Recent Releases of stratospherelinuxips

stratospherelinuxips - v1.1.13

Add detection for DNS answers of malicious DNS queries.
Add support for Zeek v8.0.0.
Speed up evidence processing in Slips.
Update Python dependencies.

- Python
Published by AlyaGomaa 9 months ago

stratospherelinuxips - v1.1.12

Better filtering of attacks in the ARP poisoner filter.
Cache ARP scan results to avoid flooding the network with ARP packets.
Exclude poisoning the gateway using the ARP poisoner.
Increase the delay between ARP poisoning attempts to avoid flooding the network.
Local P2P trust model improvements.

- Python
Published by AlyaGomaa 10 months ago

stratospherelinuxips - v1.1.11

Fix the local P2P trust model.
Fix SQLite cursor errors.
Avoid setting an alert about own IP and other Slips peers when ARP poisoning attackers.

- Python
Published by AlyaGomaa 11 months ago

stratospherelinuxips - v1.1.10

Add support for unblocking attackers using IPtables after a probation period.
Add support for blocking attackers using ARP poisoning.
Improve how the gateway IP and MAC are detected.
Support running Slips as an AP to block attackers in the RPI.

- Python
Published by AlyaGomaa about 1 year ago

stratospherelinuxips - v1.1.9

Add bootstrapping node mode for the global P2P. Thanks to @d-strat
Add support for ARM64 architecture in Docker images.
Fix issues getting domain registrants.
Fix the "Database is locked" SQLite error.
Fix the issue of Slips hanging when shutting down.
Ignore URLs when found in threat intelligence feeds.
Improve handling of Zeek tab-separated log files. Logs from Zeek old versions are now read correctly.
Optimize IP Info module.
Print flows processed per minute in the stats printed to the CLI.
Support reading labeled Zeek logs and using their labels in Slips modules.

- Python
Published by AlyaGomaa about 1 year ago

stratospherelinuxips - v1.1.8

Fix SQLite database errors.
Fix CPU and RAM profilers.
Fix the issue with AsyncModules not shutting down gracefully.

- Python
Published by AlyaGomaa about 1 year ago

stratospherelinuxips - v1.1.7

Add global P2P support. Thanks to @d-strat
Add new "GRE tunnel scan" detections.
Add the option to enable/disable local and online whitelists from slips.yaml.
Fix false positive "Connection to a private IP outside of local network" detection. Slips now doesn't alert on DNS servers outside of local network.
Fix false positive "Connection to a private IP" detection when the connection is DHCP.
Fix false positive "Device changing IP" detection alerting about special IPs.
Fix false positive "Invalid DNS answer" detection alerting about .arpa domains.
Fix false positive "non-HTTP established connection on port 80".
Fix false positive "non-SSL established connection on port 443".
Improve "Connection to unknown port" detections. Now the threat level depends on the flow state.
Improve "DNS without connection" evidence. Slips now only detects when the query type is A or AAAA.
Improve the description of malicious flow by MLflowdetection module.
Improve the detections of the MLflowdetection module.
Improve the existing "GRE tunnel" detections.
Improve whitelists: Slips is now whitelisting CNAME, SNI, related queries, and DNS resolutions of attackers and victims.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.6

3x speedup of the profiler process responsible for analyzing the given flows.
Fix false positive "connection without DNS" detection.
Fix false positive "DNS without connection" detection.
Fix problem parsing Suricata DNS flows.
Fix problem using threat intelligence feeds from cache even if they are not present in the given config file.
Fix regex warning when starting Slips. Special thanks to @Sekhar-Kumar-Dash.
Fix Tranco whitelists.
Improve "Incompatible CN" detection.
Improve "Invalid DNS answer" detection.
Improve unit tests. Special thanks to @Sekhar-Kumar-Dash.
Improve whitelisting by checking if the SNI of each evidence is whitelisted or not.
Update the license used.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.5

