Release of SELKS 7.0 distribution aimed at creating intrusion detection systems

Stamus Networks published Release of a specialized distribution SELKS 7.0 , designed to deploy the systems for detecting and preventing network invasions, as well as response to the identified threats and network security monitoring. The users are provided with a fully ready-made network security management solution that can be used immediately after loading. Distribution supports work in Live mode and launch in virtualization environments or containers. Project operations distributed under the GPLv3 license. The size of boot image 3 GB.

The system is built on the Debian batch database and the Suricata Open IDS platform. The data is processed using logstash and saved in the ElasticSearch storage. To track the current state and detected incidents, a web-interface implemented on top of Kibana has been proposed. To manage the rules and visualization associated with them, the Web interface Scirius CE is applied. The composition also includes the ARKIME package capture system, an interface for evaluating the events that occurred evebox and the data analyzer CyberChef .

In addition to updating a batch base in the new version, the following improvements are allocated:

  • Forming a package for deploying in container insulation systems that support Docker.
  • Fully automated system of replaying activity on the saved logs in PCAP format, which can be used to test the performance of implemented protection measures, for analyzing incidents or in the learning process.
  • Explore and improved a set of filters to identify cyber threat hunting, allowing you to quickly identify malicious activity and violation of the access rules through the search for Suricata and NSM logs (Network Security Monitor).
  • Integrated package cyberchef , allowing you to encode, decode and analyze data related to events, work of protocols and created by Suricata records.
  • in the Kibana interface added 6 new sections to visualize and monitor activity associated with SNMP, RDP, SIP, HTTP2, RFB, Geneve, MQTT and DCERPC.





/Media reports.