SELKS
Intro
SELKS is a free and open source Debian-based IDS/IPS/Network Security
Monitoring platform released under GPLv3 from Stamus Networks
(https://www.stamus-networks.com/).
SELKS can be installed via docker compose on any Linux or Windows OS.
Once installed it is ready to use out of the box solution.
SELKS ISOs are also available for air gapped environment or bare metal
or VM installation.
{.align-center}
SELKS is comprised of the following major components:
- S - Suricata IDPS/NSM - https://suricata.io/
- E - Elasticsearch - https://www.elastic.co/products/elasticsearch
- L - Logstash - https://www.elastic.co/products/logstash
- K - Kibana - https://www.elastic.co/products/kibana
- S - Scirius - https://github.com/StamusNetworks/scirius
- EveBox - https://evebox.org/
- Arkime - https://arkime.com/
- CyberChef - https://github.com/gchq/CyberChef
The acronym was established before the addition of Arkime, EveBox and
CyberChef.
And it includes preconfigured dashboards like this one:
{.align-center}
What is SELKS
Suricata
SELKS is a showcase of what Suricata IDS/IPS/NSM can do and the network
protocol monitoring logs and alerts it produces. As such any and all
data in SELKS is generated by Suricata:
{.align-center}
Threat Hunting
The usage of Suricata data is further enhanced by Stamus' developed
Scirius, a threat hunting interface. The interface is specifically
designed for Suricata events and combines a drill down approach to pivot
for quick exploration of alerts and NSM events. It includes predefined
hunting filters and enhanced contextual views:
{.align-center}
{.align-center}
Logs
An example subset (not complete) of raw JSON logs generated by Suricata
can be found
here.
Information
If you are a new to Suricata, you can read a series of articles we wrote
about The other side of
Suricata.
Dashboards
SELKS has by default over 28 default dashboards, more than 400
visualizations and 24 predefined searches available.
Here is an extract of the dashboards list: SN-ALERTS, SN-ALL,
SN-ANOMALY, SN-DHCP, SN-DNS, SN-DNP3, SN-FILE-Transactions, SN-FLOW,
SN-HTTP, SN-HUNT-1, SN-IDS, SN-IKEv2, SN-KRB5, SN-MQTT, SN-NFS,
SN-OVERVIEW, SN-RDP, SN-RFB, SN-SANS-MTA-Training, SN-SIP, SN-SMB,
SN-SMTP, SN-SNMP, SN-SSH, SN-STATS, SN-TLS, SN-VLAN, SN-TFTP,
SN-TrafficID
Additional visualizations and dashboards are also available in the
Events viewer (EveBox).
Getting SELKS
Prerequisites
The minimal configuration for production usage is 2 cores and 9 Gb of
memory. As Suricata and Elastisearch are multithreaded, the more cores
you have the better it is. Regarding memory, the more traffic to monitor
you have, the more getting some extra memory will be interesting.
Docker
You can spin up SELKS on any Linux or Windows OSes in minutes via docker
compose. See Docker
Installation.
ISO
For air gapped environement or full OS installation, see SELKS ISO
Setup.
Usage and logon credentials
You need to authenticate to access to the web interface(see the
HTTPS access section below ). The default user/password is
selks-user/selks-user (including through the Dashboards or Scirius
desktop icons). You can change credentials and user settings by using
the top left menu in Scirius.
For the ISO users
Default OS user:
- user:
selks-user - password:
selks-user(password in Live mode islive)
The default root password is StamusNetworks
HTTPS access
If you wish to remotely (from a different PC on your network) access the
dashboards you could do that as follows (in your browser):
- https://your.selks.IP.here/ - Scirius ruleset management and a
central point for all dashboards and EveBox
You need to authenticate to access to the web interface. The default
user/password is the same as for local access: selks-user/selks-user.
Don't forget to change credentials at first login. You can do that by
going to Account settings in the top left dropdown menu of Scirius.
Getting help
You can get more information on SELKS wiki:
https://github.com/StamusNetworks/SELKS/wiki
You can get help about SELKS on our Discord channel
https://discord.gg/h5mEdCewvn
If you encounter a problem, you can open a ticket on
https://github.com/StamusNetworks/SELKS/issues
Enterprise scale Deployments
While SELKS is suitable as a production network security solution in
small to medium sized organizations and is a great system to test out
the power of Suricata for intrusion detection and threat hunting, it was
never designed to be deployed in an enterprise setting. For enterprise
applications, please review our commercial solution, Stamus Security
Platform (SSP).
Stamus Security Platform (Commercial Solution)
Stamus Security Platform (SSP) is the commercial network-based threat
detection and response solution from Stamus Networks. While it retains
much of the same look and feel as SELKS, SSP is a completely different
system and requires a new software installation.
Available in two license tiers, SSP delivers:
Broad-Spectrum Threat Detection
- Multiple detection mechanisms from machine learning, anomaly
detection, and signatures - High-fidelity "Declarations of Compromise" with multi-stage attack
timeline - Weekly threat intelligence updates from Stamus Labs
Guided Threat Hunting and Incident Investigation
- Advanced guided threat hunting filters
- Host insights tracks over 60 security-related attributes
- Easily convert hunt results into custom detection logic
- Explainable and transparent results with evidence
Enterprise Scale Management and Integration
- Automated classification and alert triage
- Management of multiple probes from single console
- Seamless integration with SOAR, SIEM, XDR, EDR, IR
- Multi-tenant operation
- Configuration backup and restoration
More Information about SSP
Visit this page to request a demo of
SSP
To learn more about the differences between SELKS and our commercial
solutions, please read through "Understanding SELKS and Stamus
Commercial Platforms" Download the white paper
here.