
Commit

Merge pull request #459 from stratosphereips/develop
Slips v1.0.11
AlyaGomaa authored Feb 15, 2024
2 parents dd5606a + 78366c8 commit 7409d01
Showing 90 changed files with 7,442 additions and 5,641 deletions.
10 changes: 10 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,13 @@
- 1.0.11 (February 2024)
- Improve the logging of evidence in alerts.json and alerts.log.
- Optimize the storing of evidence in the Redis database.
- Fix problem of missing evidence, now all evidence is logged correctly.
- Fix problem adding flows to incorrect time windows.
- Fix problem setting SSH version changing evidence.
- Fix problem closing Redis ports using -k.
- Fix problem closing the progress bar.
- Fix problem releasing the terminal when Slips is done.

- 1.0.10 (January 2024)
- Faster ensembling of evidence.
- Log accumulated threat levels of each evidence in alerts.json.
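Review bot: the 1.0.11 entries omit the rename of the evidence type names accepted by disabled_detections in config/slips.conf, which this same commit changes from spellings like ConnectionToMultiplePorts to CONNECTION_TO_MULTIPLE_PORTS; users with a customised slips.conf have to update their entries, so add a line such as "- Rename evidence types in disabled_detections to upper snake case (e.g. CONNECTION_TO_MULTIPLE_PORTS)". "Fix problem of missing evidence" would also be more useful to readers if it named which evidence was previously dropped.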
4 changes: 2 additions & 2 deletions README.md
@@ -1,5 +1,5 @@
<h1 align="center">
Slips v1.0.10
Slips v1.0.11
</h1>


@@ -125,7 +125,7 @@ or our command-line based interface Kalipso

##### Web interface

./webinteface.sh
./webinterface.sh

Then navigate to ```http://localhost:55000/``` from your browser.

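Review bot: this corrects the typo webinteface.sh to webinterface.sh in the instructions only; please confirm the script in the repository root is actually named webinterface.sh, since an instruction that does not match the file name is exactly the defect this hunk fixes.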
2 changes: 1 addition & 1 deletion VERSION
@@ -1 +1 @@
1.0.10
1.0.11
37 changes: 19 additions & 18 deletions config/slips.conf
@@ -345,24 +345,25 @@ receive_delay = 86400
# All the following detections are turned on by default
# Turn them off by adding any of the following detections to the disabled_detections list

# ARPScan, ARP-outside-localnet, UnsolicitedARP, MITM-ARP-attack, SSHSuccessful,
# LongConnection, MultipleReconnectionAttempts,
# ConnectionToMultiplePorts, InvalidCertificate, UnknownPort, Port0Connection,
# ConnectionWithoutDNS, DNSWithoutConnection,
# MaliciousJA3, DataExfiltration, SelfSignedCertificate, VerticalPortscan,
# HorizontalPortscan, Password_Guessing, MaliciousFlow,
# SuspiciousUserAgent, multiple_google_connections, NETWORK_gps_location_leaked,
# Command-and-Control-channels-detection, InvalidCertificate
# ThreatIntelligenceBlacklistDomain, ThreatIntelligenceBlacklistIP,
# ThreatIntelligenceBlacklistedASN, MaliciousDownloadedFile,
# DGA, MaliciousSSLCert, YoungDomain, MultipleSSHVersions
# DNS-ARPA-Scan, SMTPLoginBruteforce, BadSMTPLogin,
# IncompatibleUserAgent, ICMP-Timestamp-Scan, ICMP-AddressScan, ICMP-AddressMaskScan
# EmptyConnections, IncompatibleCN, PastebinDownload, ExecutableMIMEType
# MultipleUserAgent, DifferentLocalnet, ConnectionToPrivateIP, HTTPtraffic
# InvalidDNSResolution

# disabled_detections = [ConnectionToMultiplePorts, PortScanType1]
# ARP_SCAN, ARP_OUTSIDE_LOCALNET, UNSOLICITED_ARP, MITM_ARP_ATTACK,
# YOUNG_DOMAIN, MULTIPLE_SSH_VERSIONS, DIFFERENT_LOCALNET,
# DEVICE_CHANGING_IP, NON_HTTP_PORT_80_CONNECTION, NON_SSL_PORT_443_CONNECTION,
# WEIRD_HTTP_METHOD, INCOMPATIBLE_CN, DGA_NXDOMAINS, DNS_WITHOUT_CONNECTION,
# PASTEBIN_DOWNLOAD, CONNECTION_WITHOUT_DNS, DNS_ARPA_SCAN, UNKNOWN_PORT,
# PASSWORD_GUESSING, HORIZONTAL_PORT_SCAN, CONNECTION_TO_PRIVATE_IP, GRE_TUNNEL,
# VERTICAL_PORT_SCAN, SSH_SUCCESSFUL, LONG_CONNECTION, SELF_SIGNED_CERTIFICATE,
# MULTIPLE_RECONNECTION_ATTEMPTS, CONNECTION_TO_MULTIPLE_PORTS, HIGH_ENTROPY_DNS_ANSWER,
# INVALID_DNS_RESOLUTION, PORT_0_CONNECTION, MALICIOUS_JA3, MALICIOUS_JA3S,
# DATA_UPLOAD, BAD_SMTP_LOGIN, SMTP_LOGIN_BRUTEFORCE, MALICIOUS_SSL_CERT,
# MALICIOUS_FLOW, SUSPICIOUS_USER_AGENT, EMPTY_CONNECTIONS, INCOMPATIBLE_USER_AGENT,
# EXECUTABLE_MIME_TYPE, MULTIPLE_USER_AGENT, HTTP_TRAFFIC, MALICIOUS_JARM,
# NETWORK_GPS_LOCATION_LEAKED, ICMP_TIMESTAMP_SCAN, ICMP_ADDRESS_SCAN,
# ICMP_ADDRESS_MASK_SCAN, DHCP_SCAN, MALICIOUS_IP_FROM_P2P_NETWORK, P2P_REPORT,
# COMMAND_AND_CONTROL_CHANNEL, THREAT_INTELLIGENCE_BLACKLISTED_ASN,
# THREAT_INTELLIGENCE_BLACKLISTED_IP, THREAT_INTELLIGENCE_BLACKLISTED_DOMAIN,
# MALICIOUS_DOWNLOADED_FILE, MALICIOUS_URL

# disabled_detections = [THREAT_INTELLIGENCE_BLACKLISTED_IP, CONNECTION_TO_PRIVATE_IP]
disabled_detections = []

####################
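Review bot: renaming every evidence type in this comment from CamelCase (ConnectionToMultiplePorts, ThreatIntelligenceBlacklistIP, ...) to upper snake case (CONNECTION_TO_MULTIPLE_PORTS, THREAT_INTELLIGENCE_BLACKLISTED_IP, ...) changes the accepted values of a user-facing setting: an existing slips.conf that still lists the old spellings in disabled_detections will no longer match any detection, so the detections the operator meant to switch off stay on with no indication why. Suggest the config loader log a warning for every disabled_detections entry that is not in this list, and that the comment state that the old names are no longer recognised.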
11 changes: 7 additions & 4 deletions conftest.py
@@ -21,26 +21,29 @@


@pytest.fixture
def mock_rdb():
def mock_db():
# Create a mock version of the database object
with patch('slips_files.core.database.database_manager.DBManager') as mock:
yield mock.return_value

def do_nothing(*arg):
"""Used to override the print function because using the self.print causes broken pipes"""
"""Used to override the print function because using the self.print causes
broken pipes"""
pass

@pytest.fixture
def input_queue():
"""This input_queue will be passed to all module constructors that need it"""
"""This input_queue will be passed to all module constructors that need
it"""
input_queue = Queue()
input_queue.put = do_nothing
return input_queue


@pytest.fixture
def profiler_queue():
"""This profiler_queue will be passed to all module constructors that need it"""
"""This profiler_queue will be passed to all module constructors that need
it"""
profiler_queue = Queue()
profiler_queue.put = do_nothing
return profiler_queue
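Review bot: the do_nothing(*arg) stub that replaces print and the queues' put method (context line in this hunk) accepts only positional arguments, so any call that passes a keyword, such as print(..., end='') or put(item, block=False), raises TypeError inside the test instead of being swallowed; change it to def do_nothing(*args, **kwargs). The rename of the fixture mock_rdb to mock_db also needs every test that requests it by parameter name updated, otherwise pytest reports "fixture 'mock_rdb' not found". The re-wrapped docstrings break mid-phrase ("that need / it"); wrap at a clause boundary so they stay readable.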
4 changes: 4 additions & 0 deletions dataset/test14-malicious-zeek-dir/http.log
@@ -515,3 +515,7 @@
{"ts":256.462234,"uid":"C6pigI2xhEcRM11ul5","id.orig_h":"10.0.2.15","id.orig_p":49422,"id.resp_h":"147.32.80.7","id.resp_p":80,"trans_depth":7,"method":"GET","host":"147.32.80.7","uri":"/wpad.dat","version":"1.1","request_body_len":0,"response_body_len":593,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F9fIvwQnkVDaTbP3b"],"resp_mime_types":["text/plain"]}
{"ts":256.472445,"uid":"ClMSbZVMEHMJrIUFg","id.orig_h":"10.0.2.15","id.orig_p":49421,"id.resp_h":"147.32.80.7","id.resp_p":80,"trans_depth":7,"method":"GET","host":"147.32.80.7","uri":"/wpad.dat","version":"1.1","request_body_len":0,"response_body_len":593,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FdmOWS7AXNlR2iaya"],"resp_mime_types":["text/plain"]}
{"ts":256.550217,"uid":"C6ISUE3ZtRgrPYiTd","id.orig_h":"10.0.2.15","id.orig_p":49465,"id.resp_h":"54.239.168.175","id.resp_p":80,"trans_depth":1,"method":"GET","host":"x.ss2.us","uri":"/x.cer","version":"1.1","user_agent":"Microsoft-CryptoAPI/6.1","request_body_len":0,"response_body_len":1302,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FzV4Kl11UtKFOqcLf4"]}
{"ts":256.550218,"uid":"CMbXf021RgZlvixHhd","id.orig_h":"10.0.2.15","id.orig_p":45760,"id.resp_h":"142.250.200.238","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":219,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["Faa9ZB2vezZSLlpr9l"],"resp_mime_types":["text/html"]}
{"ts":256.550290,"uid":"CE2oyw2vkIR1JETHOb","id.orig_h":"10.0.2.15","id.orig_p":44476,"id.resp_h":"142.250.200.228","id.resp_p":80,"trans_depth":1,"method":"GET","host":"www.google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":20626,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FjQHUY3rnpA1s8PsEa"],"resp_mime_types":["text/html"]}
{"ts":256.550291,"uid":"CE2oyw2vkIR1JETHOb","id.orig_h":"10.0.2.15","id.orig_p":44476,"id.resp_h":"142.250.200.228","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":20626,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FjQHUY3rnpA1s8PsEa"],"resp_mime_types":["text/html"]}
{"ts":256.550295,"uid":"C9wOvkjAJynTX6uVi","id.orig_h":"10.0.2.15","id.orig_p":45770,"id.resp_h":"142.250.200.238","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":219,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FG8Tka4NxZUyOunZuc"],"resp_mime_types":["text/html"]}
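Review bot: two of the added records share uid CE2oyw2vkIR1JETHOb and resp_fuids FjQHUY3rnpA1s8PsEa with the same trans_depth of 1 but different host values (www.google.com and google.com); in Zeek's http.log one uid is one connection and trans_depth distinguishes the requests on it, so two entries with identical uid and trans_depth are not something Zeek would emit. If the duplicate is deliberate, to exercise how Slips handles a repeated request on the same connection, say so in the test that reads this dataset; otherwise give the second record its own uid or trans_depth 2. The other added records (origin ports 45760 and 45770 to 142.250.200.238) are consistent with the surrounding data.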

0 comments on commit 7409d01