• Sun. Dec 22nd, 2024

CyberWriteUps

CREATE – HACK – DEFEND

SELKS

SELKS does not take much to get going. StamusNetworks suggest that 2 cores and 9GB of memory is all that is needed to get started.

What I have deployed

I am using a old dell optiplex 9020. If you haven’t checked out my lab intro blog, please look it over and I explain more on what to expect when finding one of these systems.

I did beef my 9020 up a bit with 32 gb of ram(max RAM motherboard will take), intel i7 and 2tb of HDD for log space. I run the OS on a 500gb SD. I also added two NICs, which will be needed or you can get by with just using motherboard Ethernet and a usb Ethernet adapter.

A bit overkill I know, but none the less this system will run SELKS just fine.

SELKS consist of an open-source stack. This stack includes the following independent tools that work together forming SELKS:

Suricata – Open-Source IDS/IPS/NMS – Provides threat detection based on signatures using Suricata rulesets.

Elasticsearch – Open-source tools that allows for indexing of data and extensive searching capabilities.

Logstash – Open-source log shipper. Logstash ingests the suricate json eve.json file , filters the data based on custom filters and “ships” this data to Elasticsearch

Kibana – Open-Source dashboard management tool. Kibana provides the capability of searching Suricata alerts, creating custom dashboards and visualizing all the data gathered from Suricata.

Scirius – Open-source Suricata rule management. Scirius was built to provide an easier way to manage Suricata rulesets using a web-based GUI instead of the linux based command line.  Scirius provides a dashboard of alert trends based on specific timeframes as well as visual status of Suricata, Elasticsearch, disk and memory statistics.  Scirius is also centralized login for Kibana, Evebox, Cyberchef, Arkime and Suricata threat hunting. with a switcher app menu for easy navigation between portals.

Evebox – Open-source web portal for event management. Evebox provides a line-by-line view of Suricata alerts and events. Suricata can be tuned to report all network traffic, this traffic can be seen based on timestamp in Evebox. Evebox allows is network traffic correlation when alerts are detected flow IDs.

Arkime – Open-source full packet analysis. Arkime can be used in large scale and provide full packet capturing, indexing and database system. Arkime provides many features threat hunting tools, endpoint connection diagrams and stats.

CyberChef – Open-source all in one cybersecurity tool. CyberChef is a web-based tool that can provide various tools for security analyst include decoding base64.

Suricata Threat Hunting – Open-source threat hunting tool built within Scirius. This tool allows pulls data form alerts and provide a correlation of the data along with hit counts. Data can be filtered by the following:

  • IP address
  • Probe
  • Message
  • Not in Message
  • Port
  • Signature ID
  • ES Filter
  • Protocols

Note that the SELKS acronym was established before the addition of Evebox, Arkime and CyberChef.

SELKS provides the capability to detect cybersecurity attacks in real time and triage the attacks accordingly. SELKS has also been able to meet the compliance requirements imposed by FERPA and PCI DSS regulations.