Merge pull request #1011 from stratosphereips/develop

v1.1.2

.github/ISSUE_TEMPLATE/bug_report.md

@@ -39,7 +39,6 @@ Master or Develop?
  - Python version [e.g. 3.10]
  - Are you running slips in docker or locally? [yes/no]
  - Docker version (if running slips in docker) [e.g. 20.10.22]
- - Slips docker image used (if running slips in docker) [e.g. macosm1-image, macosm1-P2P-image, ubuntu-image, dependency-image]
  - Commit hash: ( `git rev-parse --short HEAD` )
 
 **Additional context**

.github/workflows/CI-publishing-p2p-image.yml → .github/workflows/publish-slips-image.yml

@@ -1,4 +1,4 @@
-name: CI-production-publishing-p2p-image
+name: CI-production-publishing-slips-image
 
 on:
   push:
@@ -7,7 +7,7 @@ on:
     - '!develop'
 
 jobs:
-  publish_P2P_docker_image:
+  publish_slips_docker_image:
     # runs the tests in a docker(built by this job) on stop of a GH VM
     runs-on: ubuntu-20.04
     # 2 hours timeout
@@ -40,14 +40,14 @@ jobs:
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@v3
 
-    - name: Build and push p2p image using dockerfile
-      id: docker_build_p2p_for_slips
+    - name: Build and push Slips image using dockerfile
+      id: docker_build_slips
       uses: docker/build-push-action@v6
       with:
         allow: network.host
         context: ./
-        file: ./docker/P2P-image/Dockerfile
+        file: ./docker/Dockerfile
         tags: |
-          stratosphereips/slips_p2p:latest
-          stratosphereips/slips_p2p:${{ env.SLIPS_VERSION }}
+          stratosphereips/slips:latest
+          stratosphereips/slips:${{ env.SLIPS_VERSION }}
         push: true

.github/workflows/unit-tests.yml

@@ -55,6 +55,7 @@ jobs:
           - tests/test_trustdb.py
           - tests/test_cesnet.py
           - tests/test_output.py
+          - tests/test_riskiq.py
 
     steps:
     - uses: actions/checkout@v4

.gitignore

@@ -134,7 +134,8 @@ logs/
 dump.rdb
 package-lock.json
 modules/blessed/node_modules/
-alerts.*
+alerts.log
+alerts.json
 errors.log
 nohup.out
 modules/threat_intelligence/remote_data_files/*

CHANGELOG.md

@@ -1,4 +1,17 @@
-- 1.1.1 (September 4th, 2024)
+- 1.1.2 (September 30th, 2024)
+- Add a relation between related evidence in alerts.json
+- Better unit tests. Thanks to @Sekhar-Kumar-Dash
+- Discontinued MacOS m1 docker images, P2p images, and slips dependencies image.
+- Fix the problem of the progress bar stopping before analysis is done, causing Slips to freeze when analyzing large PCAPs.
+- Improve how Slips recognizes the current host IP.
+- Increase the speed of the Flowalerts module by changing how Slips checks for DNS servers.
+- Major code improvements.
+- Remove redundant keys from the Redis database.
+- Remove unused keys from the Redis database.
+- Use IDMEFv2 format in alerts.json instead of IDEA0.
+- Wait for modules to finish 1 week by default.
+
+1.1.1 (September 4th, 2024)
 - Better unit tests. thanks to @Sekhar-Kumar-Dash.
 - Fix Zeek warning caused by one of the loaded zeek scripts.
 - Fix Slips installation scripts at install/install.sh

README.md

@@ -1,5 +1,5 @@
 <h1 align="center">
-Slips v1.1.1
+Slips v1.1.2
 </h1>
 
 
@@ -160,14 +160,7 @@ Slips can be run on different platforms, the easiest and most recommended way if
 
