• Sun. May 19th, 2024

CyberWriteUps

CREATE – HACK – DEFEND

SELKS

SELKS consists of an open-source stack built from the following independent tools, which work together to form SELKS:

Suricata – Open-source IDS/IPS/NSM engine. Provides signature-based threat detection using Suricata rulesets and logs its alerts and protocol metadata as JSON events.

Elasticsearch – Open-source search and analytics engine that indexes the data and provides extensive search capabilities.

Logstash – Open-source log shipper. Logstash ingests Suricata's JSON output file (eve.json), filters the data with custom filters and "ships" it to Elasticsearch.

Kibana – Open-source dashboard tool. Kibana provides the capability to search Suricata alerts, create custom dashboards and visualize all the data gathered from Suricata.

Scirius – Open-source Suricata rule management. Scirius was built to provide an easier way to manage Suricata rulesets through a web-based GUI instead of the Linux command line. Scirius provides a dashboard of alert trends over selectable timeframes as well as a visual status of Suricata, Elasticsearch, disk and memory usage. Scirius is also the centralized login for Kibana, Evebox, CyberChef, Arkime and Suricata Threat Hunting, with an app-switcher menu for easy navigation between the portals.

Evebox – Open-source web portal for event management. Evebox provides a line-by-line view of Suricata alerts and events. Suricata can be tuned to log all network traffic, and this traffic can be browsed by timestamp in Evebox. When an alert is detected, Evebox can correlate it with the surrounding network traffic through the Suricata flow ID that all events of the same flow share.

Arkime – Open-source full packet capture and analysis. Arkime scales to large deployments and provides full packet capture, indexing and a database back end. Arkime offers threat hunting tools, endpoint connection diagrams and statistics.

CyberChef – Open-source all-in-one data analysis tool. CyberChef is a web-based tool that provides many operations for the security analyst, such as decoding Base64.

Suricata Threat Hunting – Open-source threat hunting tool built into Scirius. It pulls data from alerts and presents it correlated with hit counts. Data can be filtered by the following:

  • IP address
  • Probe
  • Message
  • Not in Message
  • Port
  • Signature ID
  • ES Filter
  • Protocols

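To make the two analyst-side workflows above concrete, here is an added example (not code from SELKS, Scirius or Evebox) that works directly on Suricata's eve.json: it parses the NDJSON file, performs the flow-ID correlation that Evebox uses to show an alert beside the protocol records of the same connection, and applies the hunting-style filters listed above (IP, probe, message, not in message, port, signature ID, protocol) to produce hit counts per signature. The sample events, probe names and signature IDs are constructed for this example; the "host" field stands in for the probe name, and the ES Filter option is left out because it needs a live Elasticsearch.

```python
"""Parse Suricata EVE JSON, correlate an alert with its flow, and count
signature hits under hunting-style filters.  Added example, not SELKS code."""
import json
from collections import Counter

# Constructed eve.json sample (NDJSON, one event per line).  The final line is
# deliberately truncated, as happens when a reader tails a file Suricata is
# still writing; a robust parser must skip it rather than crash.
SAMPLE_EVE = """
{"timestamp":"2024-05-19T10:15:02.123456+0000","flow_id":1001,"event_type":"alert","host":"selks-probe-1","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL HTTP id command response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-19T10:15:02.120000+0000","flow_id":1001,"event_type":"http","host":"selks-probe-1","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","http":{"hostname":"203.0.113.7","url":"/cgi-bin/id","http_method":"GET","status":200}}
{"timestamp":"2024-05-19T10:15:07.000000+0000","flow_id":1001,"event_type":"flow","host":"selks-probe-1","src_ip":"10.0.0.5","src_port":51234,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","flow":{"pkts_toserver":6,"pkts_toclient":5,"bytes_toserver":512,"bytes_toclient":1340,"state":"closed"}}
{"timestamp":"2024-05-19T10:16:40.500000+0000","flow_id":1002,"event_type":"alert","host":"selks-probe-2","src_ip":"10.0.0.9","src_port":44121,"dest_ip":"198.51.100.3","dest_port":53,"proto":"UDP","app_proto":"dns","alert":{"action":"allowed","gid":1,"signature_id":9000002,"rev":1,"signature":"LOCAL DNS query for suspicious domain","category":"Misc activity","severity":3}}
{"timestamp":"2024-05-19T10:16:40.400000+0000","flow_id":1002,"event_type":"dns","host":"selks-probe-2","src_ip":"10.0.0.9","src_port":44121,"dest_ip":"198.51.100.3","dest_port":53,"proto":"UDP","dns":{"type":"query","rrname":"bad.example","rrtype":"A"}}
{"timestamp":"2024-05-19T10:17:01.000000+0000","flow_id":1003,"event_type":"alert","host":"selks-probe-1","src_ip":"10.0.0.5","src_port":51990,"dest_ip":"203.0.113.7","dest_port":80,"proto":"TCP","app_proto":"http","alert":{"action":"allowed","gid":1,"signature_id":9000001,"rev":1,"signature":"LOCAL HTTP id command response","category":"Potentially Bad Traffic","severity":2}}
{"timestamp":"2024-05-19T10:17:05.000000+0000","flow_id":1003,"event_type":"al
"""


def parse_eve(text):
    """Parse NDJSON into a list of event dicts, skipping blank and malformed
    (e.g. truncated) lines instead of aborting the whole read."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # partial record at EOF or a corrupt line: drop it
    return events


def events_for_flow(events, flow_id):
    """Evebox-style correlation: every event that shares the alert's flow_id,
    oldest first, so the alert is read beside the http/dns/flow records
    Suricata logged for the same connection."""
    return sorted((e for e in events if e.get("flow_id") == flow_id),
                  key=lambda e: e["timestamp"])


def hunt(events, ip=None, probe=None, message=None, not_message=None,
         port=None, sid=None, proto=None):
    """Apply hunting-style filters to alert events and return
    [((signature_id, signature), hits), ...] sorted by hits, highest first.
    ip and port match either side of the conversation; message and
    not_message are case-insensitive substrings of the signature text."""
    counts = Counter()
    for e in events:
        if e.get("event_type") != "alert":
            continue
        a = e["alert"]
        sig = a["signature"].lower()
        if ip is not None and ip not in (e.get("src_ip"), e.get("dest_ip")):
            continue
        if probe is not None and e.get("host") != probe:
            continue
        if message is not None and message.lower() not in sig:
            continue
        if not_message is not None and not_message.lower() in sig:
            continue
        if port is not None and port not in (e.get("src_port"), e.get("dest_port")):
            continue
        if sid is not None and a["signature_id"] != sid:
            continue
        if proto is not None and e.get("proto", "").upper() != proto.upper():
            continue
        counts[(a["signature_id"], a["signature"])] += 1
    return counts.most_common()


if __name__ == "__main__":
    evs = parse_eve(SAMPLE_EVE)
    print(f"{len(evs)} events parsed (truncated tail line skipped)")
    print("hits for 10.0.0.5 over TCP:")
    for (sid, name), n in hunt(evs, ip="10.0.0.5", proto="tcp"):
        print(f"  {n:3d}  sid:{sid}  {name}")
    print("flow 1001, correlated events in time order:")
    for e in events_for_flow(evs, 1001):
        print(f"  {e['timestamp']}  {e['event_type']}")
```

Running the script lists two hits for the constructed HTTP signature from 10.0.0.5 and shows the http, alert and flow records of flow 1001 in time order; the same lookups are what the Scirius hunting filters and the Evebox flow view hand to Elasticsearch on a live SELKS box.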
Note that the SELKS acronym was established before the addition of Evebox, Arkime and CyberChef.

SELKS provides the capability to detect attacks in real time and triage them accordingly. SELKS has also been able to meet the compliance requirements imposed by FERPA and PCI DSS.