Stratosphereips StratosphereLinuxIPS Versions Save

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

v1.0.13

1 week ago
  • Whitelist alerts to all organizations by default to reduce false positives.
  • Improve and compress Slips Docker images.
  • Improve CI and add pre-commit hooks.
  • Fix problem reporting victims in alerts.json.
  • Better docs for the threat intelligence module.
  • Improve whitelists.
  • Better detection threshold to reduce false positives.
  • Better unit tests.
  • Fix problems stopping the daemon.

v1.0.12

1 month ago
  • Add an option to specify the current client IP in slips.conf to help avoid false positives.
  • Better handling of URLhaus threat intelligence.
  • Change how slips determines the local network of the current client IP.
  • Fix issues with the progress bar.
  • Fix problem logging alerts and errors to alerts.log and erros.log.
  • Fix problem reporting evidence to other peers.
  • Fix problem starting the web interface.
  • Fix whitelists.
  • Improve how the evidence for young domain detections is set.
  • Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
  • Set evidence to all young domain IPs when a connection to a young domain is found.
  • Set two evidence in some detections e.g. when the source address connects to a blacklisted IP, evidence is set for both.
  • Use blacklist name instead of IP description in all evidence.
  • Use the latest Redis and NodeJS version in all docker images.

v1.0.11

2 months ago
  • Improve the logging of evidence in alerts.json and alerts.log.
  • Optimize the storing of evidence in the Redis database.
  • Fix problem of missing evidence, now all evidence is logged correctly.
  • Fix problem adding flows to incorrect time windows.
  • Fix problem setting SSH version changing evidence.
  • Fix problem closing Redis ports using -k.
  • Fix problem closing the progress bar.
  • Fix problem releasing the terminal when Slips is done.

v1.0.10

3 months ago
  • Faster ensembling of evidence.
  • Log accumulated threat levels of each evidence in alerts.json.
  • Better handling of the termination of the progress bar.
  • Re-add support for tensorflow to the dockers for macOS M1 and macOS M1 P2P.
  • Fix problem setting 'vertical portscan' evidence detected by Zeek.
  • Fix unable to do RDAP lookups
  • Fix stopping Slips daemon.

v1.0.9

4 months ago
  • Fix using -k to kill opened Redis servers.
  • Better README and docs.
  • Improve URLhaus detections.
  • Improve the detection of vertical and horizontal portscans.
  • Unify disabled module names printed in the CLI.
  • Set the threat level reported to other peers to the max of threat levels seen in any time window.
  • Faster detections of devices changing IPs.
  • Remove the home_network feature from Slips.
  • Faster detection of alerts.
  • Fix the problem of not using 'command and control channel' evidence in the alert of each profile.

v1.0.8

5 months ago
  • Use All-ID hash to fingerprint flows stored in the flows database.
  • Increase the weight of port scan alerts by increasing its threat level.
  • Fix false positive port scan alerts.
  • Add an option in slips.conf to wait for the update manager to update all TI feeds before starting Slips to avoid missing any blacklisted IPs evidence.
  • Fix error detecting password guessing.
  • Fix issues reading all flows when running on a low-spec device.
  • Improve the stopping of slips and termination of processes.
  • Improve the progress bar.
  • Fix reading flows from stdin.
  • Better code, logs, and unit tests.

v1.0.7

7 months ago
  • CPU and memory profilers thanks to @danieltherealyang
  • Check DNS queries and answers for whitelisted IPs and domains.
  • Add AID flow hash to all conn.log flows, which is a combination of community_id and the flow's timestamp.
  • SQLite database improvements and better error handling.
  • Add support for exporting Slips alerts to a SQLite database .

v1.0.6

9 months ago
  • Store flows in SQLite database in the output directory instead of Redis.
  • 55% RAM usage decrease.
  • Support the labeling of flows based on Slips detections.
  • Add support for exporting labeled flows in JSON and tsv formats.
  • Code improvements. Change the structure of all modules.
  • Graceful shutdown of all modules thanks to @danieltherealyang
  • Print the number of evidence generated by Slips when running on PCAPs and interface.
  • Improved the detection of ports that belong to a specific organization.
  • Fix bugs in CYST module.
  • Fix URLhaus evidence description.
  • Fix the freezing progress bar issue.
  • Fix problem starting Slips in docker in Linux.
  • Ignore ICMP scans if the flow has ICMP type 3
  • Improve our whitelist. Slips now checks for whitelisted attackers and victims in the generated evidence.
  • Add embedded documentation in the web interface thanks to @shubhangi013
  • Improved the choosing of random Redis ports using the -m parameter.

v1.0.5

10 months ago
  • Fix missing flows due to modules stopping before the processing is done.
  • Code improvements. Change the structure of all modules.
  • Fix how we detect vertical and horizontal port scans.
  • Update the whitelist by adding all the IPs of whitelisted domains.
  • Fixed error whitelisting Unencrypted HTTP traffic.
  • Remove the feature of creating log directories using -l, now the only logs Slips generates are stored in the output/ directory.
  • Added support for reading flows from any module, not just the input process, using --input-module.
  • CYST module improvements.
  • Detect invalid DNS answers when querying ad servers. thanks to @ganesh-dagadi .
  • Update Slips known ports.
  • Prevent model.bin and scaler.bin from changing in test mode. thanks to @haleelsada.
  • Use either 'ip neigh show' or 'arp -an' to get gateway MAC from the host's ARP table. thanks to @naturalnetworks.

v1.0.4

11 months ago
  • Add more descriptive titles to VT scores in the web UI thanks to @shubhangi.
  • Add stratoletters documentation, thanks to @haleelsada.
  • Add the detection of GRE tunnels.
  • Auto publish our MacOS Docker image when there's a new release, thanks to @pjflux2001
  • Detect malicious JARM hashes when there's a C&C alert and add our own malicious JARM hashes TI file.
  • Fix error getting IP confidence in P2P module.
  • Fix false positive alerts about "connection to private IP" thanks to @Onyx2406.
  • Fix problem killing all modules before the TI module stops.
  • Fix problem detecting vertical and horizontal port scans.
  • Improved CLI progress bar and status updates.
  • Keep a history of the past user-agents by @haleelsada.
  • More descriptive evidence.
  • Refactor code thanks to @danieltherealyang.
  • Update Slips default whitelist.
  • Web UI highlighting, new icons, and bug fixes.