v1.1.5

• 200x times speedup of domain lookups in the threat intelligence module.
• Add a threat level and confidence to each alert.
• Add evidence for CN and hostname mismatch in SSL flows.
• Add multiple telnet reconnection attempts detection.
• Add support to IP ranges as the client_ip in slips.yaml
• Alert "invalid DNS answer" on all private DNS answers.
• Don't alert "high entropy TXT answers" for flows from multicast IPs.
• Fix multiple reconnection attempts detection.
• Fix problem downloading the latest MAC database from macvendors.com
• Improve the detection of the Gateway IP and MAC when running on files and PCAPs.
• Improve unit tests. Special thanks to @Sekhar-Kumar-Dash.
• Split the "connection to/from blacklisted IPs" detection into two different evidence with different threat levels.
• Update Slips internal list of Apple known ports.

v1.1.4

• Fix changing the used database in the web interface.
• Reduce false positive evidence about malicious downloaded files.
• Fix datetime errors when running on an interface.
• Improve the detection of "DNS without connection".
• Add support for a light Slips docker image.

v1.1.3

• Enhance Slips shutdown process for smoother operations.
• Optimize resource management in Slips, resolving issues with lingering threads in memory.
• Remove the progress bar; Slips now provides regular statistical updates.
• Improve unit testing—special thanks to @Sekhar-Kumar-Dash.
• Drop support for macOS, P2P, and platform-specific Docker images. A unified Docker image is now available for all platforms.
• Correct the number of evidence reported in statistics.
• Fix incorrect end date reported in metadata/info.txt upon analysis completion.
• Print more information to CLI on Slips startup, including network details, client IP, thresholds used, and more.
• Reduce false positives from Spamhaus by looking up inbound traffic only.
• Speed up horizontal port scan detections.
• Enhance logging of IDMEF errors.
• Resolve issues with the accumulated threat level reported in alerts.json.

v1.1.2

• Add a relation between related evidence in alerts.json
• Better unit tests. Thanks to @Sekhar-Kumar-Dash
• Discontinued MacOS m1 docker images, P2p images, and slips dependencies image.
• Fix the problem of the progress bar stopping before analysis is done, causing Slips to freeze when analyzing large PCAPs.
• Improve how Slips recognizes the current host IP.
• Increase the speed of the Flowalerts module by changing how Slips checks for DNS servers.
• Major code improvements.
• Remove redundant keys from the Redis database.
• Remove unused keys from the Redis database.
• Use IDMEFv2 format in alerts.json instead of IDEA0.
• Wait for modules to finish 1 week by default.

v1.1.1

• Better unit tests. Thanks to @Sekhar-Kumar-Dash.
• Fix Slips installation script at install/install.sh
• Fix the issue of the flowalerts module not analyzing all given conn.log flows.
• Fix the Zeek warning caused by one of the loaded Zeek scripts.
• Improve how Slips validates domains taken from TI feeds.
• Improve whitelists.
• Update Python dependencies.
• Better handling of connections to the Redis database.

v1.1

• Update Python version to 3.10.12 and all the Python libraries used by Slips.
• Update nodejs and Zeek.
• Improve the stopping of Slips. Modules now have more time to process flows.
• Fix database unit tests overwriting redis configuration file.
• New configuration file format, Slips is now using YAML thanks to @patel-lay.
• Better unit tests. thanks to @Sekhar-Kumar-Dash.
• GitHub workflow improvements.
• Fix the RNN module and add a new model.
• Horizontal port scan detection improvements.

v1.0.15

• Add a Parameter to export strato letters to re-train the RNN model.
• Better organization of flowalerts module by splitting it into many specialized files.
• Better unit tests. thanks to @Sekhar-Kumar-Dash
• Disable "Connection without DNS resolution" evidence to DNS servers.
• Fix displaying "Failed" as the protocol name in the web interface when reading Suricata flows.
• Fix problem reversing source and destination addresses in JA3 evidence description.
• Improve CI by using more parallelization.
• Improve non-SSL and non-HTTP detections by making sure that the sum of bytes sent and received is zero.
• Improve RNN evidence description, now it's more clear which IP is the botnet, and which is the C&C server.
• Improve some threat levels of evidence to reduce false positives.
• Improve whitelists. Better matching, more domains added, reduced false positives.
• More minimal Slips notifications, now Slips displays the alert description instead of all evidence in the alert.
• The port of the web interface is now configurable in slips.conf

v1.0.14

• Improve whitelists by better matching of ASNs, domains, and organizations.
• Whitelist Microsoft, Apple, Twitter, Facebook, and Google alerts by default to reduce false positives.
• Better unit tests. Thanks to @Sekhar-Kumar-Dash
• Speed up port scan detections.
• Fix the issue of overwriting Redis configuration file every run.
• Add more info to metadata/info.txt for each run.

v1.0.13

• Whitelist alerts to all organizations by default to reduce false positives.
• Improve and compress Slips Docker images.
• Improve CI and add pre-commit hooks.
• Fix problem reporting victims in alerts.json.
• Better docs for the threat intelligence module.
• Improve whitelists.
• Better detection threshold to reduce false positives.
• Better unit tests.
• Fix problems stopping the daemon.

v1.0.12

• Add an option to specify the current client IP in slips.conf to help avoid false positives.
• Better handling of URLhaus threat intelligence.
• Change how slips determines the local network of the current client IP.
• Fix issues with the progress bar.
• Fix problem logging alerts and errors to alerts.log and erros.log.
• Fix problem reporting evidence to other peers.
• Fix problem starting the web interface.
• Fix whitelists.
• Improve how the evidence for young domain detections is set.
• Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
• Set evidence to all young domain IPs when a connection to a young domain is found.
• Set two evidence in some detections e.g. when the source address connects to a blacklisted IP, evidence is set for both.
• Use blacklist name instead of IP description in all evidence.
• Use the latest Redis and NodeJS version in all docker images.