StratosphereLinuxIPS v0.9 releases: Stratosphere IPS for Linux
Stratosphere Linux IPS
This is the Linux version of the Stratosphere IPS, a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. It is part of a larger suite of programs that include the Stratosphere Windows IPS and the Stratosphere Testing Framework.
Architecture
The idea of slips is to focus on the machine learning part of the detection and not on capturing the network traffic. That is why the traffic is received from an external Argus instance. Argus captures the packets in the network and makes them available to anyone connecting to the Argus port. Argus does not send the packets until somebody asks for them.
The basic architecture is to read the flows from an Argus instance using the ra tool and to send the flows to slips on standard input. This way of working is very convenient because we can analyze the traffic of our own computer, and also the traffic of a remote network or any other computer where an Argus instance is running. In fact, if you run the Argus program on any Windows or Mac machine, or on a router, slips can analyze that traffic.
Features
This version of slips comes with the following features:
- If you execute slips without the `-m` parameter it will not detect any behavior in the network but just print the tuples (see the Stratosphere web page for more information). So you can also use slips to see what is happening in your network even without detection.
- Use `-a` to restrict the minimum number of letters that a tuple must have to be considered for detection. The default is a minimum of 3 letters, which is enough to have at least one periodic letter.
- slips works by separating the traffic into time windows. This allows it to report detections to the user at fixed intervals. The default time window is now 1 minute, but you can change it with the `-w` parameter (a time window of five minutes is also recommended). (Warning: in the future we will update this to also consider the detection of IP addresses instead of tuples.)
- If you want slips to actually try to detect something, you should specify `-m` to tell slips where to find the behavioral models.
- The `-p` option tells slips to print the tuples that were detected. Even if detection is working, without `-p` the tuples are not printed.
- If you want to be alerted of any detection without looking at the screen, you can specify `-s` to get a sound alert. You need to install the pygame library.
- If you want to avoid doing any detection, use `-D`.
- If you want to anonymize the source IP addresses before doing any processing, use `-A`. This forces all source IPs to be hashed with MD5 in memory. A file is also created in the current folder with the relationship between the original IP addresses and the new hashed IP addresses, so you can later relate the detections.
Changelog v0.9
- Slips
- P2P module: Added the support for sharing and receiving IPs’ info with other peers. Can be run using docker or locally.
- Parse zeek software.log and extract software type, version and user agent from it
- Detect multiple SSH client versions. slips will now alert if an IP is detected using OpenSSH_8.1 then OpenSSH_7.1 for example
- Detect DoH flows in ssl.log
- Fix connection reset by peer error by changing the buffer limit in redis
- Fix reading flows from stdin
- Fix home_network parameter
- Fix portscans detections
- Fix DGA detections
Changelog v0.8.5
- Slips
- Detect young domains that were registered less than 60 days ago.
- Detect bad SMTP logins
- Detect SMTP bruteforce
- Detect DNS ARPA scans
- Update our list of ports used by specific organizations to minimize false positive ‘unknown destination port’ alerts
- Add support for Russia-Ukraine IoCs
- Detect incompatible user agents by comparing MAC vendors with user agents found in HTTP traffic.
- Detect the use of multiple user agents, for example Linux UA, then Apple UA, then MAC UA.
- The default time to wait to alert on DNS without resolution now is 30 mins
- The time to wait for DNS without resolution now works in interface capture mode and in reading any file
- Detect ICMP timestamp scan, address scan and address mask scan
- Support deleting large log files (arp.log) in case the user doesn't want a copy of the log files after slips is done
- Update our offline MAC vendor database and add support for getting unknown vendors from an online database
- Fix FP Multiple reconnection attempts
- Added a zeek script to recognize DoH flows for more real-time experience while using slips
- Change the structure of slips files by splitting large modules into smaller files.
- Reduce false positives by disabling ‘connections without DNS’ to a well known org
- Fix ‘multiple reconnection attempts’ alerts
- Update the list of our special organization ports
- Document all the internet connections made by slips
- Fix install.sh
- Add errors.log to output/ dir to log errors encountered by slips.
Changelog v0.8.4
- Slips
- Add support for local JA3 feeds
- Improve CESNET Module
- Update and improve whitelists
- Improve alerts by adding hostname to alerts printed in the CLI and in alerts.log
- Faster startup of Slips, now TI files are updated concurrently.
- Add a logstash configuration file to allow exporting slips alerts.
- Add support for malicious SSL feeds.
- Support blacklisting IP ranges taken from TI feeds.
- profilerProcess optimizations.
- Get device type, browser and OS info from user agents found in HTTP traffic.
- Add “Blocked by Slips” comment to all iptables rules added by slips
- Improve whitelisting by updating organizations’ domains.
- Update documentation
- Fix invalid JSON alerts in alerts.json
- Fix problem stopping slips.
- Fix problem with redis stopping on error writing to disk.
- Fix false positive ‘not valid yet’ SSL alerts
- Decrease the amount of false positive C&C alerts
- Kalipso
- Fix Kalipso in docker issue
- Associate IPs with their hostname
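As an added example (not slips' own implementation), the v0.9 changelog entries on parsing Zeek software.log and detecting multiple SSH client versions can be illustrated with a small detector: it reads a constructed software.log excerpt in Zeek's tab-separated format and flags any host seen with more than one SSH client version, such as OpenSSH_8.1 followed by OpenSSH_7.1. The log excerpt is constructed and limited to a subset of the real columns.

```python
from collections import defaultdict

# Constructed Zeek software.log excerpt (tab-separated, subset of the real fields).
SOFTWARE_LOG = """\
#fields\tts\thost\thost_p\tsoftware_type\tname\tunparsed_version
#types\ttime\taddr\tport\tenum\tstring\tstring
1650000001.0\t10.0.0.5\t-\tSSH::CLIENT\tOpenSSH\tSSH-2.0-OpenSSH_8.1
1650000002.0\t10.0.0.5\t-\tSSH::CLIENT\tOpenSSH\tSSH-2.0-OpenSSH_8.1
1650000003.0\t10.0.0.7\t-\tSSH::CLIENT\tOpenSSH\tSSH-2.0-OpenSSH_7.9
1650000004.0\t10.0.0.5\t-\tSSH::CLIENT\tOpenSSH\tSSH-2.0-OpenSSH_7.1
1650000005.0\t10.0.0.5\t-\tHTTP::BROWSER\tFirefox\tMozilla/5.0
#close\t2022-04-15-10-00-05
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, naming columns from the #fields header line."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue  # #types, #close and blank lines carry no records
        elif fields:
            yield dict(zip(fields, line.split("\t")))


def detect_ssh_version_changes(log_text):
    """Return {host: [distinct SSH client versions in order seen]} for hosts
    that presented more than one version, the condition the v0.9 alert fires on."""
    seen = defaultdict(list)
    for rec in parse_zeek_tsv(log_text):
        if rec["software_type"] != "SSH::CLIENT":
            continue
        version = rec["unparsed_version"]
        if version not in seen[rec["host"]]:
            seen[rec["host"]].append(version)
    return {host: versions for host, versions in seen.items() if len(versions) > 1}


def format_alerts(changes):
    """Render the detections as one alert line per host."""
    return [f"{host} used multiple SSH client versions: {' -> '.join(versions)}"
            for host, versions in sorted(changes.items())]


if __name__ == "__main__":
    for alert in format_alerts(detect_ssh_version_changes(SOFTWARE_LOG)):
        print(alert)
```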