Fides Module #1073

Open
wants to merge 211 commits into base: develop

211 commits
f440c84
Merge modules/FidesModule from David-enhance-fides-module branch to k…
d-strat Oct 3, 2024
422e43f
Let go, PyCharm knows
d-strat Oct 3, 2024
550c453
Trust Databases are now running.
d-strat Oct 3, 2024
2ccc87e
Add all Fides' channels and save progress before implementing new kno…
d-strat Oct 4, 2024
79e6ceb
Fix Hardcoded path and update gitignore.
d-strat Oct 6, 2024
cd47da7
Import Changes made during Alya/David meeting.
d-strat Oct 6, 2024
8be78bc
Fix messaging queues or leave them out wherever possible
d-strat Oct 8, 2024
05bebf7
Cleanup channels and test prints
d-strat Oct 8, 2024
a0878cf
Delete outdated code piece
d-strat Oct 8, 2024
c93f218
Fix and update fides module logger to fit current slips.
d-strat Oct 8, 2024
e9820c2
Fix typo in original redis wrapper.
d-strat Oct 8, 2024
35eafc0
Create files and prepare for database implementation.
d-strat Oct 9, 2024
134ef64
Implement SlipsThreatIntelligenceDatabase, class to get Fides' TI by …
d-strat Oct 10, 2024
57d20c6
Update peer to make it possible to use json.dump on it
d-strat Oct 10, 2024
dcf4666
Implement storing and retrieving connected P2P peers.
d-strat Oct 10, 2024
472a027
Delete obsolete messaging interface code
d-strat Oct 11, 2024
8fc2a6a
Implement storing and retrieving trust data to and from redis database.
d-strat Oct 11, 2024
69aecb2
Implement caching of threat intelligence.
d-strat Oct 11, 2024
8fb0228
Implement base for SQLite database.
d-strat Oct 15, 2024
b9d3c45
Implement dictionary conversions.
d-strat Oct 15, 2024
f365ab0
Fix time
d-strat Oct 15, 2024
f3bf240
Add dictionary conversions to recommendation_history.py.
d-strat Oct 15, 2024
40d230f
Add sqldatabase to trust.py
d-strat Oct 15, 2024
5325a61
Write table creation to p2p SQL database.
d-strat Oct 15, 2024
5bfd291
Add PeerTrustData table to store corresponding datatype, finish datab…
d-strat Oct 17, 2024
2748678
Fix database design, PeerTrustData 1 to many RecommendationHistory, 1…
d-strat Oct 17, 2024
e902d80
Add missing function to template
d-strat Oct 17, 2024
a8d55a8
Improve storage of PeerInfo list with different use cases in mind. Or…
d-strat Oct 17, 2024
7b1bd94
Implement connected peers backing up in a SQLite database as well as …
d-strat Oct 17, 2024
06dc8df
Implement get_peers_with_organisations, function that gets list of p…
d-strat Oct 18, 2024
d43d4b6
Merge branch 'stratosphereips:master' into david-feature-fides-module…
d-strat Oct 18, 2024
5fff215
Protect query execution from race condition.
d-strat Oct 21, 2024
1265d32
Update database design to be able to store truly everything.
d-strat Oct 21, 2024
436748a
Adds a function that gives all peers in form of PeerInfo that have re…
d-strat Oct 22, 2024
7939771
Add SQLite fallback for get_peer_trust_data()
d-strat Oct 22, 2024
5a16061
Add thread safe function that stores data into the SQLite database, t…
d-strat Oct 22, 2024
56ed053
Enrobust get_peer_trust_data() function
d-strat Oct 22, 2024
ed9c192
Add SQLite-equivalent to Redis function to store_peer_trust_data()
d-strat Oct 22, 2024
2ffe451
Resolve caching TODOs
d-strat Oct 22, 2024
5c3f9fe
Implement get peers with organisation using Slips' DatabaseManager.
d-strat Oct 22, 2024
d1b0161
Merge remote-tracking branch 'origin/david-feature-fides-module-rewri…
d-strat Oct 22, 2024
95a4440
Implement creator for testing database.
d-strat Oct 22, 2024
211f41a
Get TIEvaluation from file using the original configuration-reading m…
d-strat Oct 23, 2024
eea662d
Add save() to Slips' Redis database and accommodate get_for() to the …
d-strat Oct 23, 2024
486e144
Add save() to Slips' Redis database and accommodate get_for() to the …
d-strat Oct 23, 2024
877413f
Add backup of SlipsThreatIntelligence from threat_intelligence.py int…
d-strat Oct 23, 2024
28bb6fd
Add comments
d-strat Oct 23, 2024
a6a53e6
Merge branch 'trust_database_sql_queries' into david-feature-fides-mo…
d-strat Oct 23, 2024
6781468
Add base class for SQLite DB tests
d-strat Oct 24, 2024
0d3f680
Fix __dict__ -> dict
d-strat Oct 24, 2024
50d018a
Fix __dict__ -> dict
d-strat Oct 24, 2024
9fe34d5
Fix __dict__ -> dict
d-strat Oct 24, 2024
54560be
Fix __dict__ -> dict
d-strat Oct 24, 2024
10ea5d3
Fix table-creation-query for PeerTrustData.
d-strat Oct 24, 2024
75d335a
Fix slips threat intelligence test and table
d-strat Oct 24, 2024
a2595b5
Fix test_store_slips_threat_intelligence
d-strat Oct 24, 2024
06c1786
Fix test_get_slips_threat_intelligence_by_target
d-strat Oct 24, 2024
abf6c3f
Make database lock reentrant - atomicity of multi-table-altering queries
d-strat Oct 24, 2024
20e806a
Fix sample values test_get_peer_trust_data
d-strat Oct 24, 2024
923e61b
Fix test values.
d-strat Oct 24, 2024
a3263be
Fix peer info storage
d-strat Oct 24, 2024
90a6bbe
Merge branch 'write-sqlite-db-tests' into david-feature-fides-module-…
d-strat Oct 25, 2024
fcbb524
Merge remote-tracking branch 'upstream/develop' into david-feature-fi…
d-strat Oct 25, 2024
5d0c742
Cleanup and fixes: id access in store_peer_trust_data and Redis call …
d-strat Oct 27, 2024
492c4c3
Make database imports point to the correct database, plus minor fixes
d-strat Oct 31, 2024
8a7ba6a
Merge remote-tracking branch 'upstream/develop' into develop
d-strat Nov 12, 2024
ab34ff7
Merge remote-tracking branch 'upstream/develop' into david-feature-fi…
d-strat Nov 12, 2024
0e40c00
Create a base for fides module testing
d-strat Nov 15, 2024
1490570
Fix Fides SQLite database's logging
d-strat Nov 15, 2024
8d4d2c0
Add pre main test with database cleanup
d-strat Nov 18, 2024
77f02ec
Add descriptions to tests and fidesModule.py
d-strat Nov 19, 2024
ebe5f36
Create a base for fides documentation
d-strat Nov 19, 2024
085aa98
Merge branch 'test-messaging' into develop
d-strat Nov 19, 2024
9743063
Write Fides Module documentation.
d-strat Nov 19, 2024
b4ed358
Fix Fides module documentation
d-strat Nov 19, 2024
319f77f
Add Fides' Module database to .gitignore
d-strat Nov 19, 2024
86b2c60
Merge modules/FidesModule from David-enhance-fides-module branch to k…
d-strat Oct 3, 2024
5f80700
Let go, PyCharm knows
d-strat Oct 3, 2024
4c49c28
Trust Databases are now running.
d-strat Oct 3, 2024
7999152
Add all Fides' channels and save progress before implementing new kno…
d-strat Oct 4, 2024
68b013a
Fix Hardcoded path and update gitignore.
d-strat Oct 6, 2024
83ea0c6
Import Changes made during Alya/David meeting.
d-strat Oct 6, 2024
3d955f0
Fix messaging queues or leave them out wherever possible
d-strat Oct 8, 2024
900b373
Cleanup channels and test prints
d-strat Oct 8, 2024
0a07431
Delete outdated code piece
d-strat Oct 8, 2024
0f9fc2f
Fix and update fides module logger to fit current slips.
d-strat Oct 8, 2024
d7e932d
Fix typo in original redis wrapper.
d-strat Oct 8, 2024
e560bc1
Create files and prepare for database implementation.
d-strat Oct 9, 2024
b8f7651
Implement SlipsThreatIntelligenceDatabase, class to get Fides' TI by …
d-strat Oct 10, 2024
7f7a349
Update peer to make it possible to use json.dump on it
d-strat Oct 10, 2024
a0cf1e3
Implement storing and retrieving connected P2P peers.
d-strat Oct 10, 2024
4503911
Delete obsolete messaging interface code
d-strat Oct 11, 2024
c9cad72
Implement storing and retrieving trust data to and from redis database.
d-strat Oct 11, 2024
95ca713
Implement caching of threat intelligence.
d-strat Oct 11, 2024
91ebcc1
Implement base for SQLite database.
d-strat Oct 15, 2024
281ac6d
Implement dictionary conversions.
d-strat Oct 15, 2024
17b69e3
Fix time
d-strat Oct 15, 2024
ddad024
Add dictionary conversions to recommendation_history.py.
d-strat Oct 15, 2024
90e567f
Add sqldatabase to trust.py
d-strat Oct 15, 2024
65a17e2
Write table creation to p2p SQL database.
d-strat Oct 15, 2024
ab974da
Add PeerTrustData table to store corresponding datatype, finish datab…
d-strat Oct 17, 2024
737a6b8
Fix database design, PeerTrustData 1 to many RecommendationHistory, 1…
d-strat Oct 17, 2024
9b0a0fc
Add missing function to template
d-strat Oct 17, 2024
da5b332
Improve storage of PeerInfo list with different use cases in mind. Or…
d-strat Oct 17, 2024
5b37262
Implement connected peers backing up in a SQLite database as well as …
d-strat Oct 17, 2024
bcedebe
Implement get peers with organisation using Slips' DatabaseManager.
d-strat Oct 22, 2024
d25dec5
Get TIEvaluation from file using the original configuration-reading m…
d-strat Oct 23, 2024
cdc1881
Add save() to Slips' Redis database and accommodate get_for() to the …
d-strat Oct 23, 2024
0c44d22
Implement get_peers_with_organisations, function that gets list of p…
d-strat Oct 18, 2024
0449dcf
Protect query execution from race condition.
d-strat Oct 21, 2024
fd62123
Update database design to be able to store truly everything.
d-strat Oct 21, 2024
15617e0
Adds a function that gives all peers in form of PeerInfo that have re…
d-strat Oct 22, 2024
aed65ff
Add SQLite fallback for get_peer_trust_data()
d-strat Oct 22, 2024
0ec7150
Add thread safe function that stores data into the SQLite database, t…
d-strat Oct 22, 2024
b4fbf23
Enrobust get_peer_trust_data() function
d-strat Oct 22, 2024
3acaa9b
Add SQLite-equivalent to Redis function to store_peer_trust_data()
d-strat Oct 22, 2024
89b6aa9
Resolve caching TODOs
d-strat Oct 22, 2024
aad1545
Implement creator for testing database.
d-strat Oct 22, 2024
5f38d15
Add backup of SlipsThreatIntelligence from threat_intelligence.py int…
d-strat Oct 23, 2024
193d35c
Add comments
d-strat Oct 23, 2024
0ef55cd
Fix __dict__ -> dict
d-strat Oct 24, 2024
77f47cf
Add base class for SQLite DB tests
d-strat Oct 24, 2024
95fab9d
Fix __dict__ -> dict
d-strat Oct 24, 2024
af72a89
Fix __dict__ -> dict
d-strat Oct 24, 2024
81e0d7b
Fix table-creation-query for PeerTrustData.
d-strat Oct 24, 2024
9d6e44a
Fix slips threat intelligence test and table
d-strat Oct 24, 2024
134bfef
Fix test_store_slips_threat_intelligence
d-strat Oct 24, 2024
5fad83a
Fix test_get_slips_threat_intelligence_by_target
d-strat Oct 24, 2024
4b70607
Make database lock reentrant - atomicity of multi-table-altering queries
d-strat Oct 24, 2024
ad63e96
Fix sample values test_get_peer_trust_data
d-strat Oct 24, 2024
65a5e01
Fix test values.
d-strat Oct 24, 2024
2664757
Fix peer info storage
d-strat Oct 24, 2024
92acabd
Cleanup and fixes: id access in store_peer_trust_data and Redis call …
d-strat Oct 27, 2024
db3419a
Make database imports point to the correct database, plus minor fixes
d-strat Oct 31, 2024
71b673f
Create a base for fides module testing
d-strat Nov 15, 2024
35bbb27
Fix Fides SQLite database's logging
d-strat Nov 15, 2024
e5eedd8
Add pre main test with database cleanup
d-strat Nov 18, 2024
2e84540
Add descriptions to tests and fidesModule.py
d-strat Nov 19, 2024
d352246
Create a base for fides documentation
d-strat Nov 19, 2024
9ade8c8
Write Fides Module documentation.
d-strat Nov 19, 2024
82844d8
Fix Fides module documentation
d-strat Nov 19, 2024
a635c49
Add Fides' Module database to .gitignore
d-strat Nov 19, 2024
a20aa10
Merge remote-tracking branch 'origin/develop' into develop
d-strat Nov 19, 2024
76d9610
Fix trust.py after merge
d-strat Nov 19, 2024
5fd111f
Clean the Slips output from network_bridge.py logger
d-strat Nov 19, 2024
ec35135
Addressed PR comments: Fix link in docs
d-strat Nov 21, 2024
2407943
Addressed PR comments: Add description
d-strat Nov 21, 2024
b5d696f
Addressed PR comments: Shorten the description for better readability…
d-strat Nov 21, 2024
1fde730
fides: remove error handling from module's main, use the IModule's tr…
AlyaGomaa Nov 22, 2024
8397fb4
fides: only run on interface and when use_p2p is enabled in slips.yaml
AlyaGomaa Nov 22, 2024
0ce6337
move fides sqlite db tests to the tests/ dir and run them using CI
AlyaGomaa Nov 22, 2024
7f143ef
Make fides_module.md visible in the docs
AlyaGomaa Nov 22, 2024
e44e9a9
pre-commit: exclude sqlite_db.py from ruff
AlyaGomaa Nov 25, 2024
8bcad6f
Fides: cleanup opened threads on termination
AlyaGomaa Nov 25, 2024
c99e893
Fides: split long lines
AlyaGomaa Nov 25, 2024
afa54f2
p2ptrust: remove pigeon warnings when the pigeon is shutdown graceful…
AlyaGomaa Nov 25, 2024
94f72e2
Cleanup of obsolete files
d-strat Nov 25, 2024
8e59860
Cleanup of obsolete files
d-strat Nov 26, 2024
50ae758
Cleanup of obsolete files
d-strat Nov 26, 2024
466562c
Adding the correct channels to fidesModule.py
d-strat Nov 26, 2024
aab6284
Rename queueF.py to redis_simplex_queue.py in modules/fidesModule/mes…
d-strat Nov 26, 2024
e7647bd
Resurrecting files that were in use
d-strat Nov 26, 2024
d2d473a
Clean up obsolete files from persistence with an E, move the useful o…
d-strat Nov 26, 2024
2af1afa
Rename persistAnce -> persistEnce
d-strat Nov 26, 2024
62f7c54
fides: fix err connecting to new_ip channel
AlyaGomaa Nov 27, 2024
b7e676a
add an option in the config to enable fides instead of enabling it wi…
AlyaGomaa Nov 27, 2024
fb18284
fides: validate IPs before sending to other peers
AlyaGomaa Nov 27, 2024
db85834
update PR with the latest develop
AlyaGomaa Nov 27, 2024
78c2dce
Merge remote-tracking branch 'upstream/develop' into develop
d-strat Nov 29, 2024
7d1bc63
Add finished high level docs for Fides Module.
d-strat Nov 29, 2024
b7fecfb
Add messaging - NetworkBridge, Queue - tests
d-strat Dec 1, 2024
6ad67ce
Merge remote-tracking branch 'upstream/develop' into develop
d-strat Dec 4, 2024
298c3d7
run fides on growing zeek dir
AlyaGomaa Dec 4, 2024
21b21ad
add an integration test for fides
AlyaGomaa Dec 4, 2024
f27db24
Merge remote-tracking branch 'origin/develop' into develop
d-strat Dec 4, 2024
84c2f52
add fides config file for testing
AlyaGomaa Dec 4, 2024
b25ae7a
Merge remote-tracking branch 'origin/develop' into develop
d-strat Dec 4, 2024
77e0c77
Merge remote-tracking branch 'origin/develop' into fork/d-strat/develop
AlyaGomaa Dec 4, 2024
17cebcb
fides: change verbose lvl of fides logs
AlyaGomaa Dec 4, 2024
84aeb29
test_fides: countdown until sigterm
AlyaGomaa Dec 4, 2024
f61fd1d
rename p2p_db.sqlite and change its location
AlyaGomaa Dec 4, 2024
ad9a31d
update fides test
AlyaGomaa Dec 4, 2024
a960ee1
Merge remote-tracking branch 'origin/develop' into develop
d-strat Dec 4, 2024
5a11178
Add cwd to integration/e2e test for Fides Module
d-strat Dec 5, 2024
bb0cebe
Add temporary receive in fidesModule.py to pass test
d-strat Dec 5, 2024
36864fe
Ignore tmp directory
d-strat Dec 5, 2024
f84c440
Ignore tmp directory fix
d-strat Dec 5, 2024
94dc981
Fix possible cause of crashing
d-strat Dec 5, 2024
642f5b2
.pre-commit-config.yaml: fix exclude regex
AlyaGomaa Dec 5, 2024
f1b7fba
rm output dir after the fides test is done
AlyaGomaa Dec 5, 2024
680ddbe
Merge remote-tracking branch 'd-strat/develop' into fork/d-strat/develop
AlyaGomaa Dec 5, 2024
cde4baa
Add Optional to data handling classes
d-strat Dec 6, 2024
3bc3ce0
Disable sqlite's thread safety feature, own thread safety is implemented
d-strat Dec 6, 2024
a8ee278
Fix id extraction
d-strat Dec 6, 2024
00d8598
fides: move fides_p2p_db.sqlite to the main slips dir instead of the …
AlyaGomaa Dec 9, 2024
fda083b
Merge remote-tracking branch 'origin/develop' into develop
d-strat Dec 23, 2024
557b164
Create proper integration test for Fides module (currently partial as…
d-strat Dec 26, 2024
5d73aa3
Updating gitignore and docs (minor)
d-strat Dec 26, 2024
185b396
Fix fides module (manual integration testing using debugging)
d-strat Dec 29, 2024
3481344
Fixing fides module second test
d-strat Dec 29, 2024
efd594a
Update Fides documentation, add messaging support to programmers notes
d-strat Dec 29, 2024
fadab65
update branch with the latest develop
AlyaGomaa Jan 8, 2025
7353359
evidencehandler.py: remove debugging print
AlyaGomaa Jan 8, 2025
f81fac4
run test_fides in CI
AlyaGomaa Jan 8, 2025
3ff105f
fides: change how new alerts are handled
AlyaGomaa Jan 8, 2025
3b4cf40
Fix database deleting itself
d-strat Jan 10, 2025
920dc97
Write description for the test_trust_recommendation_response test
d-strat Jan 10, 2025
1d687af
Sort out Redis client duplicity
d-strat Jan 10, 2025
ab1efdd
Clear debugging and testing and development code
d-strat Jan 10, 2025
c91022a
test_fides: test test_trust_recommendation_response's ability to cr…
AlyaGomaa Jan 10, 2025
6f8be5f
test_fides: remove debugging prints from test_trust_recommendation_…
AlyaGomaa Jan 10, 2025
1 change: 1 addition & 0 deletions .github/workflows/integration-tests.yml
@@ -24,6 +24,7 @@ jobs:
- test_config_files.py
- test_portscans.py
- test_dataset.py
- test_fides.py

steps:
- uses: actions/checkout@v4
2 changes: 2 additions & 0 deletions .github/workflows/unit-tests.yml
@@ -78,6 +78,8 @@ jobs:
- test_host_ip_manager.py
- test_rnn_cc_detection.py
- test_idea_format.py
- test_fides_sqlite_db.py
- test_fides_module.py

steps:
- uses: actions/checkout@v4
6 changes: 6 additions & 0 deletions .gitignore
@@ -172,3 +172,9 @@ output/
config-live-macos-*
dataset-private/*
appendonly.aof
/slipsOut/flows.sqlite
/slipsOut/metadata/info.txt
/slipsOut/metadata/slips.yaml
/slipsOut/metadata/whitelist.conf
/p2p_db.sqlite
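Review bot: the `/p2p_db.sqlite` entry at the end of this hunk looks stale; later commits in this PR ("rename p2p_db.sqlite and change its location", "fides: move fides_p2p_db.sqlite to the main slips dir instead of the …") rename and relocate the file, so the ignore pattern should match the final name and path, e.g. `/fides_p2p_db.sqlite`, or the database will end up tracked again. The four `/slipsOut/...` entries look like one developer's local output directory rather than paths every checkout produces; either drop them or ignore `/slipsOut/` as a whole.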

31 changes: 19 additions & 12 deletions config/slips.yaml
@@ -78,13 +78,13 @@ parameters:
# zeek breaks the connection into smaller connections
tcp_inactivity_timeout: 60
# Should we delete the previously stored data in the DB when we start?
# By default False. Meaning we don't DELETE the DB by default.
# By default false. Meaning we don't DELETE the DB by default.
deletePrevdb: true
# You can remember the data in all the previous runs of the DB if
# you put False.
# you put false.
# Redis will remember as long as the redis server is not down.
# The persistence is in memory, not disk.
# deletePrevdb : False
# deletePrevdb : false
# Set the label for all the flows that are being read.
# For now only normal and malware directly. No option for setting labels
# with a filter
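Review bot: the comment and the value disagree right at the top of this hunk: `# By default false. Meaning we don't DELETE the DB by default.` is immediately followed by `deletePrevdb: true`. This change only lowercases the comment, so it is a good moment to make them agree, either by stating that the shipped value is `true` or by changing the value to `false`; leaving a comment that claims the opposite of the setting is how users end up surprised by a wiped database.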
@@ -154,7 +154,7 @@ detection:
# May lead to false negatives
evidence_detection_threshold: 0.25
# Slips can show a popup/notification with every alert.
popup_alerts: False
popup_alerts: false
#############################
modules:
# List of modules to ignore. By default we always ignore the template!
@@ -198,7 +198,7 @@ threatintelligence:
# and all TI files are loaded successfully
# this is usefull if you want to ensure that slips doesn't miss the
# detection of any blacklisted IPs
wait_for_TI_to_finish: False
wait_for_TI_to_finish: false
# Default Path to the folder with files holding malcious IPs
# All the files in this folder are read and the IPs are considered malicious
# The format of the files must be, per line: "Number","IP address","Rating",
@@ -275,7 +275,7 @@ exporting_alerts:
# if your TAXII server is a remote server,
# you can set the port to 443 or 80.
port: 1234
use_https: False
use_https: false
discovery_path: /services/discovery-a
inbox_path: /services/inbox-a
# Collection on the server you want to push stix data to
@@ -299,8 +299,8 @@ exporting_alerts:
CESNET:
# Slips supports exporting and importing evidence in the IDEA format to/from
# warden servers.
send_alerts: False
receive_alerts: False
send_alerts: false
receive_alerts: false
# warden configuration file. For format instructions check
# yamllint disable-line rule:line-length
# https://stratospherelinuxips.readthedocs.io/en/develop/exporting.html?highlight=exporting# cesnet-sharing
@@ -346,7 +346,7 @@ Docker:
Profiling:
# [11] CPU profiling
# enable cpu profiling [yes,no]
cpu_profiler_enable: False
cpu_profiler_enable: false
# Available options are [dev,live]
# dev for deterministic profiling. this will give precise information
# about the CPU usage
@@ -363,16 +363,23 @@ Profiling:
# set the wait time between sampling sequences in seconds (live mode only)
cpu_profiler_sampling_interval: 20
# enable memory profiling [yes,no]
memory_profiler_enable: False
memory_profiler_enable: false
# set profiling mode [dev,live]
memory_profiler_mode: live
# profile all subprocesses [yes,no]
memory_profiler_multiprocess: True
#############################
web_interface:
port: 55000

#############################
global_p2p:
# this is the global p2p's trust model. can only be enabled when
# running slips on an interface
use_fides: false

#############################
P2P:
# create p2p.log with additional info about peer communications?
create_p2p_logfile: False
use_p2p: False
create_p2p_logfile: false
use_p2p: false
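Review bot: `memory_profiler_multiprocess: True` is left capitalized while every other boolean in this file is lowercased by the PR; lowercase it as well so the file is consistent. For the new `global_p2p.use_fides` option, the comment says it "can only be enabled when running slips on an interface" but does not say what happens otherwise; the commit log contains both "fides: only run on interface and when use_p2p is enabled in slips.yaml" and the later "add an option in the config to enable fides instead of enabling it wi…", so state in the comment whether `use_fides` is silently ignored on file input and whether it still requires `use_p2p: true` in the `P2P` block below, otherwise users will enable it and see nothing happen.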
192 changes: 192 additions & 0 deletions docs/fides_module.md
@@ -0,0 +1,192 @@
# Fides module

Traditional network defense systems depend on centralized threat intelligence, which has limitations like single points of failure, inflexibility, and reliance on trust in centralized authorities. Peer-to-peer networks offer an alternative for sharing threat intelligence but face challenges in verifying the trustworthiness of participants, including potential malicious actors.

The Fides Module, based on [Master Theses](https://github.com/stratosphereips/fides/tree/bfac47728172d3a4bbb27a5bb53ceef424e45e4f) on CTU FEL by Lukáš Forst. The goal of this module is to address the challenge of trustworthyness of peers in peer-to-peer networks by providing several trust evaluation models. It evaluates peer behavior, considers membership in trusted organizations, and assesses incoming threat data to determine reliability. Fides aggregates and weights data to enhance intrusion prevention systems, even in adversarial scenarios. Experiments show that Fides can maintain accurate threat intelligence even when 75% of the network is controlled by malicious actors, assuming the remaining 25% are trusted.

This readme provides a shallow overview of the code structure, to briefly document the code for future developers. The whole architecture was thoroughly documented in the thesis itself, which can be downloaded from the link above.

## Docker direct use
You can use Slips with Fides Module by allowing it in the Slips config file or by using the following commands.

```
docker pull stratosphereips/slips
docker run -it --rm --net=host --cap-add=NET_ADMIN stratosphereips/slips
```

For the Fides Module enabled you should use ```--cap-add=NET_ADMIN```

## Installation:

```
docker pull stratosphereips/slips
docker run -it --rm --net=host --use_fides=True stratosphereips/slips
```
***NOTE***

If you plan on using the Fides Module, lease be aware that it is used only
if Slips is running on an interface. The `--use_fides=True` is ignored when Slips is run on a file.

### Configuration
Evaluation model, evaluation thrash-holds and other configuration is located in fides.conf.yml

**Possible threat intelligence evaluation models**

| **Model Name** | **Description** |
|:-----------------------|--------------------------------------------------------------|
| `average` | Average Confidence Trust Intelligence Aggregation |
| `weightedAverage` | Weighted Average Confidence Trust Intelligence Aggregation |
| `stdevFromScore` | Standard Deviation From Score Trust Intelligence Aggregation |

## Usage in Slips

Fides is inactive by default in Spips.

To enable it, change ```use_fides=False``` to ```use_fides=True``` in ```config/slips.yaml```


### **Communication**
The module uses Slips' Redis to receive and send messages related to trust intelligence, evaluation of trust in peers and alert message dispatch.

**Used Channels**
odules/fidesModule/messaging/message_handler.py
| **Slips Channel Name** | **Purpose** |
|-----------------|-------------------------------------------------------------------------|
| `slips2fides` | Provides communication channel from Slips to Fides |
| `fides2slips` | Enables the Fides Module to answer requests from slips2fides |
| `network2fides` | Facilitates communication from network (P2P) module to the Fides Module |
| `fides2network` | Lets the Fides Module request network opinions form network modules |

For more details, the code [here](https://github.com/stratosphereips/fides/tree/bfac47728172d3a4bbb27a5bb53ceef424e45e4f/fides/messaging) may be read.


### **Messages**

| **Message type (data['type'])** | **Channel** | **Call/Handle** | **Description** |
|:-------------------------------:|-----------------|-----------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|
| `alert` | `slips2fides` | FidesModule as self.__alerts.dispatch_alert(target=data['target'], confidence=data['confidence'],score=data['score']) | Triggers sending an alert to the network, about given target, which SLips believes to be compromised. |
| `intelligence_request` | `slips2fides` | FidesModule as self.__intelligence.request_data(target=data['target']) | Triggers request of trust intelligence on given target. |
| `tl2nl_alert` | `fides2network` | call dispatch_alert() of AlertProtocol class instance | Broadcasts alert through the network about the target. |
| `tl2nl_intelligence_response` | `fides2network` | NetworkBridge.send_intelligence_response(...) | Shares Intelligence with peer that requested it. |
| `tl2nl_intelligence_request` | `fides2network` | NetworkBridge.send_intelligence_request(...) | Requests network intelligence from the network regarding this target. |
| `tl2nl_recommendation_response` | `fides2network` | NetworkBridge.send_recommendation_response(...) | Responds to given request_id to recipient with recommendation on target. |
| `tl2nl_recommendation_request` | `fides2network` | NetworkBridge.send_recommendation_request(...) | Request recommendation from recipients on given peer. |
| `tl2nl_peers_reliability` | `fides2network` | NetworkBridge.send_peers_reliability(...) | Sends peer reliability, this message is only for network layer and is not dispatched to the network. |


Implementations of Fides_Module-network-communication can be found in modules/fidesModule/messaging/network_bridge.py.

## Project sections

The project is built into Slips as a module and uses Redis for communication. Integration with Slips
is seamless, and it should be easy to adjust the module for use with other IPSs.

- Slips, the Intrusion Prevention System
- Fides Module the trust evaluation module for global p2p interaction


## How it works:

Slips interacts with other slips peers for the following purposes:

### Sharing opinion on peers

If a peers A is asked for its opinion on peer B by peer C, peer A sends the aggregated opinion on peer B to peer C, if there is any.

### Asking for an opinion

Newly connected peer will create a base trust by asking ather peers for opinion.

### Dispatching alerts

If a threat so great it may impact whole network, one or more groups, threat alert is
dispatched to peers, without regard to trust level accumulated on them.

### Answering and receiving requests form global P2P module.

## Logs

Slips contains a minimal log file for reports received by other peers and peer updates in
```output/fidesModule.log```

## Limitations

For now, slips supports the trust intelligence evaluation, global p2p is to be implemented.

## Implementation notes and credit
The mathematical models for trust evaluation were written by Lukáš Forst as part of his theses and can be accessed [here](https://github.com/LukasForst/fides/commits?author=LukasForst).


## TLDR;

Slips (meaning Fides Module here) only shares trust level and confidence (numbers) generated by slips about IPs to the network,
no private information is shared.

## Programmers notes

Variables used in the trust evaluation and its accompanied processes, such as database-backup in persistent SQLite storage and memory persistent
Redis database of Slips, are strings, integers and floats grouped into custom dataclasses. Aforementioned data classes can
be found in modules/fidesModule/model. The reader may find that all of the floating variables are in the interval <-1; 1>
and some of them are between <0; 1>, please refer to the modules/fidesModule/model directory.

The Fides Module is designed to cooperate with a global-peer-to-peer module. The communication is done using Slips' Redis
channel, for more information please refer to communication and messages sections above.

An example of a message answering Fides-Module's opinion request follows.
```
import redis

# connect to redis database 0
redis_client = redis.StrictRedis(host='localhost', port=6379, db=0)

message = '''
{
"type": "nl2tl_intelligence_response",
"version": 1,
"data": [
{
"sender": {
"id": "peer1",
"organisations": ["org_123", "org_456"],
"ip": "192.168.1.1"
},
"payload": {
"intelligence": {
"target": {"type": "server", "value": "192.168.1.10"},
"confidentiality": {"level": 0.8},
"score": 0.5,
"confidence": 0.95
},
"target": "stratosphere.org"
}
},
{
"sender": {
"id": "peer2",
"organisations": ["org_789"],
"ip": "192.168.1.2"
},
"payload": {
"intelligence": {
"target": {"type": "workstation", "value": "192.168.1.20"},
"confidentiality": {"level": 0.7},
"score": -0.85,
"confidence": 0.92
},
"target": "stratosphere.org"
}
}
]
}
'''

# publish the message to the "network2fides" channel
channel = "network2fides"
redis_client.publish(channel, message)

print(f"Message published to channel '{channel}'.")
```

For more information about message handling, please also refer to modules/fidesModule/messaging/message_handler.py
and to modules/fidesModule/messaging/dacite/core.py for message parsing.
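Review bot: several statements in this new document contradict the config change in this same PR and each other, so please fix them before merging. The Installation section shows `docker run ... --use_fides=True ...` as if it were a CLI flag, but the PR adds `use_fides: false` under `global_p2p` in config/slips.yaml and the Usage section says to edit the yaml; likewise Usage says to change `use_fides=False` to `use_fides=True` while the yaml key is `use_fides: false`. The "Docker direct use" section says `--cap-add=NET_ADMIN` is needed with Fides enabled, yet the Installation command omits it. The bare `odules/fidesModule/messaging/message_handler.py` above the channel table has lost its leading `m` and should be a full sentence or a code span. Spelling: "Master Theses", "trustworthyness", "thrash-holds", "Spips", "lease be aware", "form network modules", "requests form global P2P", "ather peers". In the example message, `payload.target` is `"stratosphere.org"` while `intelligence.target.value` is `192.168.1.10`; make the two agree or explain the difference, since the Messages table describes a response about a single target. Finally, "Limitations" says global p2p "is to be implemented", which should be reconciled with the earlier sections that describe the module cooperating with it.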

14 changes: 6 additions & 8 deletions docs/index.rst
@@ -18,8 +18,8 @@ This documentation gives an overview how Slips works, how to use it and how to h
- **Detection modules**. Explanation of detection modules in Slips, types of input and output. See :doc:`Detection modules <detection_modules>`.

- **Architecture**. Internal architecture of Slips (profiles, timewindows), the use of Zeek and connection to Redis. See :doc:`Architecture <architecture>`.
- **Training with your own data**. Explanation on how to re-train the machine learning system of Slips with your own traffic (normal or malicious).See :doc:`Training <training>`.

- **Training with your own data**. Explanation on how to re-train the machine learning system of Slips with your own traffic (normal or malicious).See :doc:`Training <training>`.

- **Detections per Flow**. Explanation on how Slips works to make detections on each flow with different techniques. See :doc:`Flow Alerts <flowalerts>`.
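Review bot: the moved Training bullet still reads `(normal or malicious).See :doc:` with no space after the period; since the line is being touched anyway, add the space so it renders as a sentence.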

@@ -41,9 +41,9 @@ This documentation gives an overview how Slips works, how to use it and how to h
.. toctree::
:maxdepth: 2
:hidden:
:caption: Slips
self
:caption: Slips

self
installation
usage
architecture
@@ -59,6 +59,4 @@ This documentation gives an overview how Slips works, how to use it and how to h
FAQ
code_documentation
datasets



fides_module
1 change: 1 addition & 0 deletions modules/fidesModule/__init__.py
@@ -0,0 +1 @@
# This module contains code that is necessary for Slips to use the Fides trust model