Merge pull request #459 from stratosphereips/develop

Slips v1.0.11

Author: AlyaGomaa

CHANGELOG.md

@@ -1,3 +1,13 @@
+- 1.0.11 (February 2024)
+- Improve the logging of evidence in alerts.json and alerts.log.
+- Optimize the storing of evidence in the Redis database.
+- Fix problem of missing evidence, now all evidence is logged correctly.
+- Fix problem adding flows to incorrect time windows.
+- Fix problem setting SSH version changing evidence.
+- Fix problem closing Redis ports using -k.
+- Fix problem closing the progress bar.
+- Fix problem releasing the terminal when Slips is done.
+
 - 1.0.10 (January 2024)
 - Faster ensembling of evidence.
 - Log accumulated threat levels of each evidence in alerts.json.

README.md

@@ -1,5 +1,5 @@
 <h1 align="center"> 
-Slips v1.0.10
+Slips v1.0.11
 </h1>
 
 
@@ -125,7 +125,7 @@ or our command-line based interface Kalipso
 
 ##### Web interface
 
-    ./webinteface.sh
+    ./webinterface.sh
 
 Then navigate to ```http://localhost:55000/``` from your browser.
 

VERSION

@@ -1 +1 @@
-1.0.10
+1.0.11

config/slips.conf

@@ -345,24 +345,25 @@ receive_delay = 86400
 # All the following detections are turned on by default
 # Turn them off by adding any of the following detections to the disabled_detections list
 
-# ARPScan, ARP-outside-localnet, UnsolicitedARP, MITM-ARP-attack, SSHSuccessful,
-# LongConnection, MultipleReconnectionAttempts,
-# ConnectionToMultiplePorts, InvalidCertificate, UnknownPort, Port0Connection,
-# ConnectionWithoutDNS, DNSWithoutConnection,
-# MaliciousJA3, DataExfiltration, SelfSignedCertificate, VerticalPortscan,
-# HorizontalPortscan, Password_Guessing, MaliciousFlow,
-# SuspiciousUserAgent, multiple_google_connections, NETWORK_gps_location_leaked,
-# Command-and-Control-channels-detection, InvalidCertificate
-# ThreatIntelligenceBlacklistDomain, ThreatIntelligenceBlacklistIP,
-# ThreatIntelligenceBlacklistedASN, MaliciousDownloadedFile,
- # DGA, MaliciousSSLCert, YoungDomain, MultipleSSHVersions
-# DNS-ARPA-Scan, SMTPLoginBruteforce, BadSMTPLogin,
-# IncompatibleUserAgent, ICMP-Timestamp-Scan, ICMP-AddressScan, ICMP-AddressMaskScan
-# EmptyConnections, IncompatibleCN, PastebinDownload, ExecutableMIMEType
-# MultipleUserAgent, DifferentLocalnet, ConnectionToPrivateIP, HTTPtraffic
-# InvalidDNSResolution
-
-# disabled_detections = [ConnectionToMultiplePorts, PortScanType1]
+# ARP_SCAN, ARP_OUTSIDE_LOCALNET, UNSOLICITED_ARP, MITM_ARP_ATTACK,
+# YOUNG_DOMAIN, MULTIPLE_SSH_VERSIONS, DIFFERENT_LOCALNET,
+# DEVICE_CHANGING_IP, NON_HTTP_PORT_80_CONNECTION, NON_SSL_PORT_443_CONNECTION,
+# WEIRD_HTTP_METHOD, INCOMPATIBLE_CN, DGA_NXDOMAINS, DNS_WITHOUT_CONNECTION,
+# PASTEBIN_DOWNLOAD, CONNECTION_WITHOUT_DNS, DNS_ARPA_SCAN, UNKNOWN_PORT,
+# PASSWORD_GUESSING, HORIZONTAL_PORT_SCAN, CONNECTION_TO_PRIVATE_IP, GRE_TUNNEL,
+# VERTICAL_PORT_SCAN, SSH_SUCCESSFUL, LONG_CONNECTION, SELF_SIGNED_CERTIFICATE,
+# MULTIPLE_RECONNECTION_ATTEMPTS, CONNECTION_TO_MULTIPLE_PORTS, HIGH_ENTROPY_DNS_ANSWER,
+# INVALID_DNS_RESOLUTION, PORT_0_CONNECTION, MALICIOUS_JA3, MALICIOUS_JA3S,
+# DATA_UPLOAD, BAD_SMTP_LOGIN, SMTP_LOGIN_BRUTEFORCE, MALICIOUS_SSL_CERT,
+# MALICIOUS_FLOW, SUSPICIOUS_USER_AGENT, EMPTY_CONNECTIONS, INCOMPATIBLE_USER_AGENT,
+# EXECUTABLE_MIME_TYPE, MULTIPLE_USER_AGENT, HTTP_TRAFFIC, MALICIOUS_JARM,
+# NETWORK_GPS_LOCATION_LEAKED, ICMP_TIMESTAMP_SCAN, ICMP_ADDRESS_SCAN,
+#  ICMP_ADDRESS_MASK_SCAN, DHCP_SCAN, MALICIOUS_IP_FROM_P2P_NETWORK, P2P_REPORT,
+#  COMMAND_AND_CONTROL_CHANNEL, THREAT_INTELLIGENCE_BLACKLISTED_ASN,
+#  THREAT_INTELLIGENCE_BLACKLISTED_IP, THREAT_INTELLIGENCE_BLACKLISTED_DOMAIN,
+# MALICIOUS_DOWNLOADED_FILE, MALICIOUS_URL
+
+# disabled_detections = [THREAT_INTELLIGENCE_BLACKLISTED_IP, CONNECTION_TO_PRIVATE_IP]
 disabled_detections = []
 
