Published on February 6th, 2016 | 475 views
SELKS — IDS IPS Suricata Distro
SELKS is a free and open source Debian (with LXDE X-window manager) based IDS/IPS platform released under GPLv3 from Stamus Networks.
SELKS is both Live and installable Network Security Management ISO based on Debian implementing and focusing on a complete and ready to use Suricata IDS/IPS ecosystem with its own graphic rule manager. From start to analysis of IDS/IPS and NSM events in 30 sec. The name comes from its major components: Suricata Elasticsearch Logstash Kibana Scirius. After starting or installing SELKS, you get a running Suricata with IDPS within a NSM platform, Kibana to analyse alerts and events and Scirius to configure the Suricata ruleset. SELKS is released under GPLv3 license
SELKS is comprised of the following major components:
- S – Suricata IDPS – http://suricata-ids.org/
- E – Elasticsearch – http://www.elasticsearch.org/overview/
- L – Logstash – http://www.elasticsearch.org/overview/
- K – Kibana – http://www.elasticsearch.org/overview/
- S – Scirius – https://github.com/StamusNetworks/scirius
The minimal configuration for SELKS without desktop is one single core and 2 Gb of memory. A virtual machine with 2 Gb of RAM should provide a basic test system. If you want to run the desktop version of SELKS, we highly recommend to use at least two cores. The minimal configuration for production usage is 2 cores and 4 Gb of memory. As Suricata and Elastisearch are multithreaded, the more cores you have the better it is. Regarding memory, the more traffic to monitor you have, the more getting some extra memory will be interesting.
Usage and logon credentials
Default OS user:
selks-user(password in Live mode is
The default root password is
You need to authenticate to access to the web interface (see the
HTTPS access section below ). The default user/password is
selks-user/selks-user (including through the Dashboards or Scirius desktop icons). You can change credentials and user settings by using the top left menu in Scirius.
SELKS has more than 12 default IDS dashboards (found under Iceweasel, Bookmarks and Load button in Kibana) – ALL, ALERTS, DNS, FILE-Transactions, FLOW, HTTP, HTTP-Extended-Custom, PRIVACY, SMTP, SSH, TLS, VLAN.
A link to the Kibana dashboards can also be found by clicking on the Stamus Icon on top left of Scirius, the rule management interface.
Elasticsearch, Logstash and Suricata are build in and can be used as standard services, ex
service suricata restart service logstash stop
Suricata ruleset is updated and Suricata is restarted every days at 3:15AM.
Scirius and Kibana are bookmarked in Iceweasel and could be used directly with just a click once logged in the SELKS desktop.
If you wish to remotely (from a different PC on your network) access the dashboards you could do that as follows (in your browser):
- https://your.selks.IP.here/rules/ – Scirius ruleset management
- https://your.selks.IP.here/log/ – Kibana and click the folder icon for a list of dashboards
You need to authenticate to access to the web interface. The default user/password is the same as for local access:
selks-user/selks-user. Don’t forget to change credentials at first login. You can do that by going to
Account settings in the top left dropdown menu of Scirius.
SELKS uses LXDE as a desktop windows manager. If you wish to uninstall the Desktop Manager (GUI) and run the server/machine just with command shell you can remove the desktop installation as follows after the installation:
apt-get remove lxde lxde-common lxde-core lxde-icon-theme lightdm \ hunspell-en-us hyphen-en-us iceweasel lxlauncher lxtask
This will not affect the services and/or scripts. SELKS would still continue to operate and function as desired. If you wish you can also directly download and use the SELKS no desktop edition from the download page.
Source && Download