New Slips version 1.0.1 is here!

Our team is excited to share the latest news and features of Slips, our behavioral, machine-learning-based intrusion detection system.

What We Are Particularly Excited About

In this release we are particularly excited about these new Slips features:

  • Add detection for connections from private IPs to other private IPs

  • Add detection for devices changing IPs

  • Add detection for DHCP scans

  • Add detection for non-HTTP connections on port 80

  • Add detection for non-SSL connections on port 443

  • Add detection of connections to/from IPs outside the local network in use

  • Add detection of high-entropy DNS TXT answers

  • Add detection of IPs using multiple SSH server versions

  • Add detection of weird HTTP methods

  • Add support for SHA256 hashes in the files.log generated by Zeek

  • Add the option to change the Pastebin download detection threshold in slips.conf

  • Add the option to change the Shannon entropy detection threshold in slips.conf

  • Add the option to start the Slips web interface automatically using -w

  • Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json
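To make the high-entropy DNS TXT detection and its configurable Shannon entropy threshold concrete, here is an added, self-contained illustration of the idea. It is not Slips' own code: it assumes Zeek's dns.log written as JSON lines (LogAscii::use_json=T), uses a constructed three-record sample instead of captured traffic, and uses an assumed threshold of 5.0 bits per character standing in for whatever value is configured in slips.conf.

```python
"""Flag DNS TXT answers whose Shannon entropy exceeds a threshold.

Added illustration of the idea behind the "high entropy DNS TXT answers"
detection; this is not Slips' own code. Input is assumed to be Zeek dns.log
written as JSON lines (LogAscii::use_json=T). The threshold of 5.0 bits per
character is an assumed illustrative value, standing in for the value Slips
reads from slips.conf.
"""
import json
import math
from collections import Counter
from typing import Dict, Iterable, List

ENTROPY_THRESHOLD = 5.0  # bits per character; assumed value for illustration

# Constructed sample log, not captured traffic. The second TXT answer contains
# every base64 symbol exactly once, so its entropy is exactly log2(64) = 6 bits.
BASE64_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
)
SAMPLE_DNS_LOG = "\n".join(
    json.dumps(rec)
    for rec in [
        {"ts": 1700000000.1, "uid": "CtxtA1", "id.orig_h": "192.168.1.10",
         "id.resp_h": "192.168.1.1", "query": "example.com", "qtype_name": "TXT",
         "answers": ["TXT 36 v=spf1 include:_spf.example.com ~all"]},
        {"ts": 1700000001.2, "uid": "CtxtB2", "id.orig_h": "192.168.1.10",
         "id.resp_h": "192.168.1.1", "query": "c2.example.net", "qtype_name": "TXT",
         "answers": ["TXT 64 " + BASE64_ALPHABET]},
        {"ts": 1700000002.3, "uid": "CtxtC3", "id.orig_h": "192.168.1.10",
         "id.resp_h": "192.168.1.1", "query": "example.com", "qtype_name": "A",
         "answers": ["198.51.100.7"]},
    ]
)


def shannon_entropy(text: str) -> float:
    """Per-character Shannon entropy in bits.

    Bounded above by log2(len(text)), so a TXT answer shorter than 32
    characters can never reach 5 bits and cannot fire at that threshold.
    """
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def strip_zeek_txt_prefix(answer: str) -> str:
    """Zeek renders TXT data in dns.log as 'TXT <length> <data>'; return <data>."""
    parts = answer.split(" ", 2)
    if len(parts) == 3 and parts[0] == "TXT" and parts[1].isdigit():
        return parts[2]
    return answer


def high_entropy_txt_answers(
    lines: Iterable[str], threshold: float = ENTROPY_THRESHOLD
) -> List[Dict]:
    """One finding per TXT answer whose entropy is at or above the threshold."""
    findings: List[Dict] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and Zeek header lines
            continue
        rec = json.loads(line)
        if rec.get("qtype_name") != "TXT":  # only TXT records carry free-form data
            continue
        for answer in rec.get("answers") or []:  # the answers field may be absent
            data = strip_zeek_txt_prefix(answer)
            entropy = shannon_entropy(data)
            if entropy >= threshold:
                findings.append({
                    "ts": rec.get("ts"),
                    "uid": rec.get("uid"),
                    "src": rec.get("id.orig_h"),
                    "query": rec.get("query"),
                    "entropy": round(entropy, 3),
                    "answer": data,
                })
    return findings


if __name__ == "__main__":
    for f in high_entropy_txt_answers(SAMPLE_DNS_LOG.splitlines()):
        print(f"{f['ts']} {f['src']} {f['query']} entropy={f['entropy']} "
              f"{f['answer'][:32]}...")
```

The SPF record scores about 4.3 bits per character and is ignored at the default threshold, while the base64-looking answer scores exactly 6 and is flagged; lowering the threshold to 4.0 flags both, which is why the threshold is worth exposing in configuration rather than hard-coding it.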

More new features

We are constantly improving Slips, and a full list of changes in this latest version is available in the Slips changelog. These are some of the fixes and improvements we have been working on:

  • Fix duplicate evidence in multiple alerts

  • Fix false-positive horizontal port scans caused by Zeek flipping connections

  • Fix false-positive URLhaus detections; it is now used to check URLs only, not domains

  • Fix having multiple port scan alerts with the same timestamp

  • Fix MD5 URLhaus lookups

  • Fix multiple SSH client versions detection

  • Fix a race condition when updating TI files while running multiple Slips instances

  • Move all TI feeds to separate files in the config/ directory for easier use

  • Optimize code and performance

  • P2P can now work without adding the p2p4slips binary to PATH

  • The port scan detector is now called network service discovery

  • Store Zeek files in the output directory by default

  • Support IP ranges in your own local TI file own_malicious_iocs.csv

  • Update Kalispo dependencies to use more secure versions

  • Wait 30 minutes before the first "connection without DNS" evidence

Check Our Slips Demo

Get a quick overview of what Slips is about and all its capabilities in this demo presented at the LCN conference in 2021.

You can also see the analysis of several malicious PCAPs using Slips: https://stratospherelinuxips.readthedocs.io/en/develop/slips_in_action.html

Get in Touch

Feel free to join our Discord server to ask questions, suggest new features or give us feedback. Pull requests and issues are welcome in our repo.