Stratosphereips StratosphereLinuxIPS Versions Save

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

v1.0.14

1 week ago

Improve whitelists by better matching of ASNs, domains, and organizations.
Whitelist Microsoft, Apple, Twitter, Facebook, and Google alerts by default to reduce false positives.
Better unit tests. Thanks to @Sekhar-Kumar-Dash
Speed up port scan detections.
Fix the issue of overwriting Redis configuration file every run.
Add more info to metadata/info.txt for each run.

v1.0.13

1 month ago

Whitelist alerts to all organizations by default to reduce false positives.
Improve and compress Slips Docker images.
Improve CI and add pre-commit hooks.
Fix problem reporting victims in alerts.json.
Better docs for the threat intelligence module.
Improve whitelists.
Better detection threshold to reduce false positives.
Better unit tests.
Fix problems stopping the daemon.

v1.0.12

2 months ago

Add an option to specify the current client IP in slips.conf to help avoid false positives.
Better handling of URLhaus threat intelligence.
Change how slips determines the local network of the current client IP.
Fix issues with the progress bar.
Fix problem logging alerts and errors to alerts.log and erros.log.
Fix problem reporting evidence to other peers.
Fix problem starting the web interface.
Fix whitelists.
Improve how the evidence for young domain detections is set.
Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
Set evidence to all young domain IPs when a connection to a young domain is found.
Set two evidence in some detections e.g. when the source address connects to a blacklisted IP, evidence is set for both.
Use blacklist name instead of IP description in all evidence.
Use the latest Redis and NodeJS version in all docker images.

v1.0.11

3 months ago

Improve the logging of evidence in alerts.json and alerts.log.
Optimize the storing of evidence in the Redis database.
Fix problem of missing evidence, now all evidence is logged correctly.
Fix problem adding flows to incorrect time windows.
Fix problem setting SSH version changing evidence.
Fix problem closing Redis ports using -k.
Fix problem closing the progress bar.
Fix problem releasing the terminal when Slips is done.

v1.0.10

4 months ago

Faster ensembling of evidence.
Log accumulated threat levels of each evidence in alerts.json.
Better handling of the termination of the progress bar.
Re-add support for tensorflow to the dockers for macOS M1 and macOS M1 P2P.
Fix problem setting 'vertical portscan' evidence detected by Zeek.
Fix unable to do RDAP lookups
Fix stopping Slips daemon.

v1.0.9

5 months ago

Fix using -k to kill opened Redis servers.
Better README and docs.
Improve URLhaus detections.
Improve the detection of vertical and horizontal portscans.
Unify disabled module names printed in the CLI.
Set the threat level reported to other peers to the max of threat levels seen in any time window.
Faster detections of devices changing IPs.
Remove the home_network feature from Slips.
Faster detection of alerts.
Fix the problem of not using 'command and control channel' evidence in the alert of each profile.

v1.0.8

6 months ago

Use All-ID hash to fingerprint flows stored in the flows database.
Increase the weight of port scan alerts by increasing its threat level.
Fix false positive port scan alerts.
Add an option in slips.conf to wait for the update manager to update all TI feeds before starting Slips to avoid missing any blacklisted IPs evidence.
Fix error detecting password guessing.
Fix issues reading all flows when running on a low-spec device.
Improve the stopping of slips and termination of processes.
Improve the progress bar.
Fix reading flows from stdin.
Better code, logs, and unit tests.

v1.0.7

8 months ago

CPU and memory profilers thanks to @danieltherealyang
Check DNS queries and answers for whitelisted IPs and domains.
Add AID flow hash to all conn.log flows, which is a combination of community_id and the flow's timestamp.
SQLite database improvements and better error handling.
Add support for exporting Slips alerts to a SQLite database .

v1.0.6

10 months ago

Store flows in SQLite database in the output directory instead of Redis.
55% RAM usage decrease.
Support the labeling of flows based on Slips detections.
Add support for exporting labeled flows in JSON and tsv formats.
Code improvements. Change the structure of all modules.
Graceful shutdown of all modules thanks to @danieltherealyang
Print the number of evidence generated by Slips when running on PCAPs and interface.
Improved the detection of ports that belong to a specific organization.
Fix bugs in CYST module.
Fix URLhaus evidence description.
Fix the freezing progress bar issue.
Fix problem starting Slips in docker in Linux.
Ignore ICMP scans if the flow has ICMP type 3
Improve our whitelist. Slips now checks for whitelisted attackers and victims in the generated evidence.
Add embedded documentation in the web interface thanks to @shubhangi013
Improved the choosing of random Redis ports using the -m parameter.

v1.0.5

11 months ago

Fix missing flows due to modules stopping before the processing is done.
Code improvements. Change the structure of all modules.
Fix how we detect vertical and horizontal port scans.
Update the whitelist by adding all the IPs of whitelisted domains.
Fixed error whitelisting Unencrypted HTTP traffic.
Remove the feature of creating log directories using -l, now the only logs Slips generates are stored in the output/ directory.
Added support for reading flows from any module, not just the input process, using --input-module.
CYST module improvements.
Detect invalid DNS answers when querying ad servers. thanks to @ganesh-dagadi .
Update Slips known ports.
Prevent model.bin and scaler.bin from changing in test mode. thanks to @haleelsada.
Use either 'ip neigh show' or 'arp -an' to get gateway MAC from the host's ARP table. thanks to @naturalnetworks.