Stratosphereips StratosphereLinuxIPS Versions

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

v1.0.3

1 year ago
  • Add HTTP unencrypted traffic detection by @haleelsada
  • Use termcolor by @haleelsada
  • Instead of detecting only DOS executables, Slips now detects all executables (thanks to @Onyx2406)
  • Updated the docs for contributing
  • Fix Leak detector errors when a different version of YARA is used.
  • Fix problem with counting the number of flows to be processed in the progress bar
  • Remove debugging prints printed by the whois python library to stderr

v1.0.2

1 year ago
  • Add a blocking indicator in alerts.json
  • Add a progress bar to slips showing the number of processed flows
  • Add a zeek script to recognize the gateway IP and add it to notice.log
  • Add the option to display all evidence in a profile
  • Add the option to view blocked profiles only in the web interface
  • Add the uids that caused evidence to the evidence description in alerts.json
  • Code optimizations
  • Don't alert "Connection to Private IP" when there's a DNS connection on port 53 UDP to the gateway
  • Faster reading of netflow and suricata files
  • Kill web interface on ctrl+c
  • Support ASNs in our own_malicious_iocs.csv file
  • Update slips default whitelist
  • Use the current user's timezone in alerts.log and alerts.json
  • Fix caching ASN ranges
  • Fix displaying alerts of a profile in the web interface
  • Fix error parsing AIP TI list.
  • Fix having duplicate alerts
  • Fix problem displaying data from the DB in the web interface
  • Fix searching in the web interface
  • Fix vertical and horizontal portscan errors
  • Fix wrong Source/Target type in alerts.json

v1.0.1

1 year ago
  • Fix false positive horizontal portscans caused by Zeek flipping connections
  • Fix duplicate evidence in multiple alerts
  • Fix false positive URLhaus detections; now we use it to check URLs only, not domains.
  • Fix MD5 URLhaus lookups
  • Add support for SHA256 hashes in files.log generated by Zeek
  • Add detection of weird HTTP methods
  • Fix race condition trying to update TI files when running multiple slips instances
  • Fix having multiple port scan alerts with the same timestamp
  • Add detection for non-SSL connections on port 443
  • Add detection for non-HTTP connections on port 80
  • P2P can now work without adding the p2p4slips binary to PATH
  • Add detection for connections to private IPs from private IPs
  • Add detection of high entropy DNS TXT answers
  • Add detection of connections to/from IPs outside the used local network.
  • Add detection for DHCP scans
  • Add detection for devices changing IPs.
  • Support having IP ranges in your own local TI file own_malicious_iocs.csv
  • Remove rstcloud TI file from slips.conf
  • Add the option to change pastebin download detection threshold in slips.conf
  • Add the option to change the Shannon entropy detection threshold in slips.conf
  • Store zeek files in the output directory by default
  • Portscan detector is now called network service discovery
  • Move all TI feeds to their separate files in the config/ directory for easier use
  • Add the option to start slips web interface automatically using -w
  • Fix multiple SSH client versions detection
  • Add detection of IPs using multiple SSH server versions
  • Wait 30 minutes before raising the first "connection without DNS" evidence
  • Optimize code and performance
  • Update Kalipso dependencies to use more secure versions
  • Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json
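The "high entropy DNS TXT answers" detection listed above, together with the configurable Shannon entropy threshold, is a classic check for DNS-based tunnelling and exfiltration: legitimate TXT records (SPF, DKIM, verification tokens) have structured, repetitive text, while an encoded payload looks close to random. The following is an added illustration and is not Slips's own code; the record layout (`query`, `qtype`, `answers`), the default threshold of 5.0 bits per character and the sample records are assumptions constructed for the example.

```python
import math
from collections import Counter

# Assumed default for this example; Slips reads its own value from slips.conf.
DEFAULT_ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character (0.0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((count / n) * math.log2(count / n) for count in Counter(text).values())


def detect_high_entropy_txt(dns_records, threshold=DEFAULT_ENTROPY_THRESHOLD):
    """Return (query, answer, entropy) for every TXT answer at or above the threshold.

    dns_records is an iterable of dicts with keys 'query', 'qtype' and 'answers'
    (a list of strings). Only TXT records are examined: A/AAAA answers are IP
    literals and would produce meaningless entropy values.
    """
    hits = []
    for record in dns_records:
        if record.get("qtype") != "TXT":
            continue
        for answer in record.get("answers", []):
            entropy = shannon_entropy(answer)
            if entropy >= threshold:
                hits.append((record["query"], answer, round(entropy, 3)))
    return hits


# Constructed sample records (not real traffic). The second TXT answer is
# 32 distinct characters, so its entropy is exactly log2(32) = 5.0 bits.
SAMPLE_RECORDS = [
    {"query": "example.com", "qtype": "TXT", "answers": ["v=spf1 -all"]},
    {"query": "txt-blob.example.invalid", "qtype": "TXT",
     "answers": ["0123456789abcdefghijklmnopqrstuv"]},
    {"query": "example.com", "qtype": "A", "answers": ["192.0.2.1"]},
]

if __name__ == "__main__":
    for query, answer, entropy in detect_high_entropy_txt(SAMPLE_RECORDS):
        print(f"high-entropy TXT answer for {query}: entropy={entropy} answer={answer!r}")
```

A per-character entropy threshold alone is a coarse signal; in practice it is combined with answer length and query volume per domain so that short but varied records such as DKIM keys are not flagged on their own.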

v1.0.0

1 year ago
  • Add -g option for running slips on growing zeek dirs. (for example dirs generated by zeek running on an interface)
  • Add a new log file p2p_reports.log, for logging peer reports only
  • Add detection of SSH password guessing by Slips in addition to Zeek
  • Add Dockerfiles for macOS M1
  • Add support for hosts outside of the network in zeek generated software.log
  • Alerts now contain attacks done by the profile only (excluding those done to the profile)
  • Blacklist IP used by blackmatter for exfiltration in config/own_malicious_iocs
  • Change colors and CLI evidence format
  • Create profiles for all IPs by default (source and destination IPs)
  • Create profiles for all IPs reported by peers
  • Detect empty connections to duckduckgo used by blackmatter for checking internet connection
  • Don't detect 'connection without dns' when running on an interface except for when it's done by your own IP
  • Don't force kill all modules when using -P
  • Don't stop slips when p2p is enabled but slips is given a file, not an interface.
  • Fix P2P and ubuntu-image Dockerfiles
  • Fix pastebin downloads detection to include HTTPS too
  • Ignore NXDOMAIN DNS resolutions when checking for 'DNS without resolutions'
  • Keep track of old peer reports about the same IP
  • Make sure the domains that are part of DGA alerts are not whitelisted
  • Set evidence for each P2P report in the attacker's profile
  • Take p2p reports into consideration when deciding to block an IP

v0.9.6

1 year ago
  • Add an option to store the zeek log files inside the output dir
  • Add support for suricata ssh flows
  • Better detection of suspicious user agents
  • Detect DNS answers that have a blacklisted IP or CNAME
  • Detect ICMP scans in netflow files
  • Don't alert ARP scans from the gateway
  • Keep track of profiles' past threat levels
  • Kill all modules after 15 minutes of trying to stop them
  • Kill Slips when a Redis ConnectionError occurs
  • Make Zeek file rotation configurable: how many days to keep the rotated files and how often to rotate
  • Remove support for VT hash lookups to save quota
  • Support looking up hashes and domains in URLhaus
  • Support looking up hashes in Circl.lu
  • Support looking up IPs in Spamhaus
  • Support running Slips on a growing Zeek dir, for example the Zeek dir of an interface.
  • Whitelist the Tranco top 10k domains for fewer false positive alerts
  • Fix false positive connection without DNS
  • Fix importing and exporting to warden servers
  • Fix P2P
  • Fix problem detecting SSH logins by zeek
  • Fix reading zeek tab files
  • Fix saving the redis database
  • Fix vertical portscan detections by zeek
  • Fix zeek rotating files on ctrl+c

v0.9.5

1 year ago
  • Fix the way we update TI files
  • Add a new web interface
  • Detect Incompatible certificate CN
  • Detect downloads from pastebin with size > 0.012 MB
  • Detect DOS executable downloads from http websites
  • Update the mac database automatically
  • Support using multiple home network parameters in slips.conf
  • Add redis.conf for special redis configurations when running slips
  • Improve portscan or ARP scan alerts
  • Improve ARPA scan alerts to alert on unique domains
  • Add new methods to detect data upload
  • Add the option to close all Redis servers when Slips can't start because all ports are unavailable
  • Remove support for whitelisting an unsupported org by slips
  • Better description of alerts exported to Slack
  • Faster Whitelists
  • Whitelist connections made by slips causing false positives
  • Change the unknown ports detections to detect only established connections
  • Change -killall argument behaviour: it now supports closing a specific Redis port or all of them at once
  • Fix exporting module
  • Fix false positive resolution without connection alerts
  • Fix disabling alerts
  • Fix saving and loading the database
  • Fix running several slips instances
  • Fix stopping the daemon with -S
  • Fix how packets are calculated in portscan detections
  • Fix 'multiple reconnections attempts' detection to detect 5 or more rejected reconnection attempts to the same IP on the same destination port
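The "multiple reconnection attempts" entry above states the rule precisely: five or more rejected attempts from one source to the same destination IP on the same destination port. Repeated rejected connections to one port are a typical symptom of a client hammering a closed or filtered service, and the uids of the contributing flows are what an analyst needs to pivot back to the raw logs. The following is an added illustration and not Slips's own implementation; it assumes a tab-separated subset of Zeek's conn.log columns (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, conn_state), treats Zeek's `REJ` state as "rejected", and uses constructed sample lines.

```python
from collections import defaultdict

# Threshold taken from the changelog entry: 5 or more rejected attempts.
REJECTED_RECONNECTION_THRESHOLD = 5

# Column order assumed for this example (a subset of Zeek conn.log fields).
CONN_FIELDS = ("ts", "uid", "saddr", "sport", "daddr", "dport", "proto", "conn_state")


def parse_conn_log(text: str):
    """Parse tab-separated conn.log-style lines into dicts; skips blank and '#' lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        values = line.split("\t")
        if len(values) != len(CONN_FIELDS):
            continue  # malformed line: ignore rather than crash the detector
        flow = dict(zip(CONN_FIELDS, values))
        flow["sport"] = int(flow["sport"])
        flow["dport"] = int(flow["dport"])
        flows.append(flow)
    return flows


def detect_multiple_reconnection_attempts(flows, threshold=REJECTED_RECONNECTION_THRESHOLD):
    """Group rejected (REJ) flows by (saddr, daddr, dport).

    Returns a dict mapping each (saddr, daddr, dport) that reached the threshold
    to the list of flow uids that contributed, in log order.
    """
    rejected = defaultdict(list)
    for flow in flows:
        if flow["conn_state"] == "REJ":
            rejected[(flow["saddr"], flow["daddr"], flow["dport"])].append(flow["uid"])
    return {key: uids for key, uids in rejected.items() if len(uids) >= threshold}


# Constructed sample log (documentation-range addresses, made-up uids).
# 10.0.0.5 -> 192.0.2.10:8080 is rejected five times (Ca1, Ca2, Ca3, Ca6, Ca7);
# the SF flow (Ca5) is a successful connection and must not be counted.
SAMPLE_CONN_LOG = """\
1700000000.1\tCa1\t10.0.0.5\t51001\t192.0.2.10\t8080\ttcp\tREJ
1700000001.2\tCa2\t10.0.0.5\t51002\t192.0.2.10\t8080\ttcp\tREJ
1700000002.3\tCa3\t10.0.0.5\t51003\t192.0.2.10\t8080\ttcp\tREJ
1700000003.4\tCa4\t10.0.0.5\t51004\t192.0.2.10\t22\ttcp\tREJ
1700000004.5\tCa5\t10.0.0.5\t51005\t192.0.2.10\t8080\ttcp\tSF
1700000005.6\tCa6\t10.0.0.5\t51006\t192.0.2.10\t8080\ttcp\tREJ
1700000006.7\tCa7\t10.0.0.5\t51007\t192.0.2.10\t8080\ttcp\tREJ
1700000007.8\tCa8\t10.0.0.5\t51008\t192.0.2.11\t8080\ttcp\tREJ
"""

if __name__ == "__main__":
    flows = parse_conn_log(SAMPLE_CONN_LOG)
    for (saddr, daddr, dport), uids in detect_multiple_reconnection_attempts(flows).items():
        print(f"{saddr} -> {daddr}:{dport}: {len(uids)} rejected reconnection attempts, uids={uids}")
```

Counting per (source, destination, port) rather than per destination alone is what keeps this separate from a port scan: a scan spreads rejections across many ports or hosts, while this rule fires only when the same service is retried repeatedly.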

v0.9.3

1 year ago

Slips v0.9.3

  • Run multiple slips instances on demand using (-m), and use redis port 6379 by default.
  • Fix false positive 'DNS resolution without connection' alerts
  • Faster Slips and reduced memory and CPU consumption
  • Better 'unknown ports' detections
  • Faster reading of local TI files
  • Fix docker not working in macOS
  • Fix problem generating the data upload alerts
  • Improve contributing guidelines
  • Update microsoft whitelisted IP ranges
  • Fix problem stopping input process when slips stops
  • Update the locations of GeoIP database in zeek for better zeek detections
  • Fix P2P output dir, now it's the same as alerts.log and slips.log
  • Update our usage of macvendors.com API
  • Whitelist the connections made by slips, so now you won't be alerted when Slips is using virustotal.com or macvendors.com

v0.9.2

1 year ago

Slips v0.9.2

  • Add a macOS Dockerfile to be able to run Docker on macOS
  • Fix saving the database on macOS and Linux
  • Fix problem updating TI files
  • Fix problem starting and stopping the Daemon
  • Fix false positive ARP MITM attacks
  • Fix problem stopping slips when using whitelists
  • Fix problem opening unused redis ports

v0.9.1

1 year ago

Slips v0.9.1:

  • Drop root privileges in modules that don't need them
  • Added support for running slips in the background as a daemon
  • Fix the issue of growing Zeek logs by deleting old Zeek logs every day (optional, but enabled by default)
  • Added support for running several instances of slips at the same time.
  • Support saving and loading the database on macOS
  • Fix reading flows from stdin, now it supports zeek, argus and suricata
  • Faster Startup of slips, now slips updates the TI files in the background
  • Added slips.log, where all Slips logs go, in both daemon and interactive mode
  • Automatic starting of redis servers (cache and main databases).
  • Added a new TI file https://hole.cert.pl/domains/domains.json
  • Update the docs and add instructions for contributing and creating a new module