Cannot shutdown SLIPS after intercepting traffic with -p option #1533

Open
@jsvobo

Description

While running intercept on my traffic with -p, I cannot escape the shell. I have to wait to be able to CTRL+C again to kill it, and it kills the whole Docker process. While waiting to be able to escape, this is the Docker CPU usage:

[Image: Docker CPU usage]

There is no output after step 7, the process just ends. After that, I cannot start a new container (step 2) and I have to restart dockerhub. There is an error in dockerhub before restarting.

[Image: dockerhub error before restarting]

Steps to reproduce the behavior:

  1. Go to branch master
  2. (From PowerShell on Windows) Run docker run -it --rm --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest
  3. While inside, run ./slips.py -i eth0 -p
  4. When SLIPS is fully running, end with CTRL+C
  5. Blocked shell, can't do anything
  6. wait a while (20 mins?)
  7. CTRL+C again to kill the process (kills the docker with it)

Shell output
root@docker-desktop:/StratosphereLinuxIPS# ./slips.py -i eth0 -p
Slips Version: 1.1.10
https://stratosphereips.org

[Main] Storing Slips logs in output/eth0_2025-07-11_08:40:05/
[Main] Detected host IP: 192.168.65.3
[Main] Using redis server on port: 6379
Started Main process [PID 309]
Starting modules
Starting the module ARP Poisoner (ARP poisons attackers to isolate them from the network.) [PID 331]
Starting the module Blocking (Block malicious IPs connecting to this device) [PID 343]
Starting the module ARP (Detect ARP attacks) [PID 345]
Starting the module Flow Alerts (Alerts about flows: long connection, successful ssh, password guessing, self-signed certificate, data exfiltration, etc.) [PID 347]
Starting the module Flow ML Detection (Train or test a Machine Learning model to detect malicious flows) [PID 349]
Starting the module HTTP Analyzer (Analyze HTTP flows) [PID 350]
Starting the module IP Info (Get different info about an IP/MAC address) [PID 351]
Starting the module Network Discovery (Detect Horizonal, Vertical, ICMP and DHCP Scans.) [PID 354]
Starting the module Risk IQ (Module to get passive DNS info about IPs from RiskIQ) [PID 355]
Starting the module RNN C&C Detection (Detect C&C channels based on behavioral letters) [PID 356]
Starting the module Threat Intelligence (Check if the source IP or destination IP are in a malicious list of IPs) [PID 374]
Starting the module Timeline (Creates kalipso timeline of what happened in the network based on flows and available data) [PID 376]
WARNING:absl:Compiled the loaded model, but the compiled metrics have yet to be built. model.compile_metrics will be empty until you train or evaluate the model.
Starting the module Update Manager (Update Threat Intelligence files) [PID 377]
Starting the module Virustotal (IP, domain and file hash lookup on Virustotal) [PID 378]

[Main] Disabled Modules: ['template', 'exporting_alerts', 'p2ptrust', 'fidesModule', 'irisModule', 'cesnet', 'leak_detector', 'cyst']
Started Evidence Process [PID 379]
[EvidenceHandler] Using threshold: 0.25
Started Profiler Process [PID 380]
[Main] Metadata added to output/eth0_2025-07-11_08:40:05/metadata
Started Input Process [PID 384]
[Input] Storing zeek log files in output/eth0_2025-07-11_08:40:05/zeek_files
[Main] Warning: Slips may generate a large amount of traffic by querying TI sites.
[Profiler] Used local network: 192.168.65.0/24
[Main] Detected gateway IP: 192.168.65.1
[Main] Detected gateway MAC: 5a:94:ef:e4:0c:dd
[Blocking] Blocked all traffic from: 192.168.65.1ence: 53. Number of IPs seen in the last (1 hr): 3. Analyzed 36 flows/min.

After the DG (192.168.65.1) is blocked, the process seems to stop for me? There are no updates in the CLI after that, so maybe that is the reason for the blocking? Before that, the number of flows captured is updating and the command line is responding. See how the last line in the shell output is malformed. If I CTRL+C before the blocking of the address, then SLIPS ends normally, stopping all of the modules and exiting.

Branch
Master

Environment:

  • OS: Windows 11 Education
  • Python version: 3.12.2
  • Are you running slips in docker or locally? Yes, Docker
  • Docker version: 28.3.0, build 38b7060
  • Commit hash: 31e689d
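The log above shows SLIPS blocking the very gateway (192.168.65.1) it had detected a few lines earlier, and the reporter suspects that is where the run stalls. Whether or not that is the root cause here, a sensor that installs blocks on its own host should never block its default gateway or its own address, since that cuts the sensor off from the network it is protecting. The script below is an added illustration of such a guard; it is not SLIPS code. The route text and host address are constructed to match the log, and block_ip_backend is a hypothetical stand-in for the real blocking action.

```shell
#!/bin/sh
# Added example (not SLIPS's own code): a pre-block guard that refuses to
# block the default gateway or the host's own address before handing the
# address to a blocking backend.

# Constructed sample of `ip route show default` output; a live guard would
# read this from the command itself.
SAMPLE_ROUTE='default via 192.168.65.1 dev eth0'
# Host address as reported in the log above (constructed to match).
HOST_IP='192.168.65.3'

gateway_from_route() {
  # $1: text in `ip route show default` format; prints the gateway address
  printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

is_protected() {
  # $1: candidate IP, $2: gateway IP, $3: host IP
  # Returns 0 (true) when the address must never be blocked.
  case "$1" in
    "$2"|"$3"|127.*|0.0.0.0) return 0 ;;
  esac
  return 1
}

block_ip_backend() {
  # Hypothetical stand-in for the real blocking action (e.g. a firewall rule);
  # it only records what would have been blocked so the example runs anywhere.
  BLOCKED="${BLOCKED:+$BLOCKED }$1"
}

guarded_block() {
  # $1: candidate IP. Returns 0 if blocked, 2 if skipped as protected.
  gw=$(gateway_from_route "$SAMPLE_ROUTE")
  if is_protected "$1" "$gw" "$HOST_IP"; then
    echo "skip: $1 is the gateway or the host; blocking it would cut the sensor off"
    return 2
  fi
  block_ip_backend "$1"
  echo "blocked: $1"
  return 0
}

# Usage: a constructed non-local address is blocked, the gateway is skipped.
guarded_block 10.0.0.5 || true
guarded_block 192.168.65.1 || true
```

The guard runs the gateway lookup on every call rather than once at start-up, because the gateway can change while a long-running capture is in progress.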
