
Documentation error #959

Closed
eldraco opened this issue Aug 27, 2024 · 3 comments · Fixed by #1171
Labels
Difficulty: Beginners Stuff that you can do with skills for starters Documentation Related to documentation Help wanted

Comments

eldraco (Collaborator) commented Aug 27, 2024

Describe the bug
The documentation here https://stratospherelinuxips.readthedocs.io/en/develop/features.html#connection-to-unknown-ports is not accurate

Connection to unknown ports[](https://stratospherelinuxips.readthedocs.io/en/develop/features.html#connection-to-unknown-ports)
Slips has a list of known ports located in slips_files/ports_info/ports_used_by_specific_orgs.csv

It also has a list of ports that belong to a specific organization in slips_files/ports_info/ports_used_by_specific_orgs.csv

For example, even though 5223/TCP isn’t a well known port, Apple uses it in Apple Push Notification Service (APNS).

Any port that isn’t in the above 2 files is considered unknown to Slips.

Examples of spyware that use custom ports are [hermit](https://www.lookout.com/blog/hermit-spyware-discovery) using ports 58442/TCP and 8442/TCP.

Changes to do

  • First file should be services.csv
  • The file ports_used_by_specific_orgs.csv is checked in very specific order. Say exactly how here: MAC, SNI, hostname, RDNS, etc.
@eldraco eldraco added Help wanted Difficulty: Beginners Stuff that you can do with skills for starters Documentation Related to documentation labels Aug 27, 2024
@eldraco eldraco added this to Slips Aug 27, 2024
@github-project-automation github-project-automation bot moved this to Todo in Slips Aug 27, 2024
AlyaGomaa (Collaborator):

Add the following to the docs:

This function says that the port belongs to an org if:
1. we have its info in ports_used_by_specific_orgs.csv

and considers that the IP belongs to an org if:
1. both saddr and daddr have the MAC vendor of this org, e.g. apple
2. both saddr and daddr belong to the range specified in ports_used_by_specific_orgs.csv
3. the SNI, hostname, rDNS or ASN of this IP belongs to this org
4. the IPs match orgs that Slips has info about (apple, fb, google, etc.)

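As an added illustration of the check order described in the comment above (example code written for this issue, not Slips's own implementation): the file layouts, the sample ranges and the choice to apply check 3 to either endpoint are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the two files the issue names; column layouts are assumptions.
KNOWN_SERVICE_PORTS = {(443, "tcp"), (53, "udp")}                            # services.csv
ORG_PORTS = {("apple", 5223, "tcp"): [ipaddress.ip_network("17.57.144.0/22")]}  # ports_used_by_specific_orgs.csv
ORG_IP_RANGES = {"apple": [ipaddress.ip_network("17.0.0.0/8")]}              # step 4: orgs Slips has IP info for

@dataclass
class Endpoint:
    """One side of a flow plus whatever enrichment is available (constructed, empty = unknown)."""
    ip: str
    mac_vendor: str = ""
    sni: str = ""
    hostname: str = ""
    rdns: str = ""
    asn: str = ""

def _names_org(value: str, org: str) -> bool:
    return org in value.lower()

def _in_ranges(ip: str, ranges) -> bool:
    return any(ipaddress.ip_address(ip) in r for r in ranges)

def ip_belongs_to_org(src: Endpoint, dst: Endpoint, org: str, ranges) -> str:
    """Checks in the order the comment lists; returns the name of the check that matched, or ''."""
    if _names_org(src.mac_vendor, org) and _names_org(dst.mac_vendor, org):
        return "mac"                                  # 1. both MAC vendors are the org
    if _in_ranges(src.ip, ranges) and _in_ranges(dst.ip, ranges):
        return "csv_range"                            # 2. both IPs inside the CSV range
    for ep in (src, dst):                             # 3. SNI/hostname/rDNS/ASN (assumed: either endpoint)
        for attr in ("sni", "hostname", "rdns", "asn"):
            if _names_org(getattr(ep, attr), org):
                return attr
    if any(_in_ranges(ep.ip, ORG_IP_RANGES.get(org, [])) for ep in (src, dst)):
        return "org_ip_info"                          # 4. IP matched against orgs Slips has info about
    return ""

def is_unknown_port(src: Endpoint, dst: Endpoint, dport: int, proto: str) -> bool:
    """True when the port is in neither file, or is an org port whose endpoints fail every check."""
    if (dport, proto) in KNOWN_SERVICE_PORTS:
        return False
    for (org, port, pr), ranges in ORG_PORTS.items():
        if (port, pr) == (dport, proto) and ip_belongs_to_org(src, dst, org, ranges):
            return False
    return True
```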
@aniket2405 aniket2405 mentioned this issue Jan 14, 2025
aniket2405 commented Jan 14, 2025

Hey, I have raised a PR to fix this issue. Please review and let me know if there are any further changes expected from my end. Thanks!

AlyaGomaa (Collaborator):

Merged. Thanks @aniket2405

@github-project-automation github-project-automation bot moved this from Todo to Done in Slips Jan 15, 2025