SELKS™ is a free, open-source, and turn-key Suricata network intrusion detection/protection system (IDS/IPS), network security monitoring (NSM) and threat hunting implementation created and maintained by Stamus Networks.
Released under GPL 3.0-or-later license, the live distribution is available as either a live and installable Debian-based ISO or via Docker compose on any Linux operating system.
What is SELKS?

As a reminder, SELKS is a free, open-source, and turn-key Suricata network intrusion detection/protection system (IDS/IPS), network security monitoring (NSM), and threat-hunting implementation. Released under the GPLv3 license, SELKS is the perfect solution for small to medium-sized organizations, home network defenders looking for a capable and effective IDS and NSM system, or security practitioners looking to experiment with Suricata.
Additionally, SELKS 10 utilizes functionality from Arkime, Evebox, and CyberChef, although those components were included after the “SELKS” acronym was established.
What’s new in SELKS 10?

There are four major updates to the SELKS system for version 10, and each one brings new benefits to users:
1. Conditional packet capture
SELKS users can now capture selected packets (PCAP) associated with detection events and then export those packets from the hunting interface. These PCAP files include the full session that triggered the detection in question. All PCAPs are de-duplicated, stored only once on the sensor, and made available for download as evidence or for playback into SELKS or third-party tools such as Wireshark.
The benefit of conditional packet capture is that it gives users access to critical network forensic data to be used for investigation, training, or threat intelligence sharing without dedicating the substantial storage resources needed for full-time packet capture.
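To show what the Suricata side of such a setup looks like, here is an added example that is not from the SELKS project or this page: a `pcap-log` output section for `suricata.yaml` that writes packets only for flows that raised an alert. The file name, size limit and rotation count are assumed values.

```yaml
# Added example, not SELKS' own configuration: Suricata pcap-log
# output restricted to flows that produced an alert.
outputs:
  - pcap-log:
      enabled: yes
      filename: log.pcap          # assumed file name; rotated by limit/max-files
      limit: 1000mb               # assumed size per PCAP file
      max-files: 2000             # assumed number of files kept before rotation
      compression: none
      mode: normal
      use-stream-depth: no
      honor-pass-rules: no
      # "all" logs every packet (full-time capture), "alerts" logs only
      # flows with an alert, "tag" logs only flows marked by the tag keyword.
      conditional: alerts
```

With `conditional: alerts`, only flows that matched a rule are written, which keeps disk usage far below full-time capture; `limit` and `max-files` cap how much the sensor can store so a burst of alerts cannot fill its disk.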
2. User interface harmonized with Stamus Security Platform
Perhaps one of the biggest changes in SELKS 10 is an updated user interface in line with the Stamus Security Platform (SSP). The user interface (Stamus Community Edition or “Scirius”) now incorporates several of the latest capabilities of our commercial platform. Stamus CE is the first OSS GUI developed and dedicated specifically for Suricata and its data, and it now includes a more powerful and integrated hunting console, the ability to export evidence and artifacts, and additional pre-defined threat-hunting filters.
This simplified user experience delivers consolidated threat detection, hunting, and evidence viewing and provides users with a streamlined way to zoom in and out of the data for rapid insights from millions of network security events.
3. Upgrade to Arkime version 5.0
SELKS 10 adds the latest capabilities of Arkime: bulk search, improved session detail display, unified configs, unified authentication, additional multiviewer support, and offline PCAP retrieval improvements. Arkime augments Suricata's conditional packet capture to store and index network traffic in standard PCAP format.
4. Switch to PostgreSQL database
SELKS 10 is now using a PostgreSQL database instead of SQLite to fix some issues, augment capabilities, improve scalability, and prepare for future evolution.