SELKS 6 is out!
If you are still teleworking, you may wish to test and deploy this new edition to monitor the traffic in your home office. SELKS comes as a ready-to-use Suricata engine and web interface for management and data exploration.
SELKS is an open source project. As such, we would like to say a big “thank you” to all in our community for your support, your contributions, and your feedback!
Special thanks to github contributors:
SELKS is a turnkey Suricata-based ecosystem with its own graphic rule manager and basic threat hunting capabilities. SELKS is a Debian-based live distribution built from 5 key open source components that comprise its name – Suricata, Elasticsearch, Logstash, Kibana and Stamus Scirius Community Edition (Suricata Management and Suricata Hunting). In addition, it includes components from Moloch and Evebox, which were added after the acronym was established.
SELKS gives you a Suricata intrusion detection and prevention (IDS/IPS) system within a network security monitoring (NSM) platform, Kibana to analyze alerts and events, EveBox to correlate flows, archive/comment on events, reporting and pcap download. Your user interface is the Scirius Community Edition which allows you to configure and manage the Suricata ruleset and perform basic threat hunting.
SELKS is released under GPLv3 license.
Figure 1. SELKS deployment example
SELKS is a showcase for the OISF Suricata project. Any and all data displayed on the tools and dashboard visualizations are generated entirely by the Suricata engine. SELKS users will find that the system can provide valuable insights from security events enriched by valuable metadata context contained in Suricata alerts and protocol event logging generated by Suricata. Indeed, the Suricata engine is an excellent foundation for a Network Detection and Response (NDR) solution, and SELKS provides an open source demonstration of that.
This latest edition of SELKS contains a number of new capabilities, including:
What follows is a short screenshot view of several new additions to threat hunting and Kibana dashboards functionality for events such as: alerts, TLS/JA3/JA3S logs, HTTP logs, anomalies detection and correlation.
The improved graphical “Suricata Hunting” user interface includes drill down and filter features that allow the user to quickly and easily navigate the Suricata alert data and protocol events.
As with earlier versions of SELKS, the “Suricata Management” interface includes ruleset management and administration or the Suricata sensor. With a single click, the user has access to all of the free and open rulesets available for Suricata.
While Suricata alerts contain basic information such as alert payload, the real magic in these event records is the network metadata that is captured at the time of the event and used to enrich the basic security event. For example, an alert on HTTP protocol will also feature crucial meta-information such as:
Figure 2. SELKS "Suricata Hunting" examples
Figure 3. SELKS "Suricata Hunting" examples
But Suricata not only generates alerts. It also - by default - provides a detailed log of every protocol transaction. And by pivoting on the flow id, the analyst is able to gather more context about an alert event - and ultimately gain more insight into what’s really going on.
Figure 4. SELKS "Suricata Hunting" examples
In fact, this protocol logging and network security monitoring capability can provide the user with enough additional information that you can eliminate the need for a solution like Zeek for most protocols (in cases where no Zeek scripting is required).
The SELKS interface also comes with a number of ready-to-use Hunting filter sets (pre-defined by Stamus Networks) that you may apply to alert metadata that allow rapid focus on potentially meaningful events:
Figure 5. Pre-defined filter set examples
Of course, you can also create your own filter sets and share with the community :)
SELKS 6 includes twenty-six (26) new or upgraded Kibana dashboards and hundreds of visualizations that correlate alert events to network security monitoring (NSM) data and vice versa. These are listed below:
SELKS 6 is built on the most-recent available version Suricata, and it benefits from one of its newest features -- application layer anomalies. This capability allows SELKS to detect and expose application layer anomalies without using an IDS signature:
Figures 6 and 7. Suricata anomaly event type
Below you can see the new SELKS alert dashboard:
Figure 8. SELKS alert dashboard.
Because Suricata includes extensive network security monitoring (NSM) capability, it can log and document TLS (and many other) events on the network.
Figures 9 and 10. TLS protocol display.
Suricata can by default analyze and produce JA3/JA3S records on encrypted traffic which makes it possible to effectively hunt even within encrypted traffic.
Figure 11. JA3/JA3S record display.
Here is an example of how SELKS displays HTTP protocol info, broken down by events, user agents etc.
Figures 12. HTTP protocol information display.
In addition to all the functionality upgrades listed above, SELKS 6 contains updated versions of each component. These include ELK stack (7.7.0), Suricata (6.0.0-dev), Debian (Buster), EveBox (1:0.11.1), Moloch (2.2.3), and Scirius Community Edition (3.5.0).
If you are interested to learn more about threat hunting with encrypted traffic using Suricata/SELKS, we recommend you check out this recent (May 2020) OISF webinar, entitled “Suricata Threat hunting with encrypted traffic”: https://www.youtube.com/watch?v=3GcIfJI0ygg
Visit this SELKS webpage to download SELKS 6, pick one of the two flavors:
Sha256sum: 1d901e039d79748aa2781ff9d19f2265cb47aef504f099dbdac8d8f40ebc44cb
Sha256sum: 23c160ea5d16586fb07d23b32d01b645f7d5d77083245b68a9138e0f088491d8
You can find the first time setup instructions on our SELKS 6.0 wiki page.
SELKS 5 users can upgrade their running systems using the following Upgrade instructions.
As always, we would greatly appreciate any feedback you might have. :)
Give us feedback and get help on:
While this test upgrade/installation has been verified and tested, please be sure you try it in your test/QA set up before deploying in a production environment.
Thank you!