Skip to content

Releases: stratosphereips/StratosphereLinuxIPS

v1.1.4

29 Nov 14:01
fb6478e
Compare
Choose a tag to compare
  • Fix changing the used database in the web interface.
  • Reduce false positive evidence about malicious downloaded files.
  • Fix datetime errors when running on an interface.
  • Improve the detection of "DNS without connection".
  • Add support for a light Slips docker image.

v1.1.3

31 Oct 13:29
6e6bc6f
Compare
Choose a tag to compare
  • Enhance Slips shutdown process for smoother operations.
  • Optimize resource management in Slips, resolving issues with lingering threads in memory.
  • Remove the progress bar; Slips now provides regular statistical updates.
  • Improve unit testing—special thanks to @Sekhar-Kumar-Dash.
  • Drop support for macOS, P2P, and platform-specific Docker images. A unified Docker image is now available for all platforms.
  • Correct the number of evidence reported in statistics.
  • Fix incorrect end date reported in metadata/info.txt upon analysis completion.
  • Print more information to CLI on Slips startup, including network details, client IP, thresholds used, and more.
  • Reduce false positives from Spamhaus by looking up inbound traffic only.
  • Speed up horizontal port scan detections.
  • Enhance logging of IDMEF errors.
  • Resolve issues with the accumulated threat level reported in alerts.json.

v1.1.2

30 Sep 15:17
Compare
Choose a tag to compare
  • Add a relation between related evidence in alerts.json
  • Better unit tests. Thanks to @Sekhar-Kumar-Dash
  • Discontinued MacOS m1 docker images, P2p images, and slips dependencies image.
  • Fix the problem of the progress bar stopping before analysis is done, causing Slips to freeze when analyzing large PCAPs.
  • Improve how Slips recognizes the current host IP.
  • Increase the speed of the Flowalerts module by changing how Slips checks for DNS servers.
  • Major code improvements.
  • Remove redundant keys from the Redis database.
  • Remove unused keys from the Redis database.
  • Use IDMEFv2 format in alerts.json instead of IDEA0.
  • Wait for modules to finish 1 week by default.

v1.1.1

04 Sep 12:58
47e59b8
Compare
Choose a tag to compare
  • Better unit tests. Thanks to @Sekhar-Kumar-Dash.
  • Fix Slips installation script at install/install.sh
  • Fix the issue of the flowalerts module not analyzing all given conn.log flows.
  • Fix the Zeek warning caused by one of the loaded Zeek scripts.
  • Improve how Slips validates domains taken from TI feeds.
  • Improve whitelists.
  • Update Python dependencies.
  • Better handling of connections to the Redis database.

v1.1

31 Jul 20:54
d5763dd
Compare
Choose a tag to compare
  • Update Python version to 3.10.12 and all the Python libraries used by Slips.
  • Update nodejs and Zeek.
  • Improve the stopping of Slips. Modules now have more time to process flows.
  • Fix database unit tests overwriting redis configuration file.
  • New configuration file format, Slips is now using YAML thanks to @patel-lay.
  • Better unit tests. thanks to @Sekhar-Kumar-Dash.
  • GitHub workflow improvements.
  • Fix the RNN module and add a new model.
  • Horizontal port scan detection improvements.

v1.0.15

14 Jun 11:49
fb4246d
Compare
Choose a tag to compare
  • Add a Parameter to export strato letters to re-train the RNN model.
  • Better organization of flowalerts module by splitting it into many specialized files.
  • Better unit tests. thanks to @Sekhar-Kumar-Dash
  • Disable "Connection without DNS resolution" evidence to DNS servers.
  • Fix displaying "Failed" as the protocol name in the web interface when reading Suricata flows.
  • Fix problem reversing source and destination addresses in JA3 evidence description.
  • Improve CI by using more parallelization.
  • Improve non-SSL and non-HTTP detections by making sure that the sum of bytes sent and received is zero.
  • Improve RNN evidence description, now it's more clear which IP is the botnet, and which is the C&C server.
  • Improve some threat levels of evidence to reduce false positives.
  • Improve whitelists. Better matching, more domains added, reduced false positives.
  • More minimal Slips notifications, now Slips displays the alert description instead of all evidence in the alert.
  • The port of the web interface is now configurable in slips.conf

v1.0.14

15 May 13:33
3a1ca1c
Compare
Choose a tag to compare
  • Improve whitelists by better matching of ASNs, domains, and organizations.
  • Whitelist Microsoft, Apple, Twitter, Facebook, and Google alerts by default to reduce false positives.
  • Better unit tests. Thanks to @Sekhar-Kumar-Dash
  • Speed up port scan detections.
  • Fix the issue of overwriting Redis configuration file every run.
  • Add more info to metadata/info.txt for each run.

v1.0.13

16 Apr 15:30
5dcbb7c
Compare
Choose a tag to compare
  • Whitelist alerts to all organizations by default to reduce false positives.
  • Improve and compress Slips Docker images.
  • Improve CI and add pre-commit hooks.
  • Fix problem reporting victims in alerts.json.
  • Better docs for the threat intelligence module.
  • Improve whitelists.
  • Better detection threshold to reduce false positives.
  • Better unit tests.
  • Fix problems stopping the daemon.

v1.0.12

15 Mar 15:53
d697955
Compare
Choose a tag to compare
  • Add an option to specify the current client IP in slips.conf to help avoid false positives.
  • Better handling of URLhaus threat intelligence.
  • Change how slips determines the local network of the current client IP.
  • Fix issues with the progress bar.
  • Fix problem logging alerts and errors to alerts.log and erros.log.
  • Fix problem reporting evidence to other peers.
  • Fix problem starting the web interface.
  • Fix whitelists.
  • Improve how the evidence for young domain detections is set.
  • Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
  • Set evidence to all young domain IPs when a connection to a young domain is found.
  • Set two evidence in some detections e.g. when the source address connects to a blacklisted IP, evidence is set for both.
  • Use blacklist name instead of IP description in all evidence.
  • Use the latest Redis and NodeJS version in all docker images.

v1.0.11

15 Feb 18:02
7409d01
Compare
Choose a tag to compare
  • Improve the logging of evidence in alerts.json and alerts.log.
  • Optimize the storing of evidence in the Redis database.
  • Fix problem of missing evidence, now all evidence is logged correctly.
  • Fix problem adding flows to incorrect time windows.
  • Fix problem setting SSH version changing evidence.
  • Fix problem closing Redis ports using -k.
  • Fix problem closing the progress bar.
  • Fix problem releasing the terminal when Slips is done.