SELKS is a turnkey Suricata-based IDS/IPS/NSM ecosystem that combines several free, open-source tools into one ready-to-use platform. Stamus Networks created SELKS in order to showcase the power of Suricata by providing a platform to the open-source community. However many Suricata users are unaware of how SELKS and its components could fit their needs for a network security monitoring (NSM) and/or intrusion detection system (IDS) solution. For the open-source enthusiast, network security beginner, or small to medium business without the budget for an enterprise level solution, SELKS could be the gateway into Suricata that you’ve been searching for.
For those unfamiliar with the SELKS ecosystem, we want to highlight the individual components that make it such a powerful free Suricata-based platform.
What Does SELKS Stand For?
SELKS was named after its essential five parts:
- Stamus Community Edition (formerly known as Scirius)
Additionally, SELKS now includes Arkime, EveBox, and CyberChef that were added after the name was created. Let's take a closer look at each of these components.
Most network security professionals are at least somewhat familiar with Suricata. It is an open-source based intrusion detection and intrusion prevention system (IDS/IPS). Initially released in 2010, Suricata has become one of the most popular network security tools in the world. As Stamus Networks is firmly rooted in the world of Suricata, it was only natural to base our same open-source tool on the network security engine we did for our commercial offering (Stamus Security Platform). Suricata is the heart of SELKS, providing effective signature-based detection, deep packet inspection, and real-time network traffic analysis while also giving the user NSM functions like protocol transaction and flow record logging
Elasticsearch is the open-source data lake where all of the SELKS Suricata event data gets stored. Using Elasticsearch, SELKS users can quickly and easily sort through all their network data and security logs. When combined with Logstash and Kibana, Elasticsearch gives SELKS users a complete open-source log management system, allowing them to store and search through their logs in an effective and efficient way.
Elasticsearch is no use to a user unless there is another system aggregating and processing the data first. This is why Logstash is included in SELKS. Logstash is an open-source, server-side data processing pipeline that can ingest data from multiple sources, transform it, and send it to be stored. It does this continuously and helps SELKS users maintain maximum real time visibility into their network data.
Kibana is the companion data searching, visualization, and dashboard tool for Elasticsearch. In SELKS, it comes preloaded with some custom dashboards, but users have the ability to create more that fit their specific needs. SELKS already displays the alerts from Suricata signatures and related network protocol logs, but Kibana allows users access to additional network security monitoring (NSM) data which is incredibly useful for investigation and reporting.
Together, Elasticsearch, Logstash, and Kibana form the ELK stack, which is a powerful open-source data management system widely used elsewhere in network security and other deployments.
Stamus Community Edition (Stamus CE)
Formerly known as "Scirius," Stamus CE is the primary user interface of SELKS, and with it all the previously mentioned applications can function under one platform. It also provides a number of additional features. With Stamus CE, a SELKS user can:
- manage Suricata rulesets and third-party threat intelligence
- upload and manage custom Suricata rules
- engage in proactive threat hunting using predefined filters
- view all protocol, file transactions and flow logs related to alerts generated by Suricata
While the ELK stack enables SELKS users to store and analyze log data, Arkime serves the same function for packet capture and analysis. Log data is great for incident response and triage, but packet data is valuable when it comes time to search for evidence or do a forensic investigation. With Arkime, SELKS is able to help users perform both tasks and creates a more complete Suricata-based network security solution.
EveBox provides users an additional interface for Suricata alert and event management. While Stamus Community Edition serves as the primary user interface, EveBox gives SELKS users an additional way to view Suricata events in Elasticsearch. It provides the user an “inbox” style approach to event management if that is their preference, an additional method of searching events.
CyberChef is known as “The Cyber Swiss Army Knife”. It includes various tools for analyzing and decoding data in an easy-to-use format. It gives SELKS users the ability to encode, decode, format, parse, encrypt, decrypt, compress, and extract data. Essentially, CyberChef enables the SELKS user to carry out over 300 different functions based on their needs. For a better look at some of its use cases, see the CyberChef GitHub page.
For the casual Suricata user, network security hobbyist, or small business, SELKS is a perfectly capable intrusion detection (IDS) and network security monitoring (NSM) system. It can provide valuable insights into network traffic and effective threat detection on a single Suricata sensor. To learn more about SELKS, visit this page from Stamus Networks.
If you are in the market for a more complete Suricata-based network security solution, then you might want to check out Stamus Security Platform, which provides even greater functionality than SELKS and was specifically designed for enterprise-level needs.