CybersLion

SELKS (Suricata ELK Security): Advanced Usage Guide with Practical Exercises

 

SELKS (Suricata ELK Security): Advanced Usage Guide with Practical Exercises

 Description:
Master SELKS with this advanced usage guide. Learn Suricata IDS/IPS, ELK Stack integration, real-time network monitoring, threat detection, and practical hands-on exercises for cybersecurity professionals.


What is SELKS?

SELKS (Suricata ELK Security) is a Debian-based Linux distribution designed for network security monitoring (NSM) and Security Operations Center (SOC) environments.

It integrates:

  • Suricata: High-performance IDS/IPS for threat detection

  • Elasticsearch: Log storage, indexing, and searching

  • Logstash: Log parsing and filtering

  • Kibana: Visualization dashboards and analytics

  • Filebeat: Log collection and forwarding

SELKS is used for real-time intrusion detection, network threat analysis, SOC monitoring, and incident response.


Key Use Cases

  • Network Intrusion Detection System (IDS)

  • Intrusion Prevention System (IPS)

  • Security Information and Event Management (SIEM)

  • SOC Monitoring and Incident Response

  • Malware traffic detection and analysis

  • Compliance and log auditing


Installing and Setting Up SELKS (Advanced)

1. Download and Install SELKS ISO

2. System Update

sudo apt update && sudo apt upgrade -y

3. Network Interface Setup

  • Interface for management

  • Interface for monitoring in promiscuous mode

ip link set eth1 promisc on

Practical Exercise:
Install SELKS in a virtual environment with two network interfaces (one for management, one for monitoring).


Suricata IDS/IPS – Advanced Usage

Check Suricata Status

sudo systemctl status suricata

Suricata Configuration File

/etc/suricata/suricata.yaml

Run Suricata in IDS Mode

sudo suricata -c /etc/suricata/suricata.yaml -i eth1

IPS Mode with NFQUEUE

sudo suricata -q 0

Suricata Rules – Advanced Analysis

Rules Directory

/etc/suricata/rules/

Example Custom Rule

alert icmp any any -> any any (msg:"ICMP Detected"; sid:1000001; rev:1;)

Update Rules

sudo suricata-update

Practical Exercise:
Generate ping traffic or scan attacks and verify alerts in Kibana dashboards.


ELK Stack (Elasticsearch, Logstash, Kibana)

Elasticsearch

  • Stores all Suricata alerts and network logs

curl http://localhost:9200

Logstash

  • Parses and filters network and IDS logs

/etc/logstash/conf.d/

Kibana Dashboards

  • URL: http://localhost:5601

  • Prebuilt Suricata dashboards: Alerts, Flows, DNS, HTTP, TLS

  • Create custom visualizations for threat analysis

Practical Exercise:
Visualize HTTP, DNS, and TLS traffic trends in Kibana.


Network Traffic Analysis (Advanced)

Capture Traffic with PCAP

tcpdump -i eth1 -w attack.pcap

Analyze PCAP with Suricata

suricata -r attack.pcap -c /etc/suricata/suricata.yaml

Eve.json Logs

/var/log/suricata/eve.json

SOC and Incident Response with SELKS

SELKS enables SOC analysts to:

  • Build attack timelines

  • Track source and destination IPs

  • Map threats to MITRE ATT&CK

  • Identify indicators of compromise (IOCs)

  • Correlate alerts for faster incident response

Real-World Scenario Practice:

  • Brute force attack detection

  • Malware C2 communication

  • Port scanning and reconnaissance alerts


Advanced Threat Hunting in SELKS

  • Detect beaconing traffic

  • Analyze lateral movement in the network

  • Identify suspicious DNS tunneling

  • Inspect encrypted TLS traffic

Kibana Query Example (KQL):

event_type:alert AND alert.signature:*scan*

SELKS vs Other SIEM Platforms

FeatureSELKSSplunkSecurity Onion
Open Source
IDS Integrated
SOC Ready
CostFreeExpensiveFree

Conclusion

SELKS is a powerful, open-source, professional-grade Network Security Monitoring (NSM) platform.

  • Ideal for SOC analysts, blue teams, and cybersecurity professionals

  • Advanced Suricata rules and ELK integration for real-time monitoring

  • Hands-on labs develop practical threat hunting and incident response skills

Using SELKS in isolated labs ensures ethical, safe, and highly effective cybersecurity monitoring and prepares professionals for real-world SOC operations.