SELKS: 10 Years of Open-Source Network Defense

This month, we celebrate the 10th anniversary of SELKS, Stamus Networks’ open-source Suricata-based network intrusion detection/prevention system (IDS/IPS), network security monitoring (NSM), and threat hunting implementation. In the last decade, SELKS has come a long way. From its humble beginnings as a relatively simple network security tool to the upcoming release of SELKS 10, SELKS has remained a very popular solution for open-source enthusiasts, home network hobbyists, students, and small businesses looking for a free but effective network security solution. As we celebrate 10 years of SELKS, let’s take a look at where we’ve come from and where SELKS is heading.

What is SELKS?

For those uninitiated in the way of SELKS, let’s first review what SELKS is.

SELKS was named after its essential five parts:

Suricata
Elasticsearch
Logstash
Kibana
Stamus Community Edition (formerly known as Scirius)

Additionally, SELKS now includes Arkime, EveBox, and CyberChef which were added after the name was created (more on that later).

These components come together to create a highly capable turn-key intrusion detection/prevention system (IDS/IPS), network security monitoring system (NSM), and threat-hunting implementation.

The early days of SELKS

SELKS was originally developed out of the desire to create a more complete Suricata package. By taking the native IDS and NSM capabilities of Suricata and combining it with the popular ELK stack for analytics, data ingestion, and visualization and the Scirius (now Stamus C.E.) web interface for Suricata rule management and threat hunting, SELKS became an enterprise-grade network security solution rooted in open-source fundamentals. The very first stable release, SELKS 1.0, became available in October of 2014. This release came with improvements to the beta version, including:

New Stamus Networks package repositories developed especially for SELKS
9 ready-to-use IDS/IPS dashboards
Over 150 fields to search, select, filter, and easily analyze
Fully enabled logging
Suricata version 2.1beta1
Scirius version 0.8

If you began using SELKS later on, then you might not be aware of just how different SELKS 1.0 looked from the more recent releases.

For example, here is an image from Scirius v0.8 in SELKS v1.0 compared to two recent images from the new SELKS 10 user interface. The new Stamus Community Edition Open Source GUI is specifically developed to make use of all the data produced by Suricata and is an all in one interface view for alerts, protocols, file transaction, anomaly and flow logs, full session PCAP and signature information. As you can see in the images below, this is a major improvement from the early days of SELKS and Scirius

Scirius v0.8:

SELKS 10:

While the SELKS 1.0 release certainly achieved the goal of providing enterprise-level IDS/NSM functionality without an enterprise-level price tag, there was still a lot of work to be done to make it the widely used open-source tool that it is today. Let’s take a look at a timeline of major SELKS changes over the years:

SELKS through the years

April 2014 - SELKS Beta is released.

October 2014 - SELKS 1.0 released to the public.

April 2015 - SELKS 2.0 Beta 1 releases, updated for Debian Jessie for better hardware compatibility, new kernel (3.16), and performance improvements.

April 2015 - Scirius 1.0 releases, the first stable release of a web interface for Suricata ruleset management. This is the first ever example of a dedicated web-based ruleset manager for Suricata.

May 2015 - The stable version of SELKS 2.0 is released, including updates to Debian Jessie, Elasticsearch 1.5, and the new Scirius 1.0.

April 2016 - SELKS 3.0RC1 becomes available, bringing updates to all components of SELKS. It also now includes Evebox for alert management, viewing, and reports as well as the capability to create and export pcap generated from events.

March 2017 - Scirius 1.2.0 gives users the ability to transform rules for IPS management and user activity logs for easier collaboration.

July 2017 - SELKS 4.0 releases with updates to all components and a transition from Debian Jessie to Debian Stretch.

March 2018 - Scirius 2.0 brings a new user interface and features like lateral movement and target transformations, making SELKS even more capable for enterprise-grade applications. Scirius 2.0 also includes an initial REST API to enable outside integrations.

December 2018 - SELKS 5.0 brings a brand new threat hunting interface and includes CyberChef by way of Moloch and Moloch viewer. Perhaps the most exciting update to SELKS 5 results from the inclusion of Suricata 4.1, which enables full packet capture on SELKS and RUST for new protocols and file extraction options.

June 2020 - SELKS 6.0 releases in the midst of COVID-19 with an improved graphical Suricata hunting interface and 26 new/upgraded Kibana dashboards with hundreds of visualizations that correlate alert events to network security monitoring (NSM) data and vice versa.

August 2021 - A new docker-based SELKS architecture update enables SELKS to be installed on virtually any linux system, without requiring a heavy installation process. This made the SELKS OS into a much more portable and platform-agnostic solution.

May 2022 - SELKS 7.0 releases, the biggest architectural overhaul to the SELKS platform to date. In addition to running on Docker, SELKS 7 included updated network threat hunting tools, new dashboards and reporting capabilities, new integrations, new features for ruleset and threat intel management, and system monitoring capabilities. SELKS 7.0 also had the most updated, modern user interface. This release also marked the name change from Scirius to Stamus Community Edition (C.E.), although that change is not reflected in GitHub.

In celebration of 10 years of SELKS, the creators have reflected back on the early days and look ahead to see where SELKS is heading next:

SELKS 10: The Next Big Leap for SELKS

Now, as we celebrate the 10-year anniversary of SELKS, we are excited to soon introduce the next big update – SELKS 10 – to the world. This new release will bring conditional packet capture, an updated UI in line with our commercial product the Stamus Security Platform, a new version of Arkime, and several bug fixes.

SELKS 10 will be the most powerful version of SELKS yet, and we are just getting started. We will be sharing more information on SELKS 10 very soon, so make sure to subscribe to the Stamus Networks blog and keep an eye out for updates regarding the upcoming release.

In addition to our activity on the SELKS GitHub, Stamus Networks also maintains a SELKS Discord server. To ask SELKS related questions, get help, or join the wider SELKS community, join the discord here.

Stamus Network’s is a proud open-source contributor, and our open-source software and threat research team spend a significant amount of time developing numerous other projects every year. To learn more about our other open-source contributions, visit Stamus Labs or click on one of the links below:

To stay updated with new blog posts from Stamus Networks, also make sure to subscribe to the Stamus Networks blog, follow us on Twitter, LinkedIn, and Facebook, or join our Discord.