200x times speedup of domain lookups in the threat intelligence module.
Add a threat level and confidence to each alert.
Add evidence for CN and hostname mismatch in SSL flows.
Add multiple telnet reconnection attempts detection.
Add support to IP ranges as the client_ip in slips.yaml
Alert "invalid DNS answer" on all private DNS answers.
Don't alert "high entropy TXT answers" for flows from multicast IPs.
Fix multiple reconnection attempts detection.
Fix problem downloading the latest MAC database from macvendors.com
Improve the detection of the Gateway IP and MAC when running on files and PCAPs.
Improve unit tests. Special thanks to @Sekhar-Kumar-Dash.
Split the "connection to/from blacklisted IPs" detection into two different evidence with different threat levels.
Update Slips internal list of Apple known ports.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.4

Fix changing the used database in the web interface.
Reduce false positive evidence about malicious downloaded files.
Fix datetime errors when running on an interface.
Improve the detection of "DNS without connection".
Add support for a light Slips docker image.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.3

Enhance Slips shutdown process for smoother operations.
Optimize resource management in Slips, resolving issues with lingering threads in memory.
Remove the progress bar; Slips now provides regular statistical updates.
Improve unit testing—special thanks to @Sekhar-Kumar-Dash.
Drop support for macOS, P2P, and platform-specific Docker images. A unified Docker image is now available for all platforms.
Correct the number of evidence reported in statistics.
Fix incorrect end date reported in metadata/info.txt upon analysis completion.
Print more information to CLI on Slips startup, including network details, client IP, thresholds used, and more.
Reduce false positives from Spamhaus by looking up inbound traffic only.
Speed up horizontal port scan detections.
Enhance logging of IDMEF errors.
Resolve issues with the accumulated threat level reported in alerts.json.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.2

Add a relation between related evidence in alerts.json
Better unit tests. Thanks to @Sekhar-Kumar-Dash
Discontinued MacOS m1 docker images, P2p images, and slips dependencies image.
Fix the problem of the progress bar stopping before analysis is done, causing Slips to freeze when analyzing large PCAPs.
Improve how Slips recognizes the current host IP.
Increase the speed of the Flowalerts module by changing how Slips checks for DNS servers.
Major code improvements.
Remove redundant keys from the Redis database.
Remove unused keys from the Redis database.
Use IDMEFv2 format in alerts.json instead of IDEA0.
Wait for modules to finish 1 week by default.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1.1

Better unit tests. Thanks to @Sekhar-Kumar-Dash.
Fix Slips installation script at install/install.sh
Fix the issue of the flowalerts module not analyzing all given conn.log flows.
Fix the Zeek warning caused by one of the loaded Zeek scripts.
Improve how Slips validates domains taken from TI feeds.
Improve whitelists.
Update Python dependencies.
Better handling of connections to the Redis database.

- Python
Published by AlyaGomaa over 1 year ago

stratospherelinuxips - v1.1

Update Python version to 3.10.12 and all the Python libraries used by Slips.
Update nodejs and Zeek.
Improve the stopping of Slips. Modules now have more time to process flows.
Fix database unit tests overwriting redis configuration file.
New configuration file format, Slips is now using YAML thanks to @patel-lay.
Better unit tests. thanks to @Sekhar-Kumar-Dash.
GitHub workflow improvements.
Fix the RNN module and add a new model.
Horizontal port scan detection improvements.

- Python
Published by AlyaGomaa almost 2 years ago

stratospherelinuxips - v1.0.15

Add a Parameter to export strato letters to re-train the RNN model.
Better organization of flowalerts module by splitting it into many specialized files.
Better unit tests. thanks to @Sekhar-Kumar-Dash
Disable "Connection without DNS resolution" evidence to DNS servers.
Fix displaying "Failed" as the protocol name in the web interface when reading Suricata flows.
Fix problem reversing source and destination addresses in JA3 evidence description.
Improve CI by using more parallelization.
Improve non-SSL and non-HTTP detections by making sure that the sum of bytes sent and received is zero.
Improve RNN evidence description, now it's more clear which IP is the botnet, and which is the C&C server.
Improve some threat levels of evidence to reduce false positives.
Improve whitelists. Better matching, more domains added, reduced false positives.
More minimal Slips notifications, now Slips displays the alert description instead of all evidence in the alert.
The port of the web interface is now configurable in slips.conf

