v1.0.1

• fix FP horizontal portscans caused by zeek flipping connections
• Fix Duplicate evidence in multiple alerts
• Fix FP urlhaus detetcions, now we use it to check urls only, not domains.
• Fix md5 urlhaus lookups
• add support for sha256 hashes in files.log generated by zeek
• Add detection of weird HTTP methods
• Fix race condition trying to update TI files when running multiple slips instances
• Fix having multiple port scan alerts with the same timestamp
• Add detection for non-SSL connections on port 443
• Add detection for non-HTTP connections on port 80
• P2P can now work without adding the p2p4slips binary to PATH
• Add detection for connections to private IPs from private IPs
• Add detection of high entropy DNS TXT answers
• Add detection of connections to/from IPs outside the used local network.
• Add detection for DHCP scans
• Add detection for devices changing IPs.
• Support having IP ranges in your own local TI file own_malicious_iocs.csv
• Remove rstcloud TI file from slips.conf
• Add the option to change pastebin download detection threshold in slips.conf
• Add the option to change shannon entropy threshold detection threshold in slips.conf
• Store zeek files in the output directory by default
• Portscan detector is now called network service discovery
• Move all TI feeds to their separate files in the config/ directory for easier use
• Add the option to start slips web interface automatically using -w
• Fix multiple SSH client versions detection
• Add detection of IPs using multiple SSH server versions
• Wait 30 mins before the first connection without DNS evidence
• Optimize code and performance
• Update Kalispo dependencies to use more secure versions
• Change the rstcloud feed to https://raw.githubusercontent.com/rstcloud/rstthreats/master/feeds/full/random100_ioc_ip_latest.json

v1.0.0

• Add -g option for running slips on growing zeek dirs. (for example dirs generated by zeek running on an interface)
• Add a new log file p2p_reports.log, for logging peer reports only
• Add Detection of SSH password guessing by slips in addition to zeek
• Add Dockerfiles for MacOS M1
• Add support for hosts outside of the network in zeek generated software.log
• Alerts now contain attacks done by the profile only (excluding those done to the profile)
• Blacklist IP used by blackmatter for exfiltration in config/own_malicious_iocs
• Change colors and CLI evidence format
• Create profiles for all IPs by default (source and destination IPs)
• Create profiles for all ips reported by peers
• Detect empty connections to duckduckgo used by blackmatter for checking internet connection
• Don't detect 'connection without dns' when running on an interface except for when it's done by your own IP
• Don't force kill all modules when using -P
• Don't stop slips when p2p is enabled but slips is given a file, not an interface.
• Fix P2P and ubutnu-image Dockerfiles
• Fix pastebin downloads detection to include HTTPs too
• Ignore NXDOMAINs dns resolution when checking for 'dns without resolutions'
• Keep track of old peer reports about the same ip
• Make sure the domains that are part of DGA alerts are not whitelisted
• Set evidence for each p2p report in the attackers profile
• Take p2p reports into consideration when deciding to block an IP

v0.9.6

• Add an option to store the zeek log files inside the output dir
• Add support for suricata ssh flows
• Better detection of suspicious user agents
• Detect DNS answers that have a blacklisted IP or CNAME
• Detect ICMP scans in netflow files
• Don't alert ARP scans from the gateway
• Keep track of profiles' past threat levels
• Kill all modules after 15 mins to trying to stop them
• Kill slips on when redis ConnectionError occurs
• Make rotating zeek files configurable. how many days you want to keep the rotated files and how often to rotate
• Remove support for VT hash lookups to save quota
• Support looking up hashes and domains in URLhaus
• Support looking up hashes in Circl.lu
• Support looking up IPs in Spamhaus
• Support running slips on a growing zeek dir. for example a zeek dir of an interface.
• whitelist top tranco top 10k domains for fewer false positive alerts
• Fix false positive connection without DNS
• Fix importing and exporting to warden servers
• Fix P2P
• Fix problem detecting SSH logins by zeek
• Fix reading zeek tab files
• Fix saving the redis database
• Fix vertical portscan detections by zeek
• Fix zeek rotating files on ctrl+c

v0.9.5

• Fix the way we update TI files
• Add a new web interface
• Detect Incompatible certificate CN
• Detect downloads from pastebin with size > 0.012 MBs
• Detect DOS executable downloads from http websites
• Update the mac database automatically
• Support using multiple home network parameters in slips.conf
• Add redis.conf for special redis configurations when running slips
• Improve portscan or ARP scan alerts
• Improve ARPA scan alerts to alert on unique domains
• Add new methods to detect data upload
• Add the option to close all redis servers when slips can't start because all port are unavailable
• Remove support for whitelisting an unsupported org by slips
• Better description of alerts exported to Slack
• Faster Whitelists
• Whitelist connections made by slips causing false positives
• Change the unknown ports detections to detect only established connections
• Change -killall argument behaviour. now supports closing a specific redis port or all of them at once
• Fix exporting module
• Fix false positive resolution without connection alerts
• Fix disabling alerts
• Fix saving and loading the database
• Fix running several slips instances
• Fix stopping the daemon with -S
• Fix how packets are calculated in portscan detections
• Fix 'multiple reconnections attempts' detection to detect 5 or more rejected reconnection attempts to the same IP on the same destination port

v0.9.3

Slips v0.9.3

• Run multiple slips instances on demand using (-m), and use redis port 6379 by default.
• Fix false positive 'DNS resolution without connection' alerts
• Faster Slips and reduced memory and CPU consumption
• Better 'unknown ports' detections
• Faster reading of local TI files
• Fix docker not working in macOS
• Fix problem generating the data upload alerts
• Improve contributing guidelines
• Update microsoft whitelisted IP ranges
• Fix problem stopping input process when slips stops
• Update the locations of GeoIP database in zeek for better zeek detections
• Fix P2P output dir, now it's the same as alerts.log and slips.log
• Update our usage of macvendors.com API
• Whitelist the connections made by slips, so now you won't be alerted when Slips is using virustotal.com or macvendors.com

v0.9.2

Slips v0.9.2

• Add a MacOS dockerfile to be able run Docker in MacOS
• Fix saving the database in MacOS and Linux
• Fix problem updating TI files
• Fix problem starting and stopping the Daemon
• Fix false positive ARP MITM attacks
• Fix problem stopping slips when using whitelists
• Fix problem opening unused redis ports

v0.9.1

Slips v0.9.1:

• Drop root privileges in modules that don't need them
• Added support for running slips in the background as a daemon
• Fix the issue of growing zeek logs by deleting old zeek logs every 1 day. (optional but enabled by default)
• Added support for running several instances of slips at the same time.
• Saving and loading the db in macos
• Fix reading flows from stdin, now it supports zeek, argus and suricata
• Faster Startup of slips, now slips updates the TI files in the background
• Added slips.log where all Slips logs goes. in daemon and interactive mode
• Automatic starting of redis servers (cache and main databases).
• Added a new TI file https://hole.cert.pl/domains/domains.json
• Update the docs and added instructions for contributing and creating a new module