diagnostics] > [Data Flow Monitor]: enable this to support the blocking capability.
- Using Smart Action profiles, you can block IP addresses automatically when certain keywords (e.g., MALWARE, Exploit, Phishing, WORM, DOS) or priority-1 rules are matched. Within the Smart Action profile:
  - Event Type: Log Keyword Match
  - Keyword (REGEX): e.g. (MALWARE|Exploit|Phishing|WORM|DOS)
  - Facility: SURICATA
  - Action: Block IP
  - Choose whether to block the source IP (First IP/Private IP) or destination IP (Second IP/Public IP) or both (in which case Private IP will be blocked).

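As an added illustration (not DrayTek's code or the router's implementation), the Python script below applies the Step 7 keyword pattern and priority-1 condition, and the Step 5 match-everything pattern `.*`, to constructed alert lines in Suricata's fast.log layout, then picks the address a Block IP action would act on under the First IP / Second IP / both choice. It assumes the Log Collector exposes the same fields as fast.log and that the router's REGEX engine behaves like Python's `re`; both are assumptions, and the SIDs and messages are made up.

```python
import ipaddress
import re

# Constructed sample alerts in Suricata fast.log layout (assumption; SIDs/messages made up).
SAMPLE_LOG = """\
01/02/2024-08:15:01.000001  [**] [1:9000001:1] TEST Malformed header [**] [Classification: Not Suspicious] [Priority: 3] {TCP} 192.168.1.20:51234 -> 203.0.113.10:80
01/02/2024-08:15:09.000002  [**] [1:9000002:1] TEST MALWARE beacon to known host [**] [Classification: Malware] [Priority: 2] {TCP} 192.168.1.31:49152 -> 198.51.100.7:443
01/02/2024-08:16:40.000003  [**] [1:9000003:1] TEST Inbound scan [**] [Classification: Attempted Recon] [Priority: 1] {UDP} 203.0.113.77:5353 -> 192.168.1.1:5353
01/02/2024-08:17:02.000004  [**] [1:9000004:1] TEST Dos attack heuristic [**] [Classification: DoS] [Priority: 2] {TCP} 198.51.100.9:40000 -> 192.168.1.50:8080
"""

# Step 7 keyword pattern and the Step 5 match-everything pattern, as Python re objects.
KEYWORD_RE = re.compile(r"(MALWARE|Exploit|Phishing|WORM|DOS)")
MATCH_ALL_RE = re.compile(r".*")
ALERT_RE = re.compile(
    r"\[\*\*\] \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.*?) \[\*\*\].*?"
    r"\[Priority: (?P<prio>\d+)\] \{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_alert(line):
    """Fields of one alert line (sid, msg, prio, src, dst), or None if it is not an alert."""
    m = ALERT_RE.search(line)
    return dict(m.groupdict(), prio=int(m["prio"])) if m else None

def matches_profile(alert, keyword_re=KEYWORD_RE, max_priority=1):
    """Mirror the Smart Action trigger: keyword hit in the message, or a priority-1 rule."""
    return bool(keyword_re.search(alert["msg"])) or alert["prio"] <= max_priority

def block_target(alert, choice):
    """'first' = source IP, 'second' = destination IP, 'both' = whichever side is RFC 1918."""
    if choice == "first":
        return alert["src"]
    if choice == "second":
        return alert["dst"]
    for ip in (alert["src"], alert["dst"]):
        if any(ipaddress.ip_address(ip) in net for net in RFC1918):
            return ip
    return None

def evaluate(log_text, choice="both", keyword_re=KEYWORD_RE):
    """Return [(sid, ip_to_block)] for every line the profile would fire on."""
    hits = []
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert and matches_profile(alert, keyword_re):
            hits.append((alert["sid"], block_target(alert, choice)))
    return hits
```

The fourth sample line, whose message reads "Dos", is not caught by the case-sensitive pattern DOS, and the guide does not state whether the router's REGEX matching is case-sensitive; confirm the behaviour on a test event before relying on the profile for blocking.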
Step 8. Checking block logs
To verify whether automatic blocks worked:
- Go to [Linux Applications] > [Log Collector]; select a date range; set Facility to “OTHERS” and search for keyword “block”. A log entry such as smart action[7] … result: succ means Smart Action index 7 successfully blocked a connection.
- Then go to [System Maintenance] > [Management] > [Blocked IP List]: this table will list the blocked IP and block-duration (BFP Block Time).
- To check what Suricata detected for that IP, select Facility = SURICATA and search again.
- If an IP was blocked even though it shouldn’t have been, you can unblock it from the Blocked IP List. If you intend to block it permanently, you may add it to the IP Blacklist via [Firewall] > [Defence Setup].