- Python
Published by AlyaGomaa almost 2 years ago

stratospherelinuxips - v1.0.14

Improve whitelists by better matching of ASNs, domains, and organizations.
Whitelist Microsoft, Apple, Twitter, Facebook, and Google alerts by default to reduce false positives.
Better unit tests. Thanks to @Sekhar-Kumar-Dash
Speed up port scan detections.
Fix the issue of overwriting Redis configuration file every run.
Add more info to metadata/info.txt for each run.

- Python
Published by AlyaGomaa about 2 years ago

stratospherelinuxips - v1.0.13

Whitelist alerts to all organizations by default to reduce false positives.
Improve and compress Slips Docker images.
Improve CI and add pre-commit hooks.
Fix problem reporting victims in alerts.json.
Better docs for the threat intelligence module.
Improve whitelists.
Better detection threshold to reduce false positives.
Better unit tests.
Fix problems stopping the daemon.

- Python
Published by AlyaGomaa about 2 years ago

stratospherelinuxips - v1.0.12

Add an option to specify the current client IP in slips.conf to help avoid false positives.
Better handling of URLhaus threat intelligence.
Change how slips determines the local network of the current client IP.
Fix issues with the progress bar.
Fix problem logging alerts and errors to alerts.log and erros.log.
Fix problem reporting evidence to other peers.
Fix problem starting the web interface.
Fix whitelists.
Improve how the evidence for young domain detections is set.
Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
Set evidence to all young domain IPs when a connection to a young domain is found.
Set two evidence in some detections e.g. when the source address connects to a blacklisted IP, evidence is set for both.
Use blacklist name instead of IP description in all evidence.
Use the latest Redis and NodeJS version in all docker images.

- Python
Published by AlyaGomaa about 2 years ago

stratospherelinuxips - v1.0.11

Improve the logging of evidence in alerts.json and alerts.log.
Optimize the storing of evidence in the Redis database.
Fix problem of missing evidence, now all evidence is logged correctly.
Fix problem adding flows to incorrect time windows.
Fix problem setting SSH version changing evidence.
Fix problem closing Redis ports using -k.
Fix problem closing the progress bar.
Fix problem releasing the terminal when Slips is done.

- Python
Published by AlyaGomaa over 2 years ago

stratospherelinuxips - v1.0.10

Faster ensembling of evidence.
Log accumulated threat levels of each evidence in alerts.json.
Better handling of the termination of the progress bar.
Re-add support for tensorflow to the dockers for macOS M1 and macOS M1 P2P.
Fix problem setting 'vertical portscan' evidence detected by Zeek.
Fix unable to do RDAP lookups
Fix stopping Slips daemon.

- Python
Published by AlyaGomaa over 2 years ago

stratospherelinuxips - v1.0.9

Fix using -k to kill opened Redis servers.
Better README and docs.
Improve URLhaus detections.
Improve the detection of vertical and horizontal portscans.
Unify disabled module names printed in the CLI.
Set the threat level reported to other peers to the max of threat levels seen in any time window.
Faster detections of devices changing IPs.
Remove the home_network feature from Slips.
Faster detection of alerts.
Fix the problem of not using 'command and control channel' evidence in the alert of each profile.

- Python
Published by AlyaGomaa over 2 years ago

stratospherelinuxips - v1.0.8

Use All-ID hash to fingerprint flows stored in the flows database.
Increase the weight of port scan alerts by increasing its threat level.
Fix false positive port scan alerts.
Add an option in slips.conf to wait for the update manager to update all TI feeds before starting Slips to avoid missing any blacklisted IPs evidence.
Fix error detecting password guessing.
Fix issues reading all flows when running on a low-spec device.
Improve the stopping of slips and termination of processes.
Improve the progress bar.
Fix reading flows from stdin.
Better code, logs, and unit tests.

