Our team is excited to share the latest news and features of Slips, our behavior-based machine learning intrusion detection system.
Quick links:
Download Slips from our GitHub repository: https://github.com/stratosphereips/StratosphereLinuxIPS
Access Slips documentation through Read the Docs: https://stratospherelinuxips.readthedocs.io/en/develop/
What We Are Particularly Excited About
In this release we are particularly excited about these new Slips features:
Add detection for connections to private IPs from private IPs
Add detection for devices changing IPs.
Add detection for DHCP scans
Add detection for non-HTTP connections on port 80
Add detection for non-SSL connections on port 443
Add detection of connections to/from IPs outside the local network in use.
Add detection of high entropy DNS TXT answers
Add detection of IPs using multiple SSH server versions
Add detection of weird HTTP methods
Add support for SHA256 hashes in files.log generated by Zeek
Add the option to change the pastebin download detection threshold in slips.conf
Add the option to change the Shannon entropy detection threshold in slips.conf
Add the option to start the Slips web interface automatically using -w
Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json
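As an added example (not Slips' own code), this is the Shannon entropy check behind a high-entropy DNS TXT detection, run over constructed sample answers; the threshold is a plain function parameter standing in for the slips.conf option, and the records and names are made up.

```python
import math
from collections import Counter

# Constructed sample DNS answers (not real traffic):
# (query name, record type, answer text). The last TXT answer is an
# opaque base64-looking blob of the kind a detector should surface.
SAMPLE_ANSWERS = [
    ("example.com", "TXT", "v=spf1 include:_spf.example.com ~all"),
    ("_dmarc.example.com", "TXT", "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
    ("data.example.net", "TXT", "aGk3Vk9xLTlwUnlBeGZ0Wm1qUzJrTHVmNGVOZHFXYjg="),
    ("example.org", "A", "93.184.216.34"),
]


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character of `text`; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def flag_high_entropy_txt(answers, threshold: float = 4.8):
    """Return (query, answer, entropy) for every TXT answer whose
    per-character entropy reaches `threshold`. Non-TXT records are skipped.
    The default threshold here is an arbitrary demo value, not Slips' default."""
    hits = []
    for query, rtype, answer in answers:
        if rtype != "TXT":
            continue
        ent = shannon_entropy(answer)
        if ent >= threshold:
            hits.append((query, answer, round(ent, 2)))
    return hits


if __name__ == "__main__":
    # Lowering the threshold to 4.5 also catches the legitimate DMARC
    # record (~4.54 bits), which is why the threshold is worth tuning.
    for thr in (4.5, 4.8):
        print(f"threshold={thr}:")
        for query, answer, ent in flag_high_entropy_txt(SAMPLE_ANSWERS, thr):
            print(f"  {query} entropy={ent} answer={answer!r}")
```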
More new features
We are constantly improving Slips, and a full list of changes in this last version is available in the Slips changelog. These are some of the new fixes that we have been working on:
Fix Duplicate evidence in multiple alerts
Fix FP horizontal portscans caused by Zeek flipping connections
Fix FP URLhaus detections; it is now used to check URLs only, not domains.
Fix having multiple port scan alerts with the same timestamp
Fix md5 urlhaus lookups
Fix multiple SSH client versions detection
Fix race condition when trying to update TI files while running multiple Slips instances
Move all TI feeds to their separate files in the config/ directory for easier use
Optimize code and performance
P2P can now work without adding the p2p4slips binary to PATH
Portscan detector is now called network service discovery
Store zeek files in the output directory by default
Support having IP ranges in your own local TI file own_malicious_iocs.csv
Update Kalipso dependencies to use more secure versions
Wait 30 mins before the first “connection without DNS” evidence
Check Our Slips Demo
Get a quick overview of what Slips is about and all its capabilities in this demo presented at the LCN conference in 2021.
See also the analysis of several malicious PCAPs using Slips: https://stratospherelinuxips.readthedocs.io/en/develop/slips_in_action.html
Get in Touch
Feel free to join our Discord server and ask questions, suggest new features or give us feedback. PRs and issues are welcome in our repo.