Stamus Networks is pleased to announce the release and availability of SELKS 10, the newest version of the popular Suricata-based IDS, NSM, and threat-hunting platform. This release marks the 10th anniversary of SELKS, which explains the jump from SELKS 7 to SELKS 10. To learn more about how SELKS has changed over the last 10 years, read our blog “SELKS: 10 Years of Open-Source Network Defense”.
SELKS 10 is the most powerful version of SELKS yet, and we are only getting started. Read on to discover what’s new in this release, and as always, thank you for your continued support of our open-source work.
What is SELKS?
As a reminder, SELKS is a free, open-source, turn-key implementation of a Suricata network intrusion detection/prevention system (IDS/IPS), network security monitoring (NSM), and threat hunting. Released under the GPLv3 license, SELKS is a good fit for small to medium-sized organizations, home network defenders looking for a capable and effective IDS and NSM system, and security practitioners looking to experiment with Suricata.
SELKS 10 is built on eight key components:
- Suricata - Ready to use Suricata
- Elasticsearch - Search engine
- Logstash - Log ingestion
- Kibana - Custom dashboards and event exploration
- Stamus C.E. (formerly Scirius) - Suricata ruleset management and Suricata threat hunting interface
Additionally, SELKS 10 utilizes functionality from Arkime, Evebox, and CyberChef, although those components were included after the “SELKS” acronym was established.
What’s new in SELKS 10?
There are four major updates to the SELKS system for version 10, and each one brings new benefits to users:
- 1. Conditional packet capture
SELKS users can now capture selected packets (PCAP) associated with detection events and then export those packets from the hunting interface. These PCAP files include the full session that triggered the detection in question. All PCAPs are de-duplicated, stored only once on the sensor, and made available for download as evidence or for playback into SELKS or third-party tools such as Wireshark.
The benefit of conditional packet capture is that it gives users access to critical network forensic data to be used for investigation, training, or threat intelligence sharing without dedicating the substantial storage resources needed for full-time packet capture.
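For readers who want to see what conditional capture looks like at the Suricata level, the following suricata.yaml fragment is an added example, not configuration shipped by SELKS or taken from this post; it assumes a stock Suricata 6+ install and shows the storage-heavy default beside the conditional setting. SELKS manages this for you, and the file path and limits below are illustrative.

```yaml
# Added illustration only: stock Suricata pcap-log output, not the SELKS-shipped config.
outputs:
  # Default behaviour: every packet on the wire is written to disk.
  # This is full packet capture and quickly consumes storage.
  - pcap-log:
      enabled: yes
      filename: log.pcap          # illustrative name
      limit: 1000mb               # illustrative rotation size
      max-files: 2000             # illustrative retention
      mode: normal
      conditional: all

  # Conditional capture: only packets belonging to flows that raised an
  # alert (or were tagged by a rule) are written, so the PCAP on disk is
  # the evidence for the detection rather than a recording of all traffic.
  # Valid values for this key are: all, alerts, tag.
  - pcap-log:
      enabled: yes
      filename: alerts.pcap       # illustrative name
      limit: 1000mb
      max-files: 2000
      mode: normal
      conditional: alerts
```

Only one pcap-log output should be enabled in a real deployment; the two blocks are shown together purely to contrast the settings.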
- 2. User interface harmonized with Stamus Security Platform
Perhaps one of the biggest changes to SELKS 10 is an updated user interface in line with the Stamus Security Platform (SSP). The user interface (Stamus Community Edition or “Scirius”) now incorporates several of the latest capabilities of our commercial platform. Stamus CE is the first OSS GUI developed and dedicated specifically for Suricata and its data, and it now includes a more powerful and integrated hunting console, the ability to export evidence and artifacts, and additional pre-defined threat-hunting filters.
This simplified user experience delivers consolidated threat detection, hunting, and evidence viewing and provides users with a streamlined way to zoom in and out of the data for rapid insights from millions of network security events.
New SELKS 10 hunting dashboard view:
Hunting dashboard view on a single event:
Hunting dashboard with filter applied:
- 3. Upgrade to Arkime version 5.0
SELKS 10 adds the latest capabilities of Arkime - bulk search, improved session detail display, unified configs, unified authentication, additional multiviewer support, and offline PCAP retrieval improvements. Arkime augments Suricata's conditional packet capture to store and index network traffic in standard PCAP format.
- 4. Switch to PostgreSQL database
SELKS 10 is now using a PostgreSQL database instead of SQLite to fix some issues, augment capabilities, improve scalability, and prepare for future evolution.
Download SELKS 10
SELKS 10 can be obtained either from the Stamus Networks SELKS homepage or from the SELKS GitHub.
Users have three options:
- SELKS Docker Compose Package - Use the Docker Compose package to install SELKS in any Linux environment and ensure you are including the very latest containers, including Evebox and Suricata.
- Complete Image (ISO) with Desktop - Use the image with Desktop when you want a turnkey installation that includes the Debian 12 (Bookworm) x64 Linux desktop environment. Can be deployed on bare-metal hardware or a VM.
- Complete Image (ISO) without Desktop - Use the image without Desktop when you want a turnkey SELKS installation in a headless environment (based on Debian 12 Bookworm). Can be deployed on bare-metal hardware or a VM.
Upgrade from a previous version of SELKS
To upgrade a Docker Compose installation to the latest version of SELKS, follow the instructions here: https://github.com/StamusNetworks/SELKS/wiki/Docker#upgrade-all-containers.
We hope you enjoy SELKS 10, the most advanced SELKS system to date. As always, we encourage users to join the conversation over on our Discord. To stay updated with new blog posts and other news from Stamus Networks, also make sure to subscribe to the Stamus Networks Blog and the Stamus Spotlight Newsletter, and follow us on Twitter, LinkedIn, and Facebook.