- Python
Published by AlyaGomaa over 2 years ago

stratospherelinuxips - v1.0.7

CPU and memory profilers thanks to @danieltherealyang
Check DNS queries and answers for whitelisted IPs and domains.
Add AID flow hash to all conn.log flows, which is a combination of community_id and the flow's timestamp.
SQLite database improvements and better error handling.
Add support for exporting Slips alerts to a SQLite database .

- Python
Published by AlyaGomaa over 2 years ago

stratospherelinuxips - v1.0.6

Store flows in SQLite database in the output directory instead of Redis.
55% RAM usage decrease.
Support the labeling of flows based on Slips detections.
Add support for exporting labeled flows in JSON and tsv formats.
Code improvements. Change the structure of all modules.
Graceful shutdown of all modules thanks to @danieltherealyang
Print the number of evidence generated by Slips when running on PCAPs and interface.
Improved the detection of ports that belong to a specific organization.
Fix bugs in CYST module.
Fix URLhaus evidence description.
Fix the freezing progress bar issue.
Fix problem starting Slips in docker in Linux.
Ignore ICMP scans if the flow has ICMP type 3
Improve our whitelist. Slips now checks for whitelisted attackers and victims in the generated evidence.
Add embedded documentation in the web interface thanks to @shubhangi013
Improved the choosing of random Redis ports using the -m parameter.

- Python
Published by AlyaGomaa almost 3 years ago

stratospherelinuxips - v1.0.5

Fix missing flows due to modules stopping before the processing is done.
Code improvements. Change the structure of all modules.
Fix how we detect vertical and horizontal port scans.
Update the whitelist by adding all the IPs of whitelisted domains.
Fixed error whitelisting Unencrypted HTTP traffic.
Remove the feature of creating log directories using -l, now the only logs Slips generates are stored in the output/ directory.
Added support for reading flows from any module, not just the input process, using --input-module.
CYST module improvements.
Detect invalid DNS answers when querying ad servers. thanks to @ganesh-dagadi .
Update Slips known ports.
Prevent model.bin and scaler.bin from changing in test mode. thanks to @haleelsada.
Use either 'ip neigh show' or 'arp -an' to get gateway MAC from the host's ARP table. thanks to @naturalnetworks.

- Python
Published by AlyaGomaa about 3 years ago

stratospherelinuxips - v1.0.4

Add more descriptive titles to VT scores in the web UI thanks to @shubhangi.
Add stratoletters documentation, thanks to @haleelsada.
Add the detection of GRE tunnels.
Auto publish our MacOS Docker image when there's a new release, thanks to @pjflux2001
Detect malicious JARM hashes when there's a C&C alert and add our own malicious JARM hashes TI file.
Fix error getting IP confidence in P2P module.
Fix false positive alerts about "connection to private IP" thanks to @Onyx2406.
Fix problem killing all modules before the TI module stops.
Fix problem detecting vertical and horizontal port scans.
Improved CLI progress bar and status updates.
Keep a history of the past user-agents by @haleelsada.
More descriptive evidence.
Refactor code thanks to @danieltherealyang.
Update Slips default whitelist.
Web UI highlighting, new icons, and bug fixes.

- Python
Published by AlyaGomaa about 3 years ago

stratospherelinuxips - v1.0.3

Add HTTP unencrypted traffic detection by @haleelsada
use termcolor by @haleelsada
Instead of dos detection. slips is now detecting all executables thanks to @Onyx2406
Updated the docs for contributing
Fix Leak detector errors when a different version of YARA is used.
fix problem with counting the number of flows to be processed in the progress bar
Remove debugging prints printed by the whois python library to stderr

