Stratosphere Linux IPS
The Stratosphere Linux IPS, Slips for short, is a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. Slips was first introduced in 2016. During the last year, Slips has gone through a significant refactoring process. The new version 0.6.2 of Slips was released on the 31st of October 2019. It is part of a larger suite of programs that includes the Stratosphere Windows IPS and the Stratosphere Testing Framework.
OPERATING PLATFORMS
Slips runs on:
Ubuntu 16.04 LTS
Debian stable/testing/unstable
macOS 10.9.5, 10.10.x to 10.12.x
INPUT
The idea of Slips is to focus on the machine learning part of the detection, not on capturing the network traffic. Slips can read flows from different input types:
Pcap files (internally using Zeek).
Packets directly from an interface (internally using Zeek).
Suricata flows (from JSON files created by Suricata, such as eve.json).
Argus flows (CSV file separated by commas or TABs).
Zeek/Bro flows from a Zeek folder with log files.
Zeek/Bro flows from a conn.log file only.
Nfdump flows from a binary nfdump file.
The traffic can also be received from an external Argus instance. Argus captures the packets on the network and makes them available to any client connecting to the Argus port. The flows from an Argus instance are read using the ra tool and then piped to Slips on standard input. This is a flexible way of working: we can analyze the traffic of our own computer, and we can equally analyze the traffic of a remote network or of any other computer where an Argus instance is running.
All input flows are converted to an internal format, so once they are read, Slips works the same way with all of them.
SLIPS ARCHITECTURE
Slips works at the flow level. Its core functionality is to separate the traffic into profiles, one for each IP address that appears in the traffic. A profile holds the complete behavior of that IP in the traffic and is the simplest data structure in Slips. Each profile is then divided into time windows. Each time window is 1 hour long by default, and it contains dozens of features computed over all connections that start in that time window.
Since Slips internally generates Zeek files for most input types, Zeek log files are what is used to create the profiles. For example, the timeline of each time window is an interpretation of what the IP did during that hour. The timeline consists of the Zeek-generated conn.log flows plus additional interpretation taken from other logs such as dns.log or http.log.
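A minimal illustration of this profile and time-window grouping, added here as an example and not Slips' own code. It assumes Zeek's conn.log written as JSON lines (Zeek's JSON field names such as id.orig_h) and uses a few constructed records; the features it computes (flow count, distinct destination IPs and ports per window) are just a small sample of the kind Slips keeps per time window.

```python
import json
from collections import defaultdict

# Constructed sample of Zeek conn.log records in JSON-lines form (not real traffic).
# Field names follow Zeek's conn.log: ts, id.orig_h, id.resp_h, id.resp_p, proto.
SAMPLE_CONN_LOG = """\
{"ts": 1572480000.0, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 443, "proto": "tcp"}
{"ts": 1572480120.5, "id.orig_h": "10.0.0.5", "id.resp_h": "93.184.216.34", "id.resp_p": 80, "proto": "tcp"}
{"ts": 1572483700.0, "id.orig_h": "10.0.0.5", "id.resp_h": "10.0.0.9", "id.resp_p": 22, "proto": "tcp"}
{"ts": 1572480300.0, "id.orig_h": "10.0.0.7", "id.resp_h": "8.8.8.8", "id.resp_p": 53, "proto": "udp"}
"""

TW_SECONDS = 3600  # default time-window length described in the text (1 hour)


def parse_conn_log(text):
    """Parse JSON-lines conn.log records, skipping blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            flows.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a truncated or corrupt line must not abort the whole run
    return flows


def build_profiles(flows, tw_seconds=TW_SECONDS):
    """Group flows into per-originating-IP profiles, each split into fixed time windows.

    The window is keyed by its start timestamp (flow start time floored to the
    window length), mirroring the description of windows holding all connections
    that start inside them. Returns {ip: {tw_start: feature_dict}}.
    """
    acc = defaultdict(lambda: defaultdict(lambda: {"flows": 0, "dst_ips": set(), "dst_ports": set()}))
    for f in flows:
        tw_start = int(f["ts"] // tw_seconds) * tw_seconds
        tw = acc[f["id.orig_h"]][tw_start]
        tw["flows"] += 1
        tw["dst_ips"].add(f["id.resp_h"])
        tw["dst_ports"].add(f["id.resp_p"])
    # Reduce the sets to counts so the result is plain, serializable data.
    return {ip: {tw: {"flows": d["flows"],
                      "distinct_dst_ips": len(d["dst_ips"]),
                      "distinct_dst_ports": len(d["dst_ports"])}
                 for tw, d in tws.items()}
            for ip, tws in acc.items()}


if __name__ == "__main__":
    print(json.dumps(build_profiles(parse_conn_log(SAMPLE_CONN_LOG)), indent=2))
```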
MODULES AND FEATURES
To analyze the network traffic, Slips has the following modules:
asn - module to load and look up the ASN of each IP
geoip - module to find the country and geolocation information of an IP address
https - module to train or test a RandomForest classifier to detect malicious flows
port scan detector - detects horizontal and vertical port scans
threat intelligence - checks whether the source IP or destination IP is in a list of known malicious IPs
timeline - creates a timeline of what happened in the network based on all the flows and types of data available
VirusTotal - IP address lookup on VirusTotal
Slips uses behavioral letters to describe flows and to create a behavioral model. The behavioral model helps to detect malicious behavior in the network traffic. More information on how to interpret the behavioral model is here.
Slips has its own graphical user interface, Kalipso, to display the analyzed data. How to install and use Kalipso is explained here.
DEPENDENCIES
The minimum Slips requirements are:
Python 3.7 or newer - https://www.python.org/
Redis database - https://redis.io/
In Debian/Ubuntu: apt-get install redis
py37-redis
In Debian/Ubuntu: apt-get install python3-redis
maxminddb library for Python: pip3 install maxminddb. Otherwise, disable the geoip module in the configuration file.
Zeek (Bro): https://docs.zeek.org/en/stable/install/install.html
python-watchdog
In Debian/Ubuntu: apt-get install python3-watchdog
To run Redis you can do one of the following:
On Linux, as a daemon: redis-server --daemonize yes
On macOS, as a daemon: sudo port load redis
Leave Redis running in the foreground on the console: redis-server /opt/local/etc/redis.conf