<h1 align="center"> Slips v1.1.18 </h1>

<hr>

Table of Contents

• Introduction
• Usage
• GUI
• Requirements
• Installation
• Configuration
• Features
• Contributing
• Documentation
• Troubleshooting
• License
• Credits
• Changelog
• Roadmap
• Demos
• Funding

Slips: Behavioral Machine Learning-Based Intrusion Prevention System

Slips is a powerful endpoint behavioral intrusion prevention and detection system that uses machine learning to detect malicious behaviors in network traffic. Slips can work with network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus. Slips threat detection is based on a combination of machine learning models trained to detect malicious behaviors, 40+ threat intelligence feeds, and expert heuristics. Slips gathers evidence of malicious behavior and uses extensively trained thresholds to trigger alerts when enough evidence is accumulated.

<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/slips.gif" width="850px" title="Slips in action.">

---

Introduction

Slips is the first free software behavioral machine learning-based IDS/IPS for endpoints. It was created in 2012 by Sebastian Garcia at the Stratosphere Laboratory, AIC, FEE, Czech Technical University in Prague. The goal was to offer a local IDS/IPS that leverages machine learning to detect network attacks using behavioral analysis.

Slips is supported on Linux, MacOS, and windows dockers only. The blocking features of Slips are only supported on Linux

Slips is Python-based and relies on Zeek network analysis framework for capturing live traffic and analyzing PCAPs. and relies on Redis >= 7.0.4 for interprocess communication.

---

Usage

The recommended way to use Slips is on Docker.

Linux and Windows hosts

docker run --rm -it -p 55000:55000  --cpu-shares "700" --memory="8g" --memory-swap="8g" --net=host --cap-add=NET_ADMIN --name slips stratosphereips/slips:latest

./slips.py -f dataset/test7-malicious.pcap -o output_dir

cat output_dir/alerts.log

Macos

In MacOS, do not use --net=host if you want to access the internal container's ports from the host.

docker run --rm -it -p 55000:55000 --platform linux/amd64 --cpu-shares "700" --memory="8g" --memory-swap="8g" --cap-add=NET_ADMIN --name slips stratosphereips/slips_macos_m1:latest

./slips.py -f dataset/test7-malicious.pcap -o output_dir

cat output_dir/alerts.log

For more installation options

For a detailed explanation of Slips parameters

---

Graphical User Interface

To check Slips output using a GUI you can use the web interface or our command-line based interface Kalipso

Web interface

./webinterface.sh

Then navigate to http://localhost:55000/ from your browser.

<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/web_interface.png" width="850px">

For more info about the web interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#the-web-interface

Kalipso (CLI-Interface)

./kalipso.sh

<img src="https://raw.githubusercontent.com/stratosphereips/StratosphereLinuxIPS/develop/docs/images/kalipso.png" width="850px">

For more info about the Kalipso interface, check the docs: https://stratospherelinuxips.readthedocs.io/en/develop/usage.html#kalipso

---

Requirements

Slips requires Python 3.10.12 and at least 4 GBs of RAM to run smoothly.

---

Installation

Slips can be run on different platforms, the easiest and most recommended way if you're a Linux user is to run Slips on Docker.

• Docker
  • Dockerhub (recommended)
    • Linux and windows hosts
    • MacOS hosts
  • Docker-compose
  • Dockerfile
• Native
  • Using install.sh
  • Manually
• on RPI (Beta)

---

Configuration

Slips has a config/slips.yaml that contains user configurations for different modules and general execution.

• You can change the timewindow width by modifying the time_window_width parameter

• You can change the analysis direction to all if you want to see the attacks from and to your computer

• You can also specify whether to train or test the ML models

• You can enable popup notifications of evidence, enable blocking, plug in your own zeek script and more.

More details about the config file options here

---

Features

Slips key features are:

• Behavioral Intrusion Prevention: Slips acts as a powerful system to prevent intrusions based on detecting malicious behaviors in network traffic using machine learning.
• Modularity: Slips is written in Python and is highly modular with different modules performing specific detections in the network traffic.
• Targeted Attacks and Command & Control Detection: It places a strong emphasis on identifying targeted attacks and command and control channels in network traffic.
• Traffic Analysis Flexibility: Slips can analyze network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek/Bro, and Argus.
• Threat Intelligence Updates: Slips continuously updates threat intelligence files and databases, providing relevant detections as updates occur.
• HTTPS Anomaly Detection: Adaptive TLS/HTTPS anomaly detection with drift handling and a local HTML report generator for deep dives.
• Integration with External Platforms: Modules in Slips can look up IP addresses on external platforms such as VirusTotal and RiskIQ.
• Graphical User Interface: Slips provides a console graphical user interface (Kalipso) and a web interface for displaying detection with graphs and tables.
• Peer-to-Peer (P2P) Module: Slips