Suricata is a powerful open-source network security tool. One of its disadvantages, however, is its lack of a built-in web interface. While this decision was intentional to allow Suricata users to configure their Suricata deployment however they like, it does create a barrier to entry for some less technical users. Thankfully, solutions are available.
In this blog post, we will explore how SELKS by Stamus Networks offers a user-friendly web-based management system with Suricata at its core. We will also address some common questions surrounding Suricata’s deployment: is it network-based or host-based? And what’s the difference between its roles as an Intrusion Detection System (IDS) and an Intrusion Prevention System (IPS)?
Suricata itself does not have a built-in web interface. It is primarily a command-line tool that is customized through its configuration files. Those who want a web-based management experience with Suricata dashboards should consider downloading SELKS by Stamus Networks.
SELKS is a turn-key Suricata-based IDS/NSM and threat-hunting system. It is available as either a live and installable Debian-based ISO or via Docker compose on any Linux operating system.
SELKS comprises the following major components:
In addition, SELKS also includes Arkime, EveBox, and CyberChef.
SELKS is an incredibly powerful and effective way to begin learning Suricata, and for many small-to-medium sized organizations, hobbyists, and educational settings, SELKS functions as a production-grade NSM and IDS solution.
To download SELKS or learn more, please visit www.stamus-networks.com/selks
You can also download SELKS on GitHub at https://github.com/StamusNetworks/SELKS
Scirius, now known as Stamus CE, is a web interface developed by Stamus Networks and designed specifically for managing Suricata rulesets and threat hunting. It is offered as an open-source application under the GNU GPLv3 license [1, 4].
Here's a breakdown of what Scirius (Stamus CE) can do:
Scirius (Stamus CE) acts as a central hub for managing Suricata's threat detection capabilities, allowing you to customize rules, hunt for threats, and gain insights into Suricata's performance.
It is included as the central GUI and Suricata manager in SELKS.
Suricata can be configured as a host-based IDS, but it is primarily a network-based intrusion detection system. This means it is designed to monitor traffic across the entire network environment rather than focusing on individual devices. SELKS by Stamus Networks uses Suricata in a network-based configuration.
There are three main reasons Suricata excels as a network-based IDS:
It is important to note that Suricata can technically be configured for a limited host-based IDS role in some scenarios. However, this is not its typical or recommended use for several reasons:
There are other host-based IDS options available that are specifically designed for this purpose and might be a better fit for individual device protection.
Depending on how it is deployed, Suricata can function as either an IDS or an IPS.
In its IDS mode, Suricata continuously monitors your network traffic for suspicious activity. It compares this traffic to a vast database of known threats and pre-defined rules. Users can also include new rule sets and create custom rules. If it detects a potential attack, like malware or a hacking attempt, Suricata issues an alert, allowing you to investigate and take action.
IDS monitoring is more passive than IPS. Suricata monitors the network traffic but does not intervene. This offers a valuable first line of defense, but some organizations might feel overwhelmed by the number of alerts and the presence of false positives, which require human intervention to sort through the alerts and find the actual serious and imminent threats.
You can also configure Suricata as an IPS. In IPS mode, it doesn't just detect threats, it actively blocks them. By analyzing traffic patterns and comparing them to its rule set, Suricata can identify and stop malicious attempts before they infiltrate your system. This is a more active strategy than IDS, but false positives from poorly configured rules could lead to legitimate traffic being blocked. Configuring Suricata as an IPS while avoiding unintended consequences requires a deep understanding of, and expertise in, network security.
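The IDS and IPS modes described above share the same rule language; what differs is the rule action (`alert` only records an event, `drop` blocks in inline mode) and the `alert.action` field Suricata writes to its EVE JSON log (`allowed` versus `blocked`). The following script is an added example, not code from the Stamus Networks post or from SELKS: it reads constructed EVE alert records, tallies each signature by action and by distinct source address so an analyst can spot noisy candidates for false positives, and then rewrites a constructed local rule file so that only the reviewed SIDs are promoted from `alert` to `drop`. The SIDs, addresses and rule text are invented for the illustration; the EVE field names and rule syntax are Suricata's documented ones.

```python
"""Triage Suricata EVE alerts before promoting rules from alert to drop.

Added example; not part of the Stamus Networks post or the SELKS project.
Assumes Suricata's standard EVE JSON 'alert' record layout. All log lines,
rules, SIDs and IP addresses below are constructed for illustration.
"""
import json
import re

# Constructed EVE records, one JSON object per line as Suricata writes eve.json.
_EVE_RECORDS = [
    {"timestamp": "2024-01-01T10:00:00.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "src_port": 50001, "dest_ip": "10.0.0.10", "dest_port": 22,
     "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001,
     "rev": 1, "signature": "LOCAL SSH connection to honeypot", "severity": 2}},
    {"timestamp": "2024-01-01T10:00:05.000000+0000", "event_type": "alert",
     "src_ip": "10.0.0.5", "src_port": 50002, "dest_ip": "10.0.0.10", "dest_port": 22,
     "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 1000001,
     "rev": 1, "signature": "LOCAL SSH connection to honeypot", "severity": 2}},
    {"timestamp": "2024-01-01T10:01:00.000000+0000", "event_type": "alert",
     "src_ip": "198.51.100.7", "src_port": 41000, "dest_ip": "10.0.0.20", "dest_port": 80,
     "proto": "TCP", "alert": {"action": "allowed", "gid": 1, "signature_id": 1000002,
     "rev": 2, "signature": "LOCAL suspicious user agent", "severity": 2}},
    {"timestamp": "2024-01-01T10:01:30.000000+0000", "event_type": "alert",
     "src_ip": "198.51.100.8", "src_port": 41001, "dest_ip": "10.0.0.20", "dest_port": 80,
     "proto": "TCP", "alert": {"action": "blocked", "gid": 1, "signature_id": 1000002,
     "rev": 2, "signature": "LOCAL suspicious user agent", "severity": 2}},
    # A non-alert record (flow) that a triage tool must skip.
    {"timestamp": "2024-01-01T10:02:00.000000+0000", "event_type": "flow",
     "src_ip": "10.0.0.5", "dest_ip": "10.0.0.10", "proto": "TCP"},
]
EVE_LINES = [json.dumps(r) for r in _EVE_RECORDS] + ["this line is not JSON"]

# Constructed local rules in Suricata rule syntax (action proto src sport -> dst dport (options)).
CUSTOM_RULES = """\
alert tcp any any -> $HOME_NET 22 (msg:"LOCAL SSH connection to honeypot"; sid:1000001; rev:1;)
alert http any any -> any any (msg:"LOCAL suspicious user agent"; content:"sqlmap"; http_user_agent; sid:1000002; rev:2;)
pass tcp $HOME_NET any -> any 443 (msg:"LOCAL trusted scanner"; sid:1000003; rev:1;)
"""

_ALERT_ACTION = re.compile(r"^alert\b")
_SID_OPTION = re.compile(r"\bsid:\s*(\d+)\s*;")


def parse_eve_alerts(lines):
    """Yield only event_type=alert records; malformed lines are skipped, not fatal."""
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if rec.get("event_type") == "alert":
            yield rec


def summarize_by_signature(lines):
    """Per SID: signature text, allowed/blocked counts and the set of distinct sources.

    'allowed' is what an IDS deployment logs; 'blocked' only appears in IPS mode
    when a drop rule matched. A SID firing from many unrelated sources, or at a
    high rate, deserves review for false positives before it is allowed to drop.
    """
    summary = {}
    for rec in parse_eve_alerts(lines):
        alert = rec["alert"]
        entry = summary.setdefault(alert["signature_id"], {
            "signature": alert["signature"], "allowed": 0, "blocked": 0, "sources": set()})
        key = "blocked" if alert.get("action") == "blocked" else "allowed"
        entry[key] += 1
        entry["sources"].add(rec["src_ip"])
    return summary


def promote_to_drop(rules_text, reviewed_sids):
    """Rewrite 'alert' to 'drop' only for reviewed SIDs; leave all other lines untouched.

    Inline (IPS) mode only blocks on drop/reject actions, so an unreviewed alert
    rule keeps alerting, and a pass rule is never turned into a drop.
    """
    out = []
    for line in rules_text.splitlines():
        m = _SID_OPTION.search(line)
        if m and int(m.group(1)) in reviewed_sids and _ALERT_ACTION.match(line):
            line = _ALERT_ACTION.sub("drop", line, count=1)
        out.append(line)
    return "\n".join(out) + "\n"


def report(lines):
    """Render the per-signature summary as text for review."""
    rows = []
    for sid, e in sorted(summarize_by_signature(lines).items()):
        rows.append(f"sid={sid} allowed={e['allowed']} blocked={e['blocked']} "
                    f"sources={len(e['sources'])} msg={e['signature']}")
    return "\n".join(rows)


if __name__ == "__main__":
    print(report(EVE_LINES))
    print(promote_to_drop(CUSTOM_RULES, {1000001}))
```

Run the script as-is to see the tally and the rewritten rule file; in practice you would point `parse_eve_alerts` at the lines of `eve.json` and pass `promote_to_drop` the SIDs an analyst has signed off on, leaving the rest alerting until their false-positive rate is understood.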
To begin learning more about Suricata, we recommend downloading the open-source book published by Stamus Networks titled “The Security Analyst’s Guide to Suricata”, the first practical guide to threat detection and hunting using Suricata, the world’s most popular open-source network security engine.
Written for security operations center (SOC) analysts and threat hunters who use Suricata to gain insights into what is taking place on their networks, the book provides vital information on entry points and an in-depth analysis of the most important Suricata features.
To be notified of new blog posts and other news, make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.