 ####################

conftest.py

@@ -21,26 +21,29 @@
 
 
 @pytest.fixture
-def mock_rdb():
+def mock_db():
     # Create a mock version of the database object
     with patch('slips_files.core.database.database_manager.DBManager') as mock:
         yield mock.return_value
 
 def do_nothing(*arg):
-    """Used to override the print function because using the self.print causes broken pipes"""
+    """Used to override the print function because using the self.print causes
+    broken pipes"""
     pass
 
 @pytest.fixture
 def input_queue():
-    """This input_queue will be passed to all module constructors that need it"""
+    """This input_queue will be passed to all module constructors that need
+     it"""
     input_queue = Queue()
     input_queue.put = do_nothing
     return input_queue
 
 
 @pytest.fixture
 def profiler_queue():
-    """This profiler_queue will be passed to all module constructors that need it"""
+    """This profiler_queue will be passed to all module constructors that need
+    it"""
     profiler_queue = Queue()
     profiler_queue.put = do_nothing
     return profiler_queue

dataset/test14-malicious-zeek-dir/http.log

@@ -515,3 +515,7 @@
 {"ts":256.462234,"uid":"C6pigI2xhEcRM11ul5","id.orig_h":"10.0.2.15","id.orig_p":49422,"id.resp_h":"147.32.80.7","id.resp_p":80,"trans_depth":7,"method":"GET","host":"147.32.80.7","uri":"/wpad.dat","version":"1.1","request_body_len":0,"response_body_len":593,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["F9fIvwQnkVDaTbP3b"],"resp_mime_types":["text/plain"]}
 {"ts":256.472445,"uid":"ClMSbZVMEHMJrIUFg","id.orig_h":"10.0.2.15","id.orig_p":49421,"id.resp_h":"147.32.80.7","id.resp_p":80,"trans_depth":7,"method":"GET","host":"147.32.80.7","uri":"/wpad.dat","version":"1.1","request_body_len":0,"response_body_len":593,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FdmOWS7AXNlR2iaya"],"resp_mime_types":["text/plain"]}
 {"ts":256.550217,"uid":"C6ISUE3ZtRgrPYiTd","id.orig_h":"10.0.2.15","id.orig_p":49465,"id.resp_h":"54.239.168.175","id.resp_p":80,"trans_depth":1,"method":"GET","host":"x.ss2.us","uri":"/x.cer","version":"1.1","user_agent":"Microsoft-CryptoAPI/6.1","request_body_len":0,"response_body_len":1302,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FzV4Kl11UtKFOqcLf4"]}
+{"ts":256.550218,"uid":"CMbXf021RgZlvixHhd","id.orig_h":"10.0.2.15","id.orig_p":45760,"id.resp_h":"142.250.200.238","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":219,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["Faa9ZB2vezZSLlpr9l"],"resp_mime_types":["text/html"]}
+{"ts":256.550290,"uid":"CE2oyw2vkIR1JETHOb","id.orig_h":"10.0.2.15","id.orig_p":44476,"id.resp_h":"142.250.200.228","id.resp_p":80,"trans_depth":1,"method":"GET","host":"www.google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":20626,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FjQHUY3rnpA1s8PsEa"],"resp_mime_types":["text/html"]}
+{"ts":256.550291,"uid":"CE2oyw2vkIR1JETHOb","id.orig_h":"10.0.2.15","id.orig_p":44476,"id.resp_h":"142.250.200.228","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":20626,"status_code":200,"status_msg":"OK","tags":[],"resp_fuids":["FjQHUY3rnpA1s8PsEa"],"resp_mime_types":["text/html"]}
+{"ts":256.550295,"uid":"C9wOvkjAJynTX6uVi","id.orig_h":"10.0.2.15","id.orig_p":45770,"id.resp_h":"142.250.200.238","id.resp_p":80,"trans_depth":1,"method":"GET","host":"google.com","uri":"/","version":"1.1","user_agent":"Wget/1.21.2","request_body_len":0,"response_body_len":219,"status_code":301,"status_msg":"Moved Permanently","tags":[],"resp_fuids":["FG8Tka4NxZUyOunZuc"],"resp_mime_types":["text/html"]}