
What is SELKS?

SELKS is a free, open-source, and turn-key Suricata network intrusion detection/protection system (IDS/IPS), network security monitoring (NSM) and threat hunting implementation created and maintained by Stamus Networks.

 

Released under GPLv3 license, the live distribution is available as either a live and installable Debian-based ISO or via Docker compose on any Linux operating system.

 

Read the press release detailing the latest version of SELKS - SELKS 7 >>

Why is it called SELKS?

SELKS is comprised of the following major components:

  • Suricata - Ready to use Suricata 
  • Elasticsearch - Search engine 
  • Logstash - Log ingestion 
  • Kibana - Custom dashboards and event exploration 
  • Scirius CE - Suricata ruleset management and Suricata threat hunting interface

 

In addition, SELKS now includes Arkime, EveBox and CyberChef.

What is Scirius CE?

Scirius CE is the Stamus Networks open-source application that brings all these components together. Scirius provides the web interface for the entire system, giving you the ability to:

 

  • Manage multiple Suricata rulesets and threat intelligence sources 
  • Upload and manage custom Suricata rules and IoC data files 
  • Hunt for threats using predefined filters and enhanced contextual views
  • Apply thresholding and suppression to limit verbosity of noisy alerts
  • View Suricata performance statistics and information about Suricata rule activity
  • Apply Kibana, EveBox, and CyberChef to the Suricata NSM and alert data

Who is SELKS for?

For many small-to-medium sized organizations, SELKS can be a suitable production-grade network security monitoring (NSM) and intrusion detection (IDS) solution.

And because all the data available in SELKS is generated by the Suricata engine, SELKS is widely used by network security practitioners, educators, and hobbyists to explore what is possible with Suricata IDS/IPS/NSM and the network protocol monitoring logs and alerts it produces. 

 

For enterprise scale applications, please review our commercial solution, Stamus Security Platform (SSP), described below.

 

Download SELKS

SELKS Docker Compose Package

Use the Docker Compose package to install SELKS in any Linux environment and ensure you are including the very latest containers, including EveBox and Suricata.

 

Get SELKS on Docker

Complete Image with Desktop

Use the image with Desktop when you want a turnkey installation that includes the Debian Linux desktop environment. It can be deployed on bare-metal hardware or in a VM.

 

SELKS 7 ISO with Desktop

Complete Image without Desktop

Use the image without Desktop when you want a turnkey SELKS installation in a headless environment. It can be deployed on bare-metal hardware or in a VM.

 

SELKS 7 ISO without Desktop

Report Issues and Get SELKS Support

To access the README documentation, issue tracker and the SELKS wiki, please visit our GitHub page here >>

To ask questions or ask for help, join our Discord server here >>

 

What About Enterprise Scale Deployments?

While SELKS is a great system to test out the power of Suricata for intrusion detection and threat hunting, it was never designed to be deployed in an enterprise setting. For enterprise applications, please review our commercial solution, Stamus Security Platform.

 

To learn more about the differences between SELKS and our commercial solutions, download the white paper, Understanding SELKS and Stamus Commercial Platforms. 

Download the White Paper Now


What is Stamus Security Platform?

Stamus Security Platform (SSP) is the commercial network-based threat detection and response solution from Stamus Networks. While it retains much of the same look and feel as SELKS, SSP is a completely different system and requires a new software installation.

 

Available in two license tiers, SSP delivers:

 

Broad-Spectrum Threat Detection

  • Multiple detection mechanisms from machine learning, anomaly detection, and signatures
  • High-fidelity Declarations of Compromise with multi-stage attack timeline
  • Weekly threat intelligence updates from Stamus Labs

 

Guided Threat Hunting and Incident Investigation

  • Advanced guided threat hunting filters
  • Host insights tracks over 60 security-related attributes
  • Easily convert hunt results into custom detection logic
  • Explainable and transparent results with evidence

 

Enterprise Scale Management and Integration

  • Automated classification and alert triage
  • Management of multiple probes from single console
  • Seamless integration with SOAR, SIEM, XDR, EDR, IR
  • Multi-tenant operation
  • Configuration backup and restoration

Request a Demo

See the table below for a summary comparison between SELKS and the Stamus Networks commercial offerings.

Feature (partial list) | SELKS | Stamus Security Platform (Stamus ND) | Stamus Security Platform (Stamus NDR)
IDS administration for one probe | X | X | X
IDS ruleset management for one ruleset | X | X | X
Basic threat hunting on IDS events | X | X | X
Real-time network traffic analysis | X | X | X
IDS administration for multiple probes | - | X | X
IDS ruleset management for multiple rulesets | - | X | X
Multiple Stamus Networks probes and/or Suricata sensors | - | X | X
Automated health and wellness monitoring | - | X | X
Automated application and OS updates | - | X | X
Unified network threat hunting tool | - | X | X
Guided hunting that drives detection | - | X | X
Real-time correlation of IDS events, network traffic analysis and organizational data | - | X | X
Automated event classification and advanced tagging | - | X | X
Network definitions - allows the user to label certain networks or IPs with organizationally-relevant names which SSP uses to enrich event data | - | X | X
Enriched data provides context and increases network visibility | - | X | X
Unique metadata for perspective and investigation | - | X | X
Metadata integration with SIEM, SOAR, and data lakes | - | X | X
Declarations of Compromise - high-confidence events mapped into the cyber kill chain | - | - | X
Webhooks integration of Declarations of Compromise into SOAR, XDR, EDR or channel-based messaging app | - | - | X
Protocol transaction-based (non-signature) advanced threat detection | - | - | X
Sightings - events generated when a host accesses a new destination (domain or IP) for the first time | - | - | X
Beacon detection using machine learning | - | - | X
User-defined algorithms to trigger Declarations of Compromise specific to your environment | - | - | X
Host Insights - details network services, user agents, host name, logged-in users and all activity associated with every host | - | - | X
Stamus Networks proprietary threat intelligence feed (updated daily) | - | - | X

Additional Resources


Tech Brief: Supercharge Suricata Sensors with Stamus Security Platform

Download

White Paper: Scaling Suricata for Enterprise Deployment

Download

Blog: Spin up Suricata in 10 Minutes

Read More