Skip to content

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

License

Notifications You must be signed in to change notification settings

stratosphereips/StratosphereLinuxIPS

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Slips v1.1.3

License GitHub version Python GitHub language count GitHub repository size Docker Image Size (tag) Docker Pulls

GitHub issues GitHub issues-closed GitHub open-pull-requests GitHub pull-requests closed GitHub contributors GitHub forks GitHub Org's stars GitHub watchers

License Discord Twitter Follow


Table of Contents

Slips: Behavioral Machine Learning-Based Intrusion Prevention System

Slips is a powerful endpoint behavioral intrusion prevention and detection system that uses machine learning to detect malicious behaviors in network traffic. Slips can work with network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus. Slips threat detection is based on a combination of machine learning models trained to detect malicious behaviors, 40+ threat intelligence feeds, and expert heuristics. Slips gathers evidence of malicious behavior and uses extensively trained thresholds to trigger alerts when enough evidence is accumulated.

Introduction

Slips is the first free software behavioral machine learning-based IDS/IPS for endpoints. It was created in 2012 by Sebastian Garcia at the Stratosphere Laboratory, AIC, FEE, Czech Technical University in Prague. The goal was to offer a local IDS/IPS that leverages machine learning to detect network attacks using behavioral analysis.

Slips is supported on Linux, MacOS, and windows dockers only. The blocking features of Slips are only supported on Linux

Slips is Python-based and relies on Zeek network analysis framework for capturing live traffic and analyzing PCAPs. and relies on Redis >= 7.0.4 for interprocess communication.

Usage

The recommended way to use Slips is on Docker.

Linux and Windows hosts

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest
./slips.py -f dataset/test7-malicious.pcap -o output_dir
cat output_dir/alerts.log

Macos

In MacOS, do not use --net=host if you want to access the internal container's ports from the host.

docker run --rm -it -p 55000:55000 --platform linux/amd64 --cpu-shares "700" --memory="8g" --memory-swap="8g" --cap-add=NET_ADMIN --name slips stratosphereips/slips_macos_m1:latest
./slips.py -f dataset/test7-malicious.pcap -o output_dir
cat output_dir/alerts.log

For more installation options

For a detailed explanation of Slips parameters

Graphical User Interface

To check Slips output using a GUI you can use the web interface or our command-line based interface Kalipso

Web interface
./webinterface.sh

Then navigate to http://localhost:55000/ from your browser.

For more info about the web interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#the-web-interface

Kalispo (CLI-Interface)
./kalipso.sh

For more info about the Kalipso interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#kalipso


Requirements

Slips requires Python 3.10.12 and at least 4 GBs of RAM to run smoothly.

Installation

Slips can be run on different platforms, the easiest and most recommended way if you're a Linux user is to run Slips on Docker.


Configuration

Slips has a config/slips.yaml that contains user configurations for different modules and general execution.

  • You can change the timewindow width by modifying the time_window_width parameter

  • You can change the analysis direction to all if you want to see the attacks from and to your computer

  • You can also specify whether to train or test the ML models

  • You can enable popup notifications of evidence, enable blocking, plug in your own zeek script and more.

More details about the config file options here

Features

Slips key features are:

  • Behavioral Intrusion Prevention: Slips acts as a powerful system to prevent intrusions based on detecting malicious behaviors in network traffic using machine learning.
  • Modularity: Slips is written in Python and is highly modular with different modules performing specific detections in the network traffic.
  • Targeted Attacks and Command & Control Detection: It places a strong emphasis on identifying targeted attacks and command and control channels in network traffic.
  • Traffic Analysis Flexibility: Slips can analyze network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus.
  • Threat Intelligence Updates: Slips continuously updates threat intelligence files and databases, providing relevant detections as updates occur.
  • Integration with External Platforms: Modules in Slips can look up IP addresses on external platforms such as VirusTotal and RiskIQ.
  • Graphical User Interface: Slips provides a console graphical user interface (Kalipso) and a web interface for displaying detection with graphs and tables.
  • Peer-to-Peer (P2P) Module: Slips includes a complex automatic system to find other peers in the network and share IoC data automatically in a balanced, trusted manner. The P2P module can be enabled as needed.
  • Docker Implementation: Running Slips through Docker on Linux systems is simplified, allowing real-time traffic analysis.
  • Detailed Documentation: Slips provides detailed documentation guiding users through usage instructions for efficient utilization of its features.

Contributing

We welcome contributions to improve the functionality and features of Slips.

Please read carefully the contributing guidelines for contributing to the development of Slips

You can run Slips and report bugs, make feature requests, and suggest ideas, open a pull request with a solved GitHub issue and new feature, or open a pull request with a new detection module.

The instructions to create a new detection module along with a template here.

If you are a student, we encourage you to apply for the Google Summer of Code program that we participate in as a hosting organization.

Check Slips in GSoC2023 for more information.

You can join our conversations in Discord for questions and discussions. We appreciate your contributions and thank you for helping to improve Slips!

Documentation

User documentation

Code docs

Troubleshooting

If you can't listen to an interface without sudo, you can run the following command to let any user use Zeek to listen to an interface not just root.

sudo setcap cap_net_raw,cap_net_admin=eip /<path-to-zeek-bin/zeek

You can join our conversations in Discord for questions and discussions.

Or email us at

License

GNU General Public License

Credits

Founder: Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz, eldraco@gmail.com.

Main authors: Sebastian Garcia, Alya Gomaa, Kamila Babayeva

Contributors:

Changelog

https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/CHANGELOG.md

Demos

The following videos contain demos of Slips in action in various events:

  • 2022 BlackHat Europe Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [web]
  • 2022 BlackHat USA Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [web]
  • 2021 BlackHat Europe Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [slides] [web]
  • 2021 BlackHat USA Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [web]
  • 2021 BlackHat Asia Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [web]
  • 2020 Hack In The Box CyberWeek, Android RATs Detection With A Machine Learning-Based Python IDS [video]
  • 2019 OpenAlt, Fantastic Attacks and How Kalipso can Find Them [video]
  • 2016 Ekoparty, Stratosphere IPS. The free machine learning malware detection [video]

Funding

We are grateful for the generous support and funding provided by the following organizations:

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.

NLnet foundation logo NGI Zero Logo

Their funding has played a crucial role in the development and success of this project. We sincerely appreciate their commitment to advancing technology and their recognition of the value Slips brings to the community.