Home

Awesome

<h1 align="center"> Slips v1.1.3 </h1>

License GitHub version Python GitHub language count GitHub repository size Docker Image Size (tag) Docker Pulls

GitHub issues GitHub issues-closed GitHub open-pull-requests GitHub pull-requests closed GitHub contributors GitHub forks GitHub Org's stars GitHub watchers

License Discord Twitter Follow

<hr>

Table of Contents

Slips: Behavioral Machine Learning-Based Intrusion Prevention System

Slips is a powerful endpoint behavioral intrusion prevention and detection system that uses machine learning to detect malicious behaviors in network traffic. Slips can work with network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus. Slips threat detection is based on a combination of machine learning models trained to detect malicious behaviors, 40+ threat intelligence feeds, and expert heuristics. Slips gathers evidence of malicious behavior and uses extensively trained thresholds to trigger alerts when enough evidence is accumulated.

<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/slips.gif" width="850px" title="Slips in action.">

Introduction

Slips is the first free software behavioral machine learning-based IDS/IPS for endpoints. It was created in 2012 by Sebastian Garcia at the Stratosphere Laboratory, AIC, FEE, Czech Technical University in Prague. The goal was to offer a local IDS/IPS that leverages machine learning to detect network attacks using behavioral analysis.

Slips is supported on Linux, MacOS, and windows dockers only. The blocking features of Slips are only supported on Linux

Slips is Python-based and relies on Zeek network analysis framework for capturing live traffic and analyzing PCAPs. and relies on Redis >= 7.0.4 for interprocess communication.

Usage

The recommended way to use Slips is on Docker.

Linux and Windows hosts

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest
./slips.py -f dataset/test7-malicious.pcap -o output_dir
cat output_dir/alerts.log

Macos

In MacOS, do not use --net=host if you want to access the internal container's ports from the host.

docker run --rm -it -p 55000:55000 --platform linux/amd64 --cpu-shares "700" --memory="8g" --memory-swap="8g" --cap-add=NET_ADMIN --name slips stratosphereips/slips_macos_m1:latest
./slips.py -f dataset/test7-malicious.pcap -o output_dir
cat output_dir/alerts.log

For more installation options

For a detailed explanation of Slips parameters

Graphical User Interface

To check Slips output using a GUI you can use the web interface or our command-line based interface Kalipso

Web interface
./webinterface.sh

Then navigate to http://localhost:55000/ from your browser.

<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/web_interface.png" width="850px">

For more info about the web interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#the-web-interface

Kalispo (CLI-Interface)
./kalipso.sh
<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/kalipso.png" width="850px">

For more info about the Kalipso interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#kalipso


Requirements

Slips requires Python 3.10.12 and at least 4 GBs of RAM to run smoothly.

Installation

Slips can be run on different platforms, the easiest and most recommended way if you're a Linux user is to run Slips on Docker.


Configuration

Slips has a config/slips.yaml that contains user configurations for different modules and general execution.

More details about the config file options here

Features

Slips key features are:

Contributing

We welcome contributions to improve the functionality and features of Slips.

Please read carefully the contributing guidelines for contributing to the development of Slips

You can run Slips and report bugs, make feature requests, and suggest ideas, open a pull request with a solved GitHub issue and new feature, or open a pull request with a new detection module.

The instructions to create a new detection module along with a template here.

If you are a student, we encourage you to apply for the Google Summer of Code program that we participate in as a hosting organization.

Check Slips in GSoC2023 for more information.

You can join our conversations in Discord for questions and discussions. We appreciate your contributions and thank you for helping to improve Slips!

Documentation

User documentation

Code docs

Troubleshooting

If you can't listen to an interface without sudo, you can run the following command to let any user use Zeek to listen to an interface not just root.

sudo setcap cap_net_raw,cap_net_admin=eip /<path-to-zeek-bin/zeek

You can join our conversations in Discord for questions and discussions.

Or email us at

License

GNU General Public License

Credits

Founder: Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz, eldraco@gmail.com.

Main authors: Sebastian Garcia, Alya Gomaa, Kamila Babayeva

Contributors:

Changelog

https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/CHANGELOG.md

Demos

The following videos contain demos of Slips in action in various events:

Funding

We are grateful for the generous support and funding provided by the following organizations:

This project is funded through NGI0 Entrust, a fund established by NLnet with financial support from the European Commission's Next Generation Internet program. Learn more at the NLnet project page.

<img src="https://nlnet.nl/logo/banner.png" alt="NLnet foundation logo" width="20%" /> <img src="https://nlnet.nl/image/logos/NGI0_tag.svg" alt="NGI Zero Logo" width="20%" />

Their funding has played a crucial role in the development and success of this project. We sincerely appreciate their commitment to advancing technology and their recognition of the value Slips brings to the community.