Summary: This content discusses SELKS, a free and open-source solution for network intrusion detection and protection, network security monitoring, and threat hunting.
Threat Actor: N/A
Victim: N/A
Key Point :
- SELKS is a turnkey solution developed by Stamus Networks for small and medium-sized organizations to protect their networks and secure their business.
- It is popular among network security practitioners for its capabilities in analyzing network protocol monitoring logs and alerts generated by the Suricata IDS/IPS/NSM engine.
- SELKS comes with over 28 default dashboards, more than 400 visualizations, and 24 predefined searches.
- The future plans for SELKS include expanding the community and interaction and making it cloud-native.
SELKS is a free, open-source, turnkey solution for Suricata-based network intrusion detection and protection (IDS/IPS), network security monitoring (NSM), and threat hunting. The project is developed and maintained by Stamus Networks.
SELKS is an effective production-grade solution for many small and medium-sized organizations. Since all the data in SELKS is generated by the Suricata engine, it is popular among network security practitioners who explore the capabilities of Suricata IDS/IPS/NSM and analyze the network protocol monitoring logs and alerts it generates.
By default, SELKS has over 28 default dashboards, more than 400 visualizations, and 24 predefined searches available.
“We developed SELKS 10 years ago because we felt organizations without enterprise-level budgets and resources also needed the opportunity to protect their networks and secure their business. Our plans are to expand the community and interaction and make it cloud-native,” Peter Manev, Chief Strategy Officer, Stamus Networks, told Help Net Security.
SELKS 10 features
SELKS 10 was recently released, key enhancements include:
Conditional packet capture
SELKS users can now capture selected packets (PCAP) associated with detection events and then export those packets from the hunting interface. These PCAP files include the full session that triggered the detection in question. All PCAPs are de-duplicated, stored only once on the sensor, and made available for download as evidence or for playback into SELKS or third-party tools such as Wireshark.
This is so important because it gives users access to critical network forensic data to be used for investigation, training, or threat intelligence sharing without dedicating the substantial storage resources needed for full-time packet capture.
Arkime version 5.0 features
SELKS 10 adds the latest capabilities of Arkime – bulk search, improved session detail display, unified configs, unified authentication, additional multiviewer support, and offline PCAP retrieval improvements. Arkime augments Suricata’s conditional packet capture to store and index network traffic in standard PCAP format.
PostgreSQL database
SELKS 10 is now using a PostgreSQL database instead of SQLite to fix some issues, augment capabilities, improve scalability, and prepare for future evolution.
Future plans and download
SELKS is readily accessible, available for free on GitHub as a live and installable Debian-based ISO or via Docker. It’s designed to be compatible with any Linux operating system.
The minimal configuration for production usage is two cores and 9 GB of memory. Since both Suricata and Elasticsearch are multithreaded, having more cores is beneficial.
Must read:
“An interesting youtube video that may be related to the article above”