New Slips version 0.8 is here!

In the last couple of months we have been busy continuing the development of Slips, our behaviour-based machine learning intrusion detection system, and we have finally published version 0.8, with a crazy amount of features! You can download it from https://github.com/stratosphereips/StratosphereLinuxIPS and read the documentation at https://stratospherelinuxips.readthedocs.io/en/develop/.

New features

In 0.8 there are many new features for you to try (the full list is in the CHANGELOG), but let's go through some of them here.

New scan detections

Slips can detect ARP scans in the network. This is done by implementing a new Zeek script and adding the detection.

Slips can now also detect ICMP ping sweep scans, typically done by tools like Nmap.
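As an added example (not Slips' own code), the following Python shows the kind of check behind a ping sweep detection: it reads a constructed Zeek conn.log sample and reports any source that sends ICMP echo requests to several distinct hosts inside a short time window. The threshold and window values are assumptions chosen for the illustration.

```python
from collections import defaultdict

# Constructed sample in Zeek conn.log TSV layout (leading columns only). For ICMP,
# Zeek stores the ICMP type in id.orig_p and the code in id.resp_p, so echo
# requests are the rows with proto=icmp and id.orig_p=8.
SAMPLE_CONN_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice",
    # fast sweep: 10.0.0.5 probes six hosts in two seconds
    "1614000000.0\tCa1\t10.0.0.5\t8\t10.0.0.1\t0\ticmp\t-",
    "1614000000.4\tCa2\t10.0.0.5\t8\t10.0.0.2\t0\ticmp\t-",
    "1614000000.8\tCa3\t10.0.0.5\t8\t10.0.0.3\t0\ticmp\t-",
    "1614000001.2\tCa4\t10.0.0.5\t8\t10.0.0.4\t0\ticmp\t-",
    "1614000001.6\tCa5\t10.0.0.5\t8\t10.0.0.6\t0\ticmp\t-",
    "1614000001.9\tCa6\t10.0.0.5\t8\t10.0.0.7\t0\ticmp\t-",
    "1614000000.1\tCr1\t10.0.0.1\t0\t10.0.0.5\t0\ticmp\t-",  # echo reply, ignored
    # benign monitoring host pinging one gateway repeatedly, plus a TCP flow
    "1614000010.0\tCb1\t10.0.0.9\t8\t10.0.0.1\t0\ticmp\t-",
    "1614000011.0\tCb2\t10.0.0.9\t8\t10.0.0.1\t0\ticmp\t-",
    "1614000020.0\tCt1\t10.0.0.9\t51000\t10.0.0.1\t443\ttcp\tssl",
    # slow probing: five hosts, one every 150 s, never five inside a 60 s window
    "1614000100.0\tCs1\t10.0.0.8\t8\t10.0.0.1\t0\ticmp\t-",
    "1614000250.0\tCs2\t10.0.0.8\t8\t10.0.0.2\t0\ticmp\t-",
    "1614000400.0\tCs3\t10.0.0.8\t8\t10.0.0.3\t0\ticmp\t-",
    "1614000550.0\tCs4\t10.0.0.8\t8\t10.0.0.4\t0\ticmp\t-",
    "1614000700.0\tCs5\t10.0.0.8\t8\t10.0.0.6\t0\ticmp\t-",
])


def detect_ping_sweeps(conn_log, threshold=5, window=60.0):
    """Map each source that sent ICMP echo requests to >= threshold distinct hosts
    within `window` seconds to the sorted hosts of the first such window.
    Threshold and window are illustrative assumptions, not Slips' own settings."""
    fields, requests = None, defaultdict(list)
    for line in conn_log.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            row = dict(zip(fields, line.split("\t")))
            if row["proto"] == "icmp" and row["id.orig_p"] == "8":
                requests[row["id.orig_h"]].append((float(row["ts"]), row["id.resp_h"]))
    alerts = {}
    for src, events in requests.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # distinct destinations probed inside [start, start + window]
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= threshold:
                alerts[src] = sorted(targets)
                break
    return alerts
```

Widening the window (for example to 900 seconds) makes the slow prober 10.0.0.8 show up as well, which is the usual trade-off between catching slow scans and raising false positives on hosts that legitimately ping many peers.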

New Machine Learning module

There is a new module, called flowmldetection, that uses a linear SVM machine learning model (SGDClassifier) on flows. The module is pretrained with normal traffic and malware traffic, and is activated by default. For now, it only works on traditional flows, such as the conn.log flows of Zeek, and not on others, such as HTTP flows.

This module allows the user to retrain the machine learning model; see the description below.

New Training mode, so you can rebuild the ML model at home

The new machine learning module flowmldetection allows users to train their own model with their own data. (The complete documentation is here.) For this you need to put Slips in train mode in the configuration file, and also specify in the configuration file a label for the traffic you are going to use. Then you just run Slips normally and the model is retrained automatically.

After your training is done, put Slips back in testing mode in the configuration file and use Slips normally.

New Threat Intelligence lists with confidence

Slips can now ingest by default more than 50 threat intelligence feeds from the Internet. They are all used to detect IP addresses and domains in many places, such as flows, HTTP connections, DNS requests and responses, and TLS SNI hosts.

However, not all of the feeds are equally trustworthy, so Slips allows you to assign a confidence level to each feed in the configuration file. This confidence is used by the ensemble model to decide whether to generate an alert or not.

JA3 detection and whitelists

Slips now understands and computes the JA3 hash (see here for details). It also downloads the blacklist https://sslbl.abuse.ch/blacklist/ja3_fingerprints.csv and uses it to block connections matching these malicious hashes.

Blocking of IPs in Linux iptables

On Linux systems (both native installation and Docker) you can tell Slips to connect to iptables and block all the IP addresses that are being alerted on (remember that Slips generates alerts only for IPs that generated enough evidence). This is done with the -p parameter when running Slips.

When using Docker, the container must be run with the --cap-add=NET_ADMIN capability. Check the README.md for the complete instructions.

Whitelists of Organizations

Slips now allows the user to specify an organization, such as Facebook, and automatically ignore the flows (or alerts) to that organization. This is done by using the complete list of ASNs, domains and IPs registered for each organization. All these domains, IPs and ASNs are whitelisted across all flows in Slips.

The current organizations that can be whitelisted are Facebook, Google, Apple and Twitter.

Apart from these organizations, Slips allows you to whitelist domains and IPs. The whitelisting can apply to flows going to those values or coming from them, and it can cover flows or alerts.

Use RiskIQ to download special feeds using their API

Slips can talk to the RiskIQ API to download the feed https://api.riskiq.net/pt/v2/articles/indicators and use it for detections.

Among the other features are also…

  • You can now run multiple Slips instances on the same computer without interference!

  • Detect malicious downloaded files by searching for their MD5 hash on VirusTotal.

  • Detect SSH password guessing by using the Zeek log for this.

  • New module to detect data exfiltration by checking for large transfers.