• Stars
    star
    1,420
  • Rank 33,128 (Top 0.7 %)
  • Language
    Shell
  • License
    GNU General Publi...
  • Created over 10 years ago
  • Updated 3 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A Suricata based IDS/IPS/NSM distro

SELKS

Intro

SELKS is a free and open source Debian-based IDS/IPS/Network Security Monitoring platform released under GPLv3 from Stamus Networks (https://www.stamus-networks.com/).

SELKS can be installed via docker compose on any Linux or Windows OS. Once installed it is ready to use out of the box solution.

SELKS ISOs are also available for air gapped environment or bare metal or VM installation.

SELKS 7

SELKS is comprised of the following major components:

The acronym was established before the addition of Arkime, EveBox and CyberChef.

And it includes preconfigured dashboards like this one:

Example view

What is SELKS

Suricata

SELKS is a showcase of what Suricata IDS/IPS/NSM can do and the network protocol monitoring logs and alerts it produces. As such any and all data in SELKS is generated by Suricata:

Suricata

Threat Hunting

The usage of Suricata data is further enhanced by Stamus' developed Scirius, a threat hunting interface. The interface is specifically designed for Suricata events and combines a drill down approach to pivot for quick exploration of alerts and NSM events. It includes predefined hunting filters and enhanced contextual views:

Stamus

Stamus

Logs

An example subset (not complete) of raw JSON logs generated by Suricata can be found here.

Information

If you are a new to Suricata, you can read a series of articles we wrote about The other side of Suricata.

Dashboards

SELKS has by default over 28 default dashboards, more than 400 visualizations and 24 predefined searches available.

Here is an extract of the dashboards list: SN-ALERTS, SN-ALL, SN-ANOMALY, SN-DHCP, SN-DNS, SN-DNP3, SN-FILE-Transactions, SN-FLOW, SN-HTTP, SN-HUNT-1, SN-IDS, SN-IKEv2, SN-KRB5, SN-MQTT, SN-NFS, SN-OVERVIEW, SN-RDP, SN-RFB, SN-SANS-MTA-Training, SN-SIP, SN-SMB, SN-SMTP, SN-SNMP, SN-SSH, SN-STATS, SN-TLS, SN-VLAN, SN-TFTP, SN-TrafficID

Additional visualizations and dashboards are also available in the Events viewer (EveBox).

Getting SELKS

Prerequisites

The minimal configuration for production usage is 2 cores and 9 Gb of memory. As Suricata and Elastisearch are multithreaded, the more cores you have the better it is. Regarding memory, the more traffic to monitor you have, the more getting some extra memory will be interesting.

Docker

You can spin up SELKS on any Linux or Windows OSes in minutes via docker compose. See Docker Installation.

ISO

For air gapped environement or full OS installation, see SELKS ISO Setup.

Usage and logon credentials

You need to authenticate to access to the web interface(see the HTTPS access section below ). The default user/password is selks-user/selks-user (including through the Dashboards or Scirius desktop icons). You can change credentials and user settings by using the top left menu in Scirius.

For the ISO users

Default OS user:

  • user: selks-user
  • password: selks-user (password in Live mode is live)

The default root password is StamusNetworks

HTTPS access

If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):

You need to authenticate to access to the web interface. The default user/password is the same as for local access: selks-user/selks-user. Don't forget to change credentials at first login. You can do that by going to Account settings in the top left dropdown menu of Scirius.

Getting help

You can get more information on SELKS wiki: https://github.com/StamusNetworks/SELKS/wiki

You can get help about SELKS on our Discord channel https://discord.gg/h5mEdCewvn

If you encounter a problem, you can open a ticket on https://github.com/StamusNetworks/SELKS/issues

Enterprise scale Deployments

While SELKS is suitable as a production network security solution in small to medium sized organizations and is a great system to test out the power of Suricata for intrusion detection and threat hunting, it was never designed to be deployed in an enterprise setting. For enterprise applications, please review our commercial solution, Stamus Security Platform (SSP).

Stamus Security Platform (Commercial Solution)

Stamus Security Platform (SSP) is the commercial network-based threat detection and response solution from Stamus Networks. While it retains much of the same look and feel as SELKS, SSP is a completely different system and requires a new software installation.

Available in two license tiers, SSP delivers:

Broad-Spectrum Threat Detection

  • Multiple detection mechanisms from machine learning, anomaly detection, and signatures
  • High-fidelity “Declarations of Compromise” with multi-stage attack timeline
  • Weekly threat intelligence updates from Stamus Labs

Guided Threat Hunting and Incident Investigation

  • Advanced guided threat hunting filters
  • Host insights tracks over 60 security-related attributes
  • Easily convert hunt results into custom detection logic
  • Explainable and transparent results with evidence

Enterprise Scale Management and Integration

  • Automated classification and alert triage
  • Management of multiple probes from single console
  • Seamless integration with SOAR, SIEM, XDR, EDR, IR
  • Multi-tenant operation
  • Configuration backup and restoration

More Information about SSP

Visit this page to request a demo of SSP

To learn more about the differences between SELKS and our commercial solutions, please read through "Understanding SELKS and Stamus Commercial Platforms" Download the white paper here.

More Repositories

1

scirius

Scirius is a web application for Suricata ruleset management and threat hunting.
Python
620
star
2

Amsterdam

Docker based Suricata, Elasticsearch, Logstash, Kibana, Scirius aka SELKS
Python
183
star
3

gophercap

Accurate, modular, scalable PCAP manipulation tool written in Go.
Go
84
star
4

suricata-language-server

Suricata Language Server is an implementation of the Language Server Protocol for Suricata signatures. It adds syntax check, hints and auto-completion to your preferred editor once it is configured.
Python
60
star
5

suricata-4-analysts

The Security Analyst’s Guide to Suricata
Python
49
star
6

KTS5

Kibana 5 Templates for Suricata IDPS
Python
43
star
7

KTS7

Kibana 7 Templates for Suricata IDPS Threat Hunting
38
star
8

KTS

Kibana 4 Templates for Suricata IDPS
Shell
33
star
9

suricata-analytics

Jupyter Notebook
25
star
10

KTS6

Kibana 6 Templates for Suricata IDPS Threat Hunting
Python
25
star
11

surimisp

Check IOC provided by a MISP instance on Suricata events
Python
17
star
12

ansible-misp

Ansible playbook to install Malware Information Sharing Platform (MISP)
17
star
13

bpfctrl

Utility based on bpftool to manage eBPF maps
Python
12
star
14

stamus_for_splunk

The Stamus Networks App for Splunk allows Splunk Enterprise users to extract information and insights from both the Stamus Security Platform and open source Suricata sensors.
Python
11
star
15

scirius-docker

Scirius docker container
Shell
9
star
16

suricata-docker

Python
7
star
17

selks-scripts

SELKS scripts
Shell
7
star
18

stamus-luajit-scripts

Stamus luajit scripts for use with Suricata IDPS
Lua
4
star
19

suricata-ls-vscode

VScode part of the Suricata Language Server
TypeScript
3
star
20

pktcity-js

3D visualization of Suricata alerts
JavaScript
2
star
21

labs

Stamus Labs content
1
star
22

stamus-qa-docker

Dockerfile used for QA
Dockerfile
1
star