universalbit-dev / selks Goto Github PK

• Support UniversalBit Project
• Disambiguation

SELKS is a free and open source Debian-based IDS/IPS/Network Security Monitoring platform released under GPLv3 from Stamus Networks.

SELKS is a showcase of what Suricata IDS/IPS/NSM can do and the network protocol monitoring logs and alerts it produces. As such any and all data in SELKS is generated by Suricata:

required

docker installation

• prepare environment

# Add Docker's official GPG key:
sudo apt-get update
sudo apt-get install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
  $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | \
  sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
sudo apt-get update

• run apt installer:

sudo apt-get install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

• SELKS installation

git clone https://github.com/StamusNetworks/SELKS.git
cd SELKS/docker/
./easy-setup.sh
sudo -E docker compose up -d

SELKS can be installed via docker compose on any Linux or Windows OS. Once installed it is ready to use out of the box solution.

• Suricata IDPS/NSM
• Elasticsearch
• Logstash
• Kibana
• Scirius
• EveBox
• Arkime
• CyberChef

The acronym was established before the addition of Arkime, EveBox and CyberChef.

And it includes preconfigured dashboards like this one:

• Docker
• AttackDetection
• Snort
• Sslbl
• Proofpoint
• Etnetera
• Hunting-Rules

200GB+ SSD grade is recommended.

The usage of Suricata data is further enhanced by Stamus' developed Scirius, a threat hunting interface. The interface is specifically designed for Suricata events and combines a drill down approach to pivot for quick exploration of alerts and NSM events. It includes predefined hunting filters and enhanced contextual views:

An example subset (not complete) of raw JSON logs generated by Suricata.

If you are a new to Suricata, you can read a series of articles we wrote about `The other side of Suricata.

Here is an extract of the dashboards list: SN-ALERTS, SN-ALL, SN-ANOMALY, SN-DHCP, SN-DNS, SN-DNP3, SN-FILE-Transactions, SN-FLOW, SN-HTTP, SN-HUNT-1, SN-IDS, SN-IKEv2, SN-KRB5, SN-MQTT, SN-NFS, SN-OVERVIEW, SN-RDP, SN-RFB, SN-SANS-MTA-Training, SN-SIP, SN-SMB, SN-SMTP, SN-SNMP, SN-SSH, SN-STATS, SN-TLS, SN-VLAN, SN-TFTP, SN-TrafficID

Additional visualizations and dashboards are also available in the Events viewer

• EveBox

You need to authenticate to access to the web interface(see the HTTPS access section below ).

You can change credentials and user settings by using the top left menu in Scirius.

If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):

• https://your.selks.IP.here/ - Scirius ruleset management and a central point for all dashboards and EveBox

You need to authenticate to access to the web interface.

• The default user/password is the same as for local access: selks-user/selks-user. Don't forget to change credentials at first login. You can do that by going to Account settings in the top left dropdown menu of Scirius.

You can get more information on SELKS wiki

You can get help about SELKS on our Discord channel

If you encounter a problem, you can open a issue

• Multiple detection mechanisms from machine learning, anomaly detection, and signatures
• High-fidelity “Declarations of Compromise” with multi-stage attack timeline
• Weekly threat intelligence updates from Stamus Labs

• Advanced guided threat hunting filters
• Host insights tracks over 60 security-related attributes
• Easily convert hunt results into custom detection logic
• Explainable and transparent results with evidence

• Automated classification and alert triage
• Management of multiple probes from single console
• Seamless integration with SOAR, SIEM, XDR, EDR, IR
• Multi-tenant Cloud
• Configuration backup and restoration

• Schedule a live demo