Slips v1.1

Table of Contents

• Introduction
• Usage
• GUI
• Requirements
• Installation
• Extended Usage
• Configuration
• Features
• Contributing
• Documentation
• Troubleshooting
• License
• Credits
• Changelog
• Roadmap
• Demos
• Funding

Slips: Behavioral Machine Learning-Based Intrusion Prevention System

Slips is a powerful endpoint behavioral intrusion prevention and detection system that uses machine learning to detect malicious behaviors in network traffic. Slips can work with network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus. Slips threat detection is based on a combination of machine learning models trained to detect malicious behaviors, 40+ threat intelligence feeds, and expert heuristics. Slips gathers evidence of malicious behavior and uses extensively trained thresholds to trigger alerts when enough evidence is accumulated.

Introduction

Slips is the first free software behavioral machine learning-based IDS/IPS for endpoints. It was created in 2012 by Sebastian Garcia at the Stratosphere Laboratory, AIC, FEE, Czech Technical University in Prague. The goal was to offer a local IDS/IPS that leverages machine learning to detect network attacks using behavioral analysis.

Slips is supported on Linux and MacOS only. The blocking features of Slips are only supported on Linux

Slips is Python-based and relies on Zeek network analysis framework for capturing live traffic and analyzing PCAPs. and relies on Redis >= 7.0.4 for interprocess communication.

Usage

The recommended way to use Slips is on Docker.

Linux

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest

./slips.py -f dataset/test7-malicious.pcap -o output_dir

cat output_dir/alerts.log

Macos M1

In macos do not use --net=host if you want to access the internal container's ports from the host.

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --cap-add=NET_ADMIN --name slips stratosphereips/slips_macos_m1:latest

./slips.py -f dataset/test7-malicious.pcap -o output_dir

cat output_dir/alerts.log

Macos Intel

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest

./slips.py -f dataset/test7-malicious.pcap -o output_dir

cat output_dir/alerts.log

For more installation options

For a detailed explanation of Slips parameters

Graphical User Interface

To check Slips output using a GUI you can use the web interface or our command-line based interface Kalipso

Web interface

./webinterface.sh

Then navigate to http://localhost:55000/ from your browser.

For more info about the web interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#the-web-interface

Kalispo (CLI-Interface)

./kalipso.sh

For more info about the Kalipso interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#kalipso

Requirements

Slips requires Python 3.10.12 and at least 4 GBs of RAM to run smoothly.

Installation

Slips can be run on different platforms, the easiest and most recommended way if you're a Linux user is to run Slips on Docker.

• Docker
  • Dockerhub (recommended)
    • On a linux host
      • Without P2P support
      • With P2P support
    • On MacOS M1 host
      • Without P2P support
    • On MacOS Intel processor
      • Without P2P support
      • With P2P support
  • Docker-compose
  • Dockerfile
• Native
  • Using install.sh
  • Manually
• on RPI (Beta)

Extended Usage

Linux

Analyse your own traffic without P2P

Analyse your own traffic with P2P

Analyse a pcap without using P2P

Macos M1

Analyse your own traffic without using P2P

MacOS Intel processors

Analyse your own traffic without using P2P

Analyse your own traffic with using P2P

Analyse a PCAP without using P2P

Configuration

Slips has a config/slips.conf that contains user configurations for different modules and general execution.

• You can change the timewindow width by modifying the time_window_width parameter

• You can change the analysis direction to all if you want to see the attacks from and to your computer

• You can also specify whether to train or test the ML models

• You can enable popup notifications of evidence, enable blocking, plug in your own zeek script and more.

More details about the config file options here

Features

Slips key features are:

• Behavioral Intrusion Prevention: Slips acts as a powerful system to prevent intrusions based on detecting malicious behaviors in network traffic using machine learning.
• Modularity: Slips is written in Python and is highly modular with different modules performing specific detections in the network traffic.
• Targeted Attacks and Command & Control Detection: It places a strong emphasis on identifying targeted attacks and command and control channels in network traffic.
• Traffic Analysis Flexibility: Slips can analyze network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus.
• Threat Intelligence Updates: Slips continuously updates threat intelligence files and databases, providing relevant detections as updates occur.
• Integration with External Platforms: Modules in Slips can look up IP addresses on external platforms such as VirusTotal and RiskIQ.
• Graphical User Interface: Slips provides a console graphical user interface (Kalipso) and a web interface for displaying detection with graphs and tables.
• Peer-to-Peer (P2P) Module: Slips includes a complex automatic system to find other peers in the network and share IoC data automatically in a balanced, trusted manner. The P2P module can be enabled as needed.
• Docker Implementation: Running Slips through Docker on Linux systems is simplified, allowing real-time traffic analysis.
• Detailed Documentation: Slips provides detailed documentation guiding users through usage instructions for efficient utilization of its features.

Contributing

We welcome contributions to improve the functionality and features of Slips.

Please read carefully the contributing guidelines for contributing to the development of Slips

You can run Slips and report bugs, make feature requests, and suggest ideas, open a pull request with a solved GitHub issue and new feature, or open a pull request with a new detection module.

The instructions to create a new detection module along with a template here.

If you are a student, we encourage you to apply for the Google Summer of Code program that we participate in as a hosting organization.

Check Slips in GSoC2023 for more information.

You can join our conversations in Discord for questions and discussions. We appreciate your contributions and thank you for helping to improve Slips!

Documentation

User documentation

Code docs

Troubleshooting

If you can't listen to an interface without sudo, you can run the following command to let any user use Zeek to listen to an interface not just root.

sudo setcap cap_net_raw,cap_net_admin=eip /<path-to-zeek-bin/zeek

You can join our conversations in Discord for questions and discussions.

Or email us at

• sebastian.garcia@agents.fel.cvut.cz
• eldraco@gmail.com,
• alyaggomaa@gmail.com

License

GNU General Public License

Credits

Founder: Sebastian Garcia, sebastian.garcia@agents.fel.cvut.cz, eldraco@gmail.com.

Main authors: Sebastian Garcia, Alya Gomaa, Kamila Babayeva

Contributors:

• Veronica Valeros
• Frantisek Strasak
• Dita Hollmannova
• Ondrej Lukas
• Elaheh Biglar Beigi
• Martin Řepa
• arkamar
• Maria Rigaki
• Lukas Forst
• Daniel Yang

Changelog

https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/CHANGELOG.md

Demos

The following videos contain demos of Slips in action in various events:

• 2022 BlackHat Europe Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [web]
• 2022 BlackHat USA Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System