New Slips version 1.0.1 is here!

Our team is excited to share the latest news and features of Slips, our behavior-based machine learning intrusion detection system.

What We Are Particularly Excited About

In this release we are particularly excited about these new Slips features:

  • Add detection for connections to private IPs from private IPs

  • Add detection for devices changing IPs

  • Add detection for DHCP scans

  • Add detection for non-HTTP connections on port 80

  • Add detection for non-SSL connections on port 443

  • Add detection of connections to/from IPs outside the used local network

  • Add detection of high entropy DNS TXT answers 

  • Add detection of IPs using multiple SSH server versions

  • Add detection of weird HTTP methods

  • Add support for SHA256 hashes in files.log generated by Zeek

  • Add the option to change pastebin download detection threshold in slips.conf

  • Add the option to change the Shannon entropy detection threshold in slips.conf

  • Add the option to start slips web interface automatically using -w

  • Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json
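Two of the items above, the detection of high entropy DNS TXT answers and the configurable Shannon entropy threshold, are easy to illustrate together. The following is an added example written for this post, not code from the Slips project: it computes the Shannon entropy of each TXT answer in a Zeek dns.log written in JSON format and flags the ones above a threshold. The 5.0 default threshold, the sample log records and the `tunnel.example.net` query are all constructed for the example; Slips reads its real threshold from slips.conf.

```python
"""Flag DNS TXT answers whose Shannon entropy exceeds a threshold.

Added example, not Slips' own code. Assumes a Zeek dns.log in JSON
format (one object per line) with the standard 'query', 'qtype_name'
and 'answers' fields. Sample records and the threshold are constructed.
"""
import json
import math
import string
from collections import Counter

# Assumed default for this example; Slips exposes the real value in slips.conf.
ENTROPY_THRESHOLD = 5.0


def shannon_entropy(text: str) -> float:
    """Bits per symbol: -sum p(c) * log2 p(c) over the characters of text."""
    if not text:
        return 0.0
    n = len(text)
    counts = Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def high_entropy_txt_answers(dns_log_lines, threshold=ENTROPY_THRESHOLD):
    """Return (query, answer_text, entropy) for every TXT answer above threshold."""
    hits = []
    for line in dns_log_lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("qtype_name") != "TXT":
            continue  # only TXT rdata is scored
        for answer in rec.get("answers", []):
            # Zeek renders TXT rdata as "TXT <len> <text>"; strip that prefix if present.
            text = answer.split(" ", 2)[2] if answer.startswith("TXT ") else answer
            h = shannon_entropy(text)
            if h > threshold:
                hits.append((rec.get("query"), text, round(h, 3)))
    return hits


# Constructed blob: every one of 64 base64 symbols appears exactly once,
# so its entropy is exactly 6 bits per character (the base64 maximum).
BLOB = string.digits + string.ascii_uppercase + string.ascii_lowercase + "+/"

# Constructed sample records in Zeek JSON dns.log shape.
SAMPLE_DNS_LOG = [
    json.dumps({"query": "example.com", "qtype_name": "TXT",
                "answers": ["TXT 36 v=spf1 include:_spf.example.com ~all"]}),
    json.dumps({"query": "tunnel.example.net", "qtype_name": "TXT",
                "answers": ["TXT 64 " + BLOB]}),
    json.dumps({"query": "example.com", "qtype_name": "A",
                "answers": ["192.0.2.10"]}),
]

if __name__ == "__main__":
    for query, text, h in high_entropy_txt_answers(SAMPLE_DNS_LOG):
        print(f"high entropy TXT answer for {query}: H={h} bits/char: {text[:32]}...")
```

The ordinary SPF record scores about 4.3 bits per character and stays below the 5.0 threshold, while the base64-looking blob scores the maximum 6.0 and is flagged; lowering the threshold to 4.0 flags the SPF record as well, which is why the threshold is worth tuning per network rather than hard-coding.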

More new features

We are constantly improving Slips, and a full list of changes in this latest version is available in the Slips changelog. These are some of the fixes and improvements we have been working on:

  • Fix Duplicate evidence in multiple alerts

  • Fix FP horizontal portscans caused by Zeek flipping connections

  • Fix FP URLhaus detections; it is now used to check URLs only, not domains

  • Fix having multiple port scan alerts with the same timestamp

  • Fix md5 urlhaus lookups

  • Fix multiple SSH client versions detection

  • Fix race condition when updating TI files while running multiple Slips instances

  • Move all TI feeds to their separate files in the config/ directory for easier use

  • Optimize code and performance

  • P2P can now work without adding the p2p4slips binary to PATH

  • Portscan detector is now called network service discovery

  • Store Zeek files in the output directory by default

  • Support having IP ranges in your own local TI file own_malicious_iocs.csv

  • Update Kalipso dependencies to use more secure versions

  • Wait 30 mins before the first “connection without DNS” evidence


Check Our Slips Demo 

Get a quick overview of what Slips is about and all its capabilities in this demo presented at the LCN conference in 2021.

And the analysis of several malicious PCAPs using Slips: https://stratospherelinuxips.readthedocs.io/en/develop/slips_in_action.html 

Get in Touch

Feel free to join our Discord server and ask questions, suggest new features or give us feedback. PRs and Issues are welcomed in our repo.

Article Link: New Slips version 1.0.1 is here! — Stratosphere IPS