This blog post was authored by Veronica Valeros on 2020/11/14

The Stratosphere Linux IPs, for short Slips, is a free software intrusion prevention system that uses machine learning. Slips allows analysts to quickly sift through large network captures as well as real live traffic, highlighting what is important to analyze. The analysis we do as part of the Emergency VPN service at Civilsphere relies heavily on Slips.

The goals of this blog post are threefold: 

• First we will show how to get a base docker container running that we will use to install Slips; 

• Second, we will install all dependencies and packages needed for Slips and all Slips modules to run; and we will install Zeek.

• Third we will run Slips on an example capture and see its results.

You can use the StratosphereLinuxIPS directly using our docker image ready on DockerHub: stratosphereips/slips.

Starting a Docker Container From a Base Image

The installation of Slips shown in this blog is done starting from scratch from a base docker image. The installation steps we will show should work for the images listed below, however we recommend using as a base image tensorflow. Tensorflow is the machine learning platform that Slips relies on for its detection algorithms and one of the packages that takes longer to install. Choosing this image as a base will make the installation faster and smaller. 

We want to analyze pcaps after the installation. In order to do that, we will create a folder in our host computer called dataset and we will map this folder to the container. 

Create a directory called dataset in your home folder:

mkdir /home/user/dataset

Create a container called Slips based on the tensorflow image with the volume mapped as read only for safety reasons:

docker run -dit -v /home/user/dataset:/opt/dataset:ro --name slips --hostname stratosphereips tensorflow/tensorflow

Check that the container is up and running, you should see a container listed on your terminal:

docker ps

The last step is to access the container to start the installation:

docker exec -it slips /bin/bash

Install Required Packages via APT Package Manager

The tensorflow docker image is based on Ubuntu. To install packages we will use the APT package manager. Slips graphical interface depends on node, and many of the packages installed via pip3 are for Slips modules to work.

Update the repository of packages so you see the latest versions:

apt-get update

Install the required packages (-y is to install without asking for approval):

apt-get -y install curl git redis python3.7-minimal python3-redis python3-pip python3-watchdog nodejs npm

Even though we just installed pip3, the package installer for Python (3.7), we need to upgrade it to its latest version:

python3 -m pip install --upgrade pip

Now that pip3 is upgraded, we can proceed to install all required packages via pip3 python packet manager:

pip3 install maxminddb colorama validators urllib3 numpy sklearn pandas certifi keras redis==3.4.1

Note: for those using a different base image, you need to also install tensorflow==2.2.0 via pip3.

As we mentioned before, the GUI of Slips known as Kalipso relies on nodejs. For it to work we will install the following npm packages:

npm install blessed blessed-contrib redis async chalk strip-ansi clipboardy fs sorted-array-async

Installing Zeek

The last requirement to run Slips is Zeek. Zeek is a network security monitoring tool. Slips is able to read zeek flows, whether directly from the network or after processing a pcap file.

Zeek is not directly available on Ubuntu or Debian. To install it, we will first add the repository source to our apt package manager source list. The following two commands are for Ubuntu, check the repositories for the correct version if you are using a different OS:

echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/ /' | tee /etc/apt/sources.list.d/security:zeek.list

We will download and store the gpg signature from the package for apt to read:

curl -fsSL http://download.opensuse.org/repositories/security:/zeek/xUbuntu_18.04/Release.key | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null

Finally we will update the package manager repositories and install zeek

apt-get update

apt-get -y install zeek

To make sure that zeek can be found in the system we will add its link to a known path:

ln -s /opt/zeek/bin/zeek /usr/local/bin

Now, all requirements are met, hopefully without issues. We are ready to run Slips.

Running Slips for the First Time

Slips processes the network traffic, generates the profiles and stores the information on Redis. Redis is then used by Slips modules and Kalipso to store and consume information as they process the traffic.

When running Slips for the first time we need to start Redis:

redis-server --daemonize yes

Once Redis is running it’s time to clone the Stratosphere Linux IPS repository:

git clone https://github.com/stratosphereips/StratosphereLinuxIPS.git

Access the folder:

cd StratosphereLinuxIPS/

Slips has been undergoing major developments in the last year, and as the team prepares for a major release we will work with the development version. Check out the development branch: 

git checkout develop

There are two ways of running Slips:

• Run Slips on your docker network interface:
  ./slips.py -c slips.conf -i eth0

• Run Slips on a packet capture:
  ./slips.py -c slips.conf -r datasets/hide-and-seek-short.pcap

If you run it with the example packet capture shown above, you should see a similar output as shown below:

Slips in Action

For this section we will use capture from the generous malware-traffic-analysis.net which has an incredible collection of malware captures! We will pick an old nice capture: 2016-12-12-EITest-Rig-V-sends-CryptoMix-ransomware.pcap.zip

Download the pcap in your recently created datasets folder and uncompress it (password of the zip file: infected).

We will now run Slips on the newly downloaded packet capture:

./slips.py -c slips.conf -r /opt/datasets/2016-12-12-EITest-Rig-V-sends-CryptoMix-ransomware.pcap

This is a short packet capture so it should finish pretty fast. The expected output is shown below:

We will now use the graphical interface of Slips to see and browse through the results. To run the Kalipso GUI, type:

./kalipso.sh

A nice and colourful graphical interface will appear, which you can browse with enter and the keyboard arrows. You can move from panel to panel with tab. And in the Timeline view you can press enter on the rows and it will refresh the data shown at the top panel.

The timeline above shows us that there were three successful HTTP GET requests downloading among other things a x-shockwave-flash file, and also two successful HTTP POST requests. We see also that in the Evidence panel in the bottom, several of the domains and IPs were detected by Slips as malicious.

The threat intelligence module consumes indicators from the Internet or from a local file:

• modules/ThreatIntelligence1/malicious_data_files/

• modules/ThreatIntelligence1/local_data_files/

For this example, I’ve modified the local file with indicators with the ones found in the pcap to show how the alerts look like. You can add your own indicators following the CSV format of the file.

Conclusion

The Stratosphere Linux IPs is our free software tool where all the research from our Stratosphere group is applied. In this blog you learned how to install it and how to start using it. If you want to learn more about it, here are a few resources we recommend:

• Introducing Kalipso: the new interactive GUI of the Stratosphere Linux IPS by Kamila Babayeva

• OpenAlt 2019 Live Stream: S. Garcia, K. Babayeva: Fantastic Attacks and How Kalipso can Find Them

• Writing a SLIPS Module by Dita Hollmannová

• You can use the StratosphereLinuxIPS directly using our docker image ready on DockerHub: stratosphereips/slips.