- Python
Published by AlyaGomaa about 3 years ago

stratospherelinuxips - v1.0.2

Add a blocking indicator in alerts.json
Add a progress bar to slips showing the number of processed flows
Add a zeek script to recognize the gateway IP and add it to notice.log
Add the option to display all evidence in a profile
Add the option to view blocked profiles only in the web interface
Add the uids that caused evidence to the evidence description in alerts.json
Code optimizations
Don't alert "Connection to Private IP" when there's a DNS connection on port 53 UDP to the gateway
Faster reading of netflow and suricata files
Kill web interface on ctrl+c
Support ASNs in our ownmaliciousiocs.csv file
Update slips default whitelist
Use the current user's timezone in alerts.log and alets.json
Fix caching ASN ranges
Fix displaying alerts of profile in the webinterface
Fix error parsing AIP TI list.
Fix having duplicate alerts
Fix problem displaying data from the DB in the web interface
Fix searching in the web interface
Fix vertical and horizontal portscan errors
Fix wrong Source/Target type in alerts.json

- Python
Published by AlyaGomaa over 3 years ago

stratospherelinuxips - v1.0.1

fix FP horizontal portscans caused by zeek flipping connections
Fix Duplicate evidence in multiple alerts
Fix FP urlhaus detetcions, now we use it to check urls only, not domains.
Fix md5 urlhaus lookups
add support for sha256 hashes in files.log generated by zeek
Add detection of weird HTTP methods
Fix race condition trying to update TI files when running multiple slips instances
Fix having multiple port scan alerts with the same timestamp
Add detection for non-SSL connections on port 443
Add detection for non-HTTP connections on port 80
P2P can now work without adding the p2p4slips binary to PATH
Add detection for connections to private IPs from private IPs
Add detection of high entropy DNS TXT answers
Add detection of connections to/from IPs outside the used local network.
Add detection for DHCP scans
Add detection for devices changing IPs.
Support having IP ranges in your own local TI file ownmaliciousiocs.csv
Remove rstcloud TI file from slips.conf
Add the option to change pastebin download detection threshold in slips.conf
Add the option to change shannon entropy threshold detection threshold in slips.conf
Store zeek files in the output directory by default
Portscan detector is now called network service discovery
Move all TI feeds to their separate files in the config/ directory for easier use
Add the option to start slips web interface automatically using -w
Fix multiple SSH client versions detection
Add detection of IPs using multiple SSH server versions
Wait 30 mins before the first connection without DNS evidence
Optimize code and performance
Update Kalispo dependencies to use more secure versions
Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100iocip_latest.json

- Python
Published by AlyaGomaa over 3 years ago

stratospherelinuxips - v1.0.0

Add -g option for running slips on growing zeek dirs. (for example dirs generated by zeek running on an interface)
Add a new log file p2p_reports.log, for logging peer reports only
Add Detection of SSH password guessing by slips in addition to zeek
Add Dockerfiles for MacOS M1
Add support for hosts outside of the network in zeek generated software.log
Alerts now contain attacks done by the profile only (excluding those done to the profile)
Blacklist IP used by blackmatter for exfiltration in config/ownmaliciousiocs
Change colors and CLI evidence format
Create profiles for all IPs by default (source and destination IPs)
Create profiles for all ips reported by peers
Detect empty connections to duckduckgo used by blackmatter for checking internet connection
Don't detect 'connection without dns' when running on an interface except for when it's done by your own IP
Don't force kill all modules when using -P
Don't stop slips when p2p is enabled but slips is given a file, not an interface.
Fix P2P and ubutnu-image Dockerfiles
Fix pastebin downloads detection to include HTTPs too
Ignore NXDOMAINs dns resolution when checking for 'dns without resolutions'
Keep track of old peer reports about the same ip
Make sure the domains that are part of DGA alerts are not whitelisted
Set evidence for each p2p report in the attackers profile
Take p2p reports into consideration when deciding to block an IP

