Our team is excited to share the latest news and features of Slips, our behavioral-based machine learning intrusion detection system. 

Quick links:

• Download Slips from our GitHub repository: https://github.com/stratosphereips/StratosphereLinuxIPS

• Access Slips documentation through Read the Docs: https://stratospherelinuxips.readthedocs.io/en/develop/

What We Are Particularly Excited About

In this release we are particularly excited about these new Slips features:

• Add detection for connections to private IPs from private IPs

• Add detection for devices changing IPs.

• Add detection for DHCP scans

• Add detection for non-HTTP connections on port 80

• Add detection for non-SSL connections on port 443

• Add detection of connections to/from IPs outside the used local network.

• Add detection of high entropy DNS TXT answers 

• Add detection of IPs using multiple SSH server versions

• Add detection of weird HTTP methods

• add support for sha256 hashes in files.log generated by zeek  

• Add the option to change pastebin download detection threshold in slips.conf

• Add the option to change shannon entropy threshold detection threshold in slips.conf

• Add the option to start slips web interface automatically using -w

• Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json

More new features

We are constantly improving Slips, and a full list of changes in this last version is available in the Slips changelog. These are some of the new fixes that we have been working on:

• Fix Duplicate evidence in multiple alerts

• Fix FP horizontal portscans caused by zeek flipping connections

• Fix FP urlhaus detetcions, now we use it to check urls only, not domains.

• Fix having multiple port scan alerts with the same timestamp

• Fix md5 urlhaus lookups

• Fix multiple SSH client versions detection

• Fix race condition trying to update TI files when running multiple slips instances 

• Move all TI feeds to their separate files in the config/ directory for easier use

• Optimize code and performance

• P2P can now work without adding the p2p4slips binary to PATH

• Portscan detector is now called network service discovery

• Store zeek files in the output directory by default

• Support having IP ranges in your own local TI file own_malicious_iocs.csv

• Update Kalispo dependencies to use more secure versions

• Wait 30 mins before the first “connection without DNS” evidence

Check Our Slips Demo 

Get a quick overview of what Slips is about and all its capabilities in this demo presented at the LCN conference in 2021.

And the analysis of several malicious PCAPs using Slips: https://stratospherelinuxips.readthedocs.io/en/develop/slips_in_action.html 

Get in Touch

Feel free to join our Discord server and ask questions, suggest new features or give us feedback. PRs and Issues are welcomed in our repo.