 * [Docker](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#slips-in-docker)
   * Dockerhub (recommended)
-    * On a linux host
-      * [Without P2P support](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#for-linux)
-      * [With P2P support](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#for-p2p-support-on-linux)
-    * On MacOS M1 host
-      * [Without P2P support](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#for-macos-m1)
-    * On MacOS Intel processor
-      * [Without P2P support](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#for-macos-intel-processors)
-      * [With P2P support](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#for-p2p-support-on-macos-intel)
+    * [Linux, MacOS and windows hosts](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#Running-Slips-from-DockerHub)
   * [Docker-compose](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#running-slips-using-docker-compose)
   * [Dockerfile](https://stratospherelinuxips.readthedocs.io/en/develop/installation.html#building-slips-from-the-dockerfile)
 * Native
@@ -212,7 +205,7 @@ Slips can be run on different platforms, the easiest and most recommended way if
 
 
 # Configuration
-Slips has a [config/slips.conf](https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/config/slips.conf) that contains user configurations for different modules and general execution.
+Slips has a [config/slips.yaml](https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/config/slips.yaml) that contains user configurations for different modules and general execution.
 
 * You can change the timewindow width by modifying the ```time_window_width``` parameter
 * You can change the analysis direction to ```all```  if you want to see the attacks from and to your computer

VERSION

@@ -1 +1 @@
-1.1.1
+1.1.2

config/slips.yaml

@@ -125,7 +125,9 @@ parameters:
    keep_rotated_files_for : 1 day
 
    # how many minutes to wait for all modules to finish before killing them
-   wait_for_modules_to_finish : 15 mins
+   #wait_for_modules_to_finish : 15 mins
+   # 1 week
+   wait_for_modules_to_finish : 10080 mins
 
    # flows are labeled to normal/malicious and added to the sqlite db in the output dir by default
    export_labeled_flows : False
@@ -170,9 +172,9 @@ detection:
 modules:
    # List of modules to ignore. By default we always ignore the template! do not remove it from the list
    # Names of other modules that you can disable (they all should be lowercase with no special characters):
-   # ensembling, threatintelligence, blocking,
+   # threatintelligence, blocking,
    # networkdiscovery, timeline, virustotal, rnnccdetection, flowmldetection, updatemanager
-   disable: "[template , ensembling]"
+   disable: "[template]"
 
