StratosphereLinuxIPS: Stratosphere IPS for Linux
Stratosphere Linux IPS
This is the Linux version of the Stratosphere IPS, a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors. It is part of a larger suite of programs that include the Stratosphere Windows IPS and the Stratosphere Testing Framework.
The idea of slips is to focus on the machine learning part of the detection and not in capturing the network traffic. That is why the traffic is received from an external Argus instance. Argus captures the packets in the networks and makes them available to anyone connecting to the Argus port. Argus does not send the packets until somebody ask for them.
The basic architecture is to read the flows from an Argus instance using the ra tool and to send the flows to slips as standard input. This way of working is very good because we can analyze the traffic of our own computer, and also we can analyze the traffic of a remote network or any other computer where an Argus instance is running. Actually, if you run the Argus program in any Windows, Mac or router, slips can analyze the traffic.
This version of slips comes with the following features:
- If you execute slips without the
-mparameter it will not detect any behavior in the network but just print the tuples (see the Stratosphere web page for more information). So actually you can also use slips to see what is happening in your network even without detection.
-ato restrict the minimum amount of letters that the tuples had to have to be considered for detection. The default is a minimum of 3 letters which is enough for having at least one periodic letter.
- slips works by separating the traffic in time windows. This allows it to report to the user the detections in a fixed amount of time. The default time window is now 1 minute but you can change it with the parameter
-w(a time window of five minutes is also recommended). (Warning: In the future we will update this to also consider the detection of IP addresses instead of tuples)
- If you want to tell slips to actually try to detect something, you should specify
-mto tell slips where to find the behavioral models.
-poption tells slips to print the tuples that were detected. Even if the detection is working, without
-pthe tuples are not printed.
- If you want to be alerted of any detection without looking at the screen you can specify
-sto have a sound alert. You need to install the pygames libraries.
- If you want to avoid doing any detection you should use
- If you want to anonymize the source IP addresses before doing any processing, you can use
-A. This will force all the source IPs to be hashed to MD5 in memory. Also, a file is created in the current folder with the relationship of original IP addresses and new hashed IP addresses. So you can later relate the detections.