- Python
Published by AlyaGomaa over 3 years ago

stratospherelinuxips - v0.9.6

Add an option to store the zeek log files inside the output dir
Add support for suricata ssh flows
Better detection of suspicious user agents
Detect DNS answers that have a blacklisted IP or CNAME
Detect ICMP scans in netflow files
Don't alert ARP scans from the gateway
Keep track of profiles' past threat levels
Kill all modules after 15 mins to trying to stop them
Kill slips on when redis ConnectionError occurs
Make rotating zeek files configurable. how many days you want to keep the rotated files and how often to rotate
Remove support for VT hash lookups to save quota
Support looking up hashes and domains in URLhaus
Support looking up hashes in Circl.lu
Support looking up IPs in Spamhaus
Support running slips on a growing zeek dir. for example a zeek dir of an interface.
whitelist top tranco top 10k domains for fewer false positive alerts
Fix false positive connection without DNS
Fix importing and exporting to warden servers
Fix P2P
Fix problem detecting SSH logins by zeek
Fix reading zeek tab files
Fix saving the redis database
Fix vertical portscan detections by zeek
Fix zeek rotating files on ctrl+c

- Python
Published by AlyaGomaa over 3 years ago

stratospherelinuxips - v0.9.5

Fix the way we update TI files
Add a new web interface
Detect Incompatible certificate CN
Detect downloads from pastebin with size > 0.012 MBs
Detect DOS executable downloads from http websites
Update the mac database automatically
Support using multiple home network parameters in slips.conf
Add redis.conf for special redis configurations when running slips
Improve portscan or ARP scan alerts
Improve ARPA scan alerts to alert on unique domains
Add new methods to detect data upload
Add the option to close all redis servers when slips can't start because all port are unavailable
Remove support for whitelisting an unsupported org by slips
Better description of alerts exported to Slack
Faster Whitelists
Whitelist connections made by slips causing false positives
Change the unknown ports detections to detect only established connections
Change -killall argument behaviour. now supports closing a specific redis port or all of them at once
Fix exporting module
Fix false positive resolution without connection alerts
Fix disabling alerts
Fix saving and loading the database
Fix running several slips instances
Fix stopping the daemon with -S
Fix how packets are calculated in portscan detections
Fix 'multiple reconnections attempts' detection to detect 5 or more rejected reconnection attempts to the same IP on the same destination port

- Python
Published by AlyaGomaa almost 4 years ago

stratospherelinuxips - v0.9.3

Slips v0.9.3

Run multiple slips instances on demand using (-m), and use redis port 6379 by default.
Fix false positive 'DNS resolution without connection' alerts
Faster Slips and reduced memory and CPU consumption
Better 'unknown ports' detections
Faster reading of local TI files
Fix docker not working in macOS
Fix problem generating the data upload alerts
Improve contributing guidelines
Update microsoft whitelisted IP ranges
Fix problem stopping input process when slips stops
Update the locations of GeoIP database in zeek for better zeek detections
Fix P2P output dir, now it's the same as alerts.log and slips.log
Update our usage of macvendors.com API
Whitelist the connections made by slips, so now you won't be alerted when Slips is using virustotal.com or macvendors.com

- Python
Published by AlyaGomaa almost 4 years ago

stratospherelinuxips - v0.9.2

Slips v0.9.2

Add a MacOS dockerfile to be able run Docker in MacOS
Fix saving the database in MacOS and Linux
Fix problem updating TI files
Fix problem starting and stopping the Daemon
Fix false positive ARP MITM attacks
Fix problem stopping slips when using whitelists
Fix problem opening unused redis ports

- Python
Published by AlyaGomaa almost 4 years ago

stratospherelinuxips - v0.9.1

Slips v0.9.1:

Drop root privileges in modules that don't need them
Added support for running slips in the background as a daemon
Fix the issue of growing zeek logs by deleting old zeek logs every 1 day. (optional but enabled by default)
Added support for running several instances of slips at the same time.
Saving and loading the db in macos
Fix reading flows from stdin, now it supports zeek, argus and suricata
Faster Startup of slips, now slips updates the TI files in the background
Added slips.log where all Slips logs goes. in daemon and interactive mode
Automatic starting of redis servers (cache and main databases).
Added a new TI file https://hole.cert.pl/domains/domains.json
Update the docs and added instructions for contributing and creating a new module

- Python
Published by AlyaGomaa almost 4 years ago