Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/StamusNetworks/SELKS

A Suricata based IDS/IPS/NSM distro
https://github.com/StamusNetworks/SELKS

distribution gui ids ips linux management monitoring network network-intrusion-detection network-security security security-monitoring suricata threat-hunting user-interface

Last synced: about 2 months ago
JSON representation

A Suricata based IDS/IPS/NSM distro

Awesome Lists containing this project

README 

        
=====

SELKS

=====



Intro

=====



SELKS is a free and open source Debian-based IDS/IPS/Network Security Monitoring platform 

released under GPLv3 from Stamus Networks (https://www.stamus-networks.com/). 



SELKS can be installed via docker compose on any Linux or Windows OS. Once installed it is 

ready to use out of the box solution.



SELKS ISOs are also available for air gapped environment or bare metal or VM installation. 



.. image:: doc/images/Hunt-Filtersets-1.png

    :alt: SELKS 7

    :align: center



SELKS is comprised of the following major components:



* S - Suricata IDPS/NSM - https://suricata.io/

* E - Elasticsearch - https://www.elastic.co/products/elasticsearch

* L - Logstash - https://www.elastic.co/products/logstash

* K - Kibana - https://www.elastic.co/products/kibana

* S - Scirius - https://github.com/StamusNetworks/scirius

* EveBox - https://evebox.org/

* Arkime - https://arkime.com/

* CyberChef - https://github.com/gchq/CyberChef



The acronym was established before the addition of Arkime, EveBox and CyberChef.  



And it includes preconfigured dashboards like this one:



.. image:: doc/images/Overview-1.png

    :alt: Example view

    :align: center



What is SELKS

=============



Suricata

--------



SELKS is a showcase of what Suricata IDS/IPS/NSM can do and the network protocol monitoring logs and alerts it produces. As such any and all data in SELKS is generated by Suricata: 



.. image:: doc/images/Suricata-Generated-Eventsv2-source.webp

    :alt: Suricata

    :align: center



Threat Hunting

--------------



The usage of Suricata data is further enhanced by Stamus' developed Scirius, a threat hunting interface. The interface is specifically designed for Suricata events and combines a drill down approach to pivot for quick exploration of alerts and NSM events. It includes predefined hunting filters and enhanced contextual views:



.. image:: doc/images/Hunt-context-1.png

    :alt: Stamus

    :align: center



.. image:: doc/images/Hunt-Context-2.png

    :alt: Stamus

    :align: center



Logs

----



An example subset (not complete) of raw JSON logs generated by Suricata `can be found here `_. 



Information

-----------



If you are a new to Suricata, you can read a series of articles we wrote about `The other side of Suricata `_.



Dashboards

----------



SELKS has by default over 28 default dashboards, more than 400 visualizations and 24 predefined searches available.



Here is an extract of the dashboards list: SN-ALERTS, SN-ALL, SN-ANOMALY, SN-DHCP, SN-DNS, SN-DNP3, SN-FILE-Transactions, SN-FLOW, SN-HTTP, SN-HUNT-1, SN-IDS, SN-IKEv2, SN-KRB5, SN-MQTT, SN-NFS, SN-OVERVIEW, SN-RDP, SN-RFB, SN-SANS-MTA-Training, SN-SIP, SN-SMB, SN-SMTP, SN-SNMP, SN-SSH, SN-STATS, SN-TLS, SN-VLAN, SN-TFTP, SN-TrafficID



Additional visualizations and dashboards are also available in the ``Events viewer`` (EveBox).



Getting SELKS

=============



Prerequisites

-------------



The minimal configuration for production usage is 2 cores and 9 Gb of memory. As Suricata

and Elastisearch are multithreaded, the more cores you have the better it is.

Regarding memory, the more traffic to monitor you have, the more getting some extra memory will be interesting.



Docker

------



You can spin up SELKS on any Linux or Windows OSes in minutes via docker compose. See `Docker Installation `_.



ISO

---



For air gapped environement or full OS installation, see `SELKS ISO Setup `_.

 

Usage and logon credentials

===========================



You need to authenticate to access to the web interface(see the ``HTTPS access`` section below ). The default user/password is ``selks-user/selks-user`` (including through the Dashboards or Scirius desktop icons).

You can change credentials and user settings by using the top left menu in Scirius.  



For the ISO users

-----------------



Default OS user:



* user: ``selks-user``

* password: ``selks-user`` (password in Live mode is ``live``)



The default root password is ``StamusNetworks``



HTTPS access

============



If you wish to remotely (from a different PC on your network) access the 

dashboards you could do that as follows (in your browser):



* https://your.selks.IP.here/ - Scirius ruleset management and a central point for all dashboards and EveBox



You need to authenticate to access to the web interface. The default user/password is the

same as for local access: ``selks-user/selks-user``. Don't forget to change credentials at first

login. You can do that by going to ``Account settings`` in the top left dropdown menu of

Scirius.



Getting help

============



You can get more information on SELKS wiki: https://github.com/StamusNetworks/SELKS/wiki



You can get help about SELKS on our Discord channel https://discord.gg/h5mEdCewvn



If you encounter a problem, you can open a ticket on https://github.com/StamusNetworks/SELKS/issues



Enterprise scale Deployments

============================



While SELKS is suitable as a production network security solution in small to medium sized organizations and is a great system to test out the power of Suricata for intrusion detection and threat hunting, it was never designed to be deployed in an enterprise setting. For enterprise applications, please review our commercial solution, Stamus Security Platform (SSP).



Stamus Security Platform (Commercial Solution)

==============================================

Stamus Security Platform (SSP) is the commercial network-based threat detection and response solution from Stamus Networks. While it retains much of the same look and feel as SELKS, SSP is a completely different system and requires a new software installation.



Available in two license tiers, SSP delivers:



Broad-Spectrum Threat Detection

-------------------------------

* Multiple detection mechanisms from machine learning, anomaly detection, and signatures

* High-fidelity “Declarations of Compromise” with multi-stage attack timeline

* Weekly threat intelligence updates from Stamus Labs



Guided Threat Hunting and Incident Investigation

------------------------------------------------

* Advanced guided threat hunting filters

* Host insights tracks over 60 security-related attributes

* Easily convert hunt results into custom detection logic

* Explainable and transparent results with evidence



Enterprise Scale Management and Integration

-------------------------------------------

* Automated classification and alert triage

* Management of multiple probes from single console

* Seamless integration with SOAR, SIEM, XDR, EDR, IR

* Multi-tenant operation

* Configuration backup and restoration 



More Information about SSP

==========================



Visit `this page to request a demo of SSP `_



To learn more about the differences between SELKS and our commercial solutions, please read through "*Understanding SELKS and Stamus Commercial Platforms*" `Download the white paper here. `_