    # For each line in timeline file there is a timestamp.
    # By default the timestamp is seconds in unix time. However

docker/P2P-image/Dockerfile → docker/Dockerfile

@@ -1,88 +1,90 @@
-FROM ubuntu:22.04
-# To avoid user interaction when installing libraries
-ENV DEBIAN_FRONTEND=noninteractive
-# Blocking module requirement to avoid using sudo
-ENV IS_IN_A_DOCKER_CONTAINER=True
-# destionation dir for slips inside the container
-ENV SLIPS_DIR=/StratosphereLinuxIPS
-
-ENV NODE_VERSION=22.5.0
-ENV NVM_DIR=/root/.nvm
-
-# use bash instead of sh
-SHELL ["/bin/bash", "-c"]
-
-
-# Install wget and add Zeek and redis repositories to our sources.
-RUN apt update && apt install -y --no-install-recommends \
-    wget \
-    ca-certificates \
-    git \
-    curl \
-    gnupg \
-    lsb-release \
-    software-properties-common \
-    build-essential \
-    file \
-    lsof \
-    iptables \
-    iproute2 \
-    nfdump \
-    tshark \
-    whois \
-    yara \
-    net-tools \
-    vim \
-    less \
-    unzip \
-    golang \
-    python3-certifi \
-    python3-dev \
-    python3-tzlocal \
-    python3-pip \
-    && echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' |  tee /etc/apt/sources.list.d/security:zeek.list \
-    && curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor |  tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null \
-    && curl -fsSL https://packages.redis.io/gpg |  gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg \
-    && echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" > /etc/apt/sources.list.d/redis.list \
-    && apt update \
-    && apt install -y --no-install-recommends --fix-missing \
-    zeek \
-    redis \
-    npm \
-    && ln -s /opt/zeek/bin/zeek /usr/local/bin/bro \
-    && apt clean \
-    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
-    && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash - \
-    && export NVM_DIR="$HOME/.nvm" \
-    && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  \
-    && nvm install 22 \
-
-
-# Upgrade pip3 and install slips requirements
-RUN pip3 install --no-cache-dir --upgrade pip
-
-# Switch to Slips installation dir on login.
-WORKDIR ${SLIPS_DIR}
-
-COPY . $SLIPS_DIR
-
-# we're excluding black here because it has conflicts with the tensorflow version required in requirements.txt
-# this is temporary until we upgrade tensorflow to the latest version
-RUN  pip install --ignore-installed --no-cache-dir -r install/requirements.txt \
-    && chmod 774 slips.py \
-    && git init \
-    && git remote add origin https://github.com/stratosphereips/StratosphereLinuxIPS.git \
-    && cd modules/kalipso \
-    && npm install
-
-# set use_p2p to yes in the config file
-RUN sed -i "s/use_p2p : False/use_p2p : True/" config/slips.yaml
-
-# build the pigeon and add pigeon to path
-RUN cd p2p4slips \
-    && go build \
-    && export PATH="$PATH:/StratosphereLinuxIPS/p2p4slips/";
-
-WORKDIR ${SLIPS_DIR}
-
-CMD /bin/bash
+FROM ubuntu:22.04
+# To avoid user interaction when installing libraries
+ENV DEBIAN_FRONTEND=noninteractive
+# Blocking module requirement to avoid using sudo
+ENV IS_IN_A_DOCKER_CONTAINER=True
+# destionation dir for slips inside the container
+ENV SLIPS_DIR=/StratosphereLinuxIPS
+
+ENV NODE_VERSION=22.5.0
+ENV NVM_DIR=/root/.nvm
+
+# use bash instead of sh
+SHELL ["/bin/bash", "-c"]
+
+
+# Install wget and add Zeek and redis repositories to our sources.
+RUN apt update && apt install -y --no-install-recommends \
+    wget \
+    ca-certificates \
+    git \
+    curl \
+    gnupg \
+    lsb-release \
+    software-properties-common \
+    build-essential \
+    file \
+    lsof \
+    iptables \
+    iproute2 \
+    nfdump \
+    tshark \
+    whois \
+    yara \
+    net-tools \
+    vim \
+    less \
+    unzip \
+    golang \
+    python3-certifi \
+    python3-dev \
+    python3-tzlocal \
+    python3-pip \
+    && echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' |  tee /etc/apt/sources.list.d/security:zeek.list \
+    && curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor |  tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null \
+    && curl -fsSL https://packages.redis.io/gpg |  gpg --dearmor -o /usr/share/keyrings/redis-archive-keyring.gpg \
+    && echo "deb [signed-by=/usr/share/keyrings/redis-archive-keyring.gpg] https://packages.redis.io/deb $(lsb_release -cs) main" > /etc/apt/sources.list.d/redis.list \
+    && apt update \
+    && apt install -y --no-install-recommends --fix-missing \
+    zeek \
+    redis \
+    npm \
+    && ln -s /opt/zeek/bin/zeek /usr/local/bin/bro \
+    && apt clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
+    && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash - \
+    && export NVM_DIR="$HOME/.nvm" \
+    && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  \
+    && nvm install 22 \
+
+
+RUN pip3 install --no-cache-dir --upgrade pip
+
+RUN git clone https://github.com/IDMEFv2/python-idmefv2  \
+    && cd python-idmefv2 \
+    && git submodule update --init --recursive \
+    && python3 setup.py install \
+    && cd ..
+
+
+# Switch to Slips installation dir on login.
+WORKDIR ${SLIPS_DIR}
+
+COPY P2P-image $SLIPS_DIR
+
+RUN  pip install --ignore-installed --no-cache-dir -r install/requirements.txt \
+    && chmod 774 slips.py \
+    && git init \
+    && git remote add origin https://github.com/stratosphereips/StratosphereLinuxIPS.git \
+    && cd modules/kalipso \
+    && npm install \
+
+
+# build the pigeon and add pigeon to path
+RUN cd p2p4slips \
+    && go build \
+    && export PATH="$PATH:/StratosphereLinuxIPS/p2p4slips/";
+
+WORKDIR ${SLIPS_DIR}
+
+CMD /bin/bash