StratosphereLinuxIPS v1.0.9 releases: Stratosphere IPS for Linux
Stratosphere Linux IPS
This is the Linux version of the Stratosphere IPS, a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. It is part of a larger suite of programs that include the Stratosphere Windows IPS and the Stratosphere Testing Framework.
Architecture
The idea of slips is to focus on the machine learning part of the detection and not in capturing the network traffic. That is why the traffic is received from an external Argus instance. Argus captures the packets in the networks and makes them available to anyone connecting to the Argus port. Argus does not send the packets until somebody ask for them.
The basic architecture is to read the flows from an Argus instance using the ra tool and to send the flows to slips as standard input. This way of working is very good because we can analyze the traffic of our own computer, and also we can analyze the traffic of a remote network or any other computer where an Argus instance is running. Actually, if you run the Argus program in any Windows, Mac, or router, slips can analyze the traffic.
Features
This version of slips comes with the following features:
- If you execute slips without the
-m
parameter it will not detect any behavior in the network but just print the tuples (see the Stratosphere web page for more information). So actually you can also use slips to see what is happening in your network even without detection. - Use
-a
to restrict the minimum amount of letters that the tuples had to have to be considered for detection. The default is a minimum of 3 letters which is enough for having at least one periodic letter. - slips works by separating the traffic in time windows. This allows it to report to the user the detections in a fixed amount of time. The default time window is now 1 minute but you can change it with the parameter
-w
(a time window of five minutes is also recommended). (Warning: In the future we will update this to also consider the detection of IP addresses instead of tuples) - If you want to tell slips to actually try to detect something, you should specify
-m
to tell slips where to find the behavioral models. - The
-p
option tells slips to print the tuples that were detected. Even if the detection is working, without-p
the tuples are not printed. - If you want to be alerted of any detection without looking at the screen you can specify
-s
to have a sound alert. You need to install the pygames libraries. - If you want to avoid doing any detection you should use
-D
. - If you want to anonymize the source IP addresses before doing any processing, you can use
-A
. This will force all the source IPs to be hashed to MD5 in memory. Also, a file is created in the current folder with the relationship of original IP addresses and new hashed IP addresses. So you can later relate the detections.
Changelog v1.0.9
- Fix using -k to kill opened Redis servers.
- Better README and docs.
- Improve URLhaus detections.
- Improve the detection of vertical and horizontal portscans.
- Unify disabled module names printed in the CLI.
- Set the threat level reported to other peers to the max of threat levels seen in any time window.
- Faster detections of devices changing IPs.
- Remove the home_network feature from Slips.
- Faster detection of alerts.
- Fix the problem of not using ‘command and control channel’ evidence in the alert of each profile.