Describe the bug
The long connection detection is applied to broadcast addresses. Broadcast addresses don't have connections in the traditional sense of exchanging data. So this alert is wrong.
Broadcast packets can happen for a long time for the same IP and ports, but it doesn't mean it is one connection.
2024-12-01T16:58:00.116733+00:00 (TW 1): Src IP 192.168.1.184 . Detected Long Connection. Connection from 192.168.1.184 to destination address: 255.255.255.255 took 44 mins threat level: low.
To Reproduce
It was a private capture
Expected behavior
Not to trigger this alert.
Branch
Docker running slips_light
Develop 1.1.4
Environment (please complete the following information):
OS: macos m1
Version: m1
Python version Python 3.10.12
Are you running slips in docker or locally? yes in docker
Docker version (if running slips in docker) 4.36.0
Commit hash: ( git rev-parse --short HEAD ): not shown in the docker version
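An added example, not part of the original report and not Slips's own code: one way a long-connection check can skip destinations that cannot hold a connection. It generalizes from the reported 255.255.255.255 case to subnet-directed broadcast and multicast; the flow field names, the threshold value, and the sample flows are assumptions constructed for illustration.

```python
import ipaddress

# Assumed threshold in seconds (hypothetical value for this example).
LONG_CONNECTION_THRESHOLD = 1500


def is_connectionless_destination(daddr, local_networks=()):
    """Return True when daddr is a broadcast or multicast address."""
    ip = ipaddress.ip_address(daddr)
    if ip.is_multicast:  # 224.0.0.0/4 and ff00::/8
        return True
    if ip.version == 4:
        if ip == ipaddress.IPv4Address("255.255.255.255"):  # limited broadcast
            return True
        for net in local_networks:
            network = ipaddress.ip_network(net, strict=False)
            # /31 and /32 have no broadcast address (RFC 3021), so skip them.
            if (network.version == 4 and network.prefixlen < 31
                    and ip == network.broadcast_address):
                return True
    return False


def long_connection_alerts(flows, local_networks=()):
    """Return (saddr, daddr, minutes) for flows that deserve the alert."""
    alerts = []
    for flow in flows:
        if flow["dur"] < LONG_CONNECTION_THRESHOLD:
            continue
        if is_connectionless_destination(flow["daddr"], local_networks):
            continue  # repeated broadcast/multicast packets, not one connection
        alerts.append((flow["saddr"], flow["daddr"], int(flow["dur"] // 60)))
    return alerts


# Constructed sample flows; the first mirrors the alert quoted in the report.
SAMPLE_FLOWS = [
    {"saddr": "192.168.1.184", "daddr": "255.255.255.255", "dur": 2640},
    {"saddr": "192.168.1.184", "daddr": "192.168.1.255", "dur": 3000},
    {"saddr": "192.168.1.184", "daddr": "224.0.0.251", "dur": 4000},
    {"saddr": "192.168.1.184", "daddr": "ff02::fb", "dur": 4000},
    {"saddr": "192.168.1.184", "daddr": "203.0.113.10", "dur": 2700},
    {"saddr": "192.168.1.184", "daddr": "203.0.113.11", "dur": 60},
]

if __name__ == "__main__":
    for alert in long_connection_alerts(SAMPLE_FLOWS, ["192.168.1.0/24"]):
        print(alert)
```

A subnet-directed broadcast such as 192.168.1.255 is only recognized when the monitored network's prefix is supplied, so the filter needs the local network ranges as input.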