Our team is excited to share the latest news and features of Slips, our behavior-based, machine-learning intrusion detection system.
Quick links:
Download Slips from our GitHub repository: https://github.com/stratosphereips/StratosphereLinuxIPS
Access Slips documentation through Read the Docs: https://stratospherelinuxips.readthedocs.io/en/develop/
What We Are Particularly Excited About
In this release we are particularly excited about these new Slips features:
Add an option to store the zeek log files inside the output dir
Add support for suricata ssh flows
Better detection of suspicious user agents
Detect DNS answers that have a blacklisted IP or CNAME
Detect ICMP scans in netflow files
Don't alert on ARP scans coming from the gateway
Keep track of profiles' past threat levels
Kill all modules after 15 minutes of trying to stop them gracefully
Kill Slips when a Redis ConnectionError occurs
Make Zeek log rotation configurable: how often to rotate and how many days to keep the rotated files
Remove VirusTotal hash lookups to save API quota
Support looking up hashes and domains in URLhaus
Support looking up hashes in Circl.lu
Support looking up IPs in Spamhaus
Support running Slips on a growing Zeek directory, for example the Zeek output directory of a live interface
Whitelist the Tranco top 10k domains to reduce false positive alerts
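To make one of the detections listed above concrete, here is the blacklisted-DNS-answer check written as a small stand-alone example. This is illustrative code written for this post, not Slips's own implementation: the blacklist, the whitelist (a stand-in for the Tranco top 10k) and the Zeek dns.log records are all constructed.

```python
"""Flag Zeek dns.log records whose answers contain a blacklisted IP or CNAME,
skipping queries for whitelisted domains. Example code for this post, not the
Slips implementation; all data below is constructed."""
import ipaddress
import json

# Constructed threat-intel data (assumption: stand-ins for real TI feeds).
BLACKLISTED_IPS = {"198.51.100.23"}
BLACKLISTED_DOMAINS = {"cdn.bad-example.net"}
# Constructed stand-in for the Tranco top-10k whitelist.
WHITELISTED_DOMAINS = {"example.com", "google.com"}

# Constructed Zeek dns.log records in JSON format (one record per line).
SAMPLE_DNS_LOG = """\
{"ts":1700000000.1,"id.orig_h":"10.0.0.5","query":"www.example.com","answers":["93.184.216.34"]}
{"ts":1700000001.2,"id.orig_h":"10.0.0.5","query":"update.evil-example.org","answers":["cdn.bad-example.net","198.51.100.23"]}
{"ts":1700000002.3,"id.orig_h":"10.0.0.7","query":"mail.example.com","answers":["198.51.100.23"]}
{"ts":1700000003.4,"id.orig_h":"10.0.0.9","query":"files.other-example.org","answers":["cdn.bad-example.net"]}
"""


def registered_domain(name: str) -> str:
    """Reduce a hostname to its last two labels (www.example.com -> example.com).
    Simplification: a real deployment would consult the public suffix list."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def is_whitelisted(query: str) -> bool:
    """True if the queried name belongs to a whitelisted registered domain."""
    return registered_domain(query) in WHITELISTED_DOMAINS


def classify_answer(answer: str):
    """Return ("ip", answer) or ("cname", answer) if blacklisted, else None."""
    try:
        ipaddress.ip_address(answer)
    except ValueError:
        # Not an address, so treat it as a name (e.g. a CNAME target).
        if answer.rstrip(".").lower() in BLACKLISTED_DOMAINS:
            return ("cname", answer)
        return None
    if answer in BLACKLISTED_IPS:
        return ("ip", answer)
    return None


def detect_blacklisted_answers(log_text: str):
    """Walk JSON dns.log lines and return one alert per blacklisted answer."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        query = rec.get("query", "")
        if is_whitelisted(query):
            # Whitelisted domain: suppressed even if an answer matches.
            continue
        for ans in rec.get("answers", []):
            hit = classify_answer(ans)
            if hit:
                alerts.append({
                    "ts": rec["ts"],
                    "src": rec["id.orig_h"],
                    "query": query,
                    "kind": hit[0],
                    "ioc": hit[1],
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_blacklisted_answers(SAMPLE_DNS_LOG):
        print(alert)
```

Note the trade-off the whitelist introduces: the third record resolves a whitelisted domain to a blacklisted IP and is deliberately not alerted on, so a whitelist lowers false positives at the cost of possible false negatives if a whitelisted domain is ever abused.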
More new features
We are constantly improving Slips, and a full list of changes in this version is available in the Slips changelog. These are some of the fixes we have been working on:
Fix false positive "connection without DNS" detections
Fix importing and exporting to warden servers
Fix P2P
Fix detection of SSH logins from Zeek logs
Fix reading zeek tab files
Fix saving the redis database
Fix vertical port scan detections from Zeek logs
Fix Zeek log rotation on Ctrl+C
Check Our Slips Demo
Get a quick overview of what Slips is about and all its capabilities in this demo presented at the LCN conference in 2021.
See also the analysis of several malicious PCAPs with Slips: https://stratospherelinuxips.readthedocs.io/en/develop/slips_in_action.html
Get in Touch
Feel free to join our Discord server to ask questions, suggest new features or give us feedback. PRs and issues are welcome in our repo.