The redis python function "get_message()" does not work with argument "timeout=None".
It throws following error:
"
Error in run() of unsupported operand type(s) for *: 'NoneType' and 'int'
"
The "get_message(timeout=None)" will wait (proccess is freezed) until new message arrives.

With the reading Argus and Bro flows read also the flows from Suricata.

It should be possible to read as input the lines of Bro conn.log files that are separeted by TAB chars. But for some reason they are not working.

When printing or using the flows, compute the applications bytes transferred compared to the total amount of bytes

Any idea what is minimum number of network streams should be retained in practical deployments ? For example currently I see that Argus output is being used as input for SLIPS.py .

What is minimum duration or number of streams that argus should capture for SLIPS.py to start detecting attacks ? What is the maximum duration the streams should be retained ?

These parameters define whether it could be run inline mode ? or streams should be exported to offline server

1. Platforms: slips has also been tested in Ubuntu 16.04 LTS. Also is it OSX 10.9.5 (not IOS)?
2. Usage: In Debian and Ubuntu the command to install argus is sudo apt-get install argus-server argus-clients. Unfortunately this installs the previous version of argus (2.x). Maybe we should add the required version and put a note that it might be better to install from source.
3. Features: the '-m' switch is mentioned in two places but I think this is '-f'.
4. TODO: if these issues have been solved, maybe we should remove them or replace them with the list of wanted features.

We need a whois module that gets each IP address in the profiles, check to which network it belongs, check the local cache of whois data and if there is no match, ask the whois servers.

The data should be in the Redis database.
The module should run as an independent process in the background.

When this condition happens repeatedly:

• Same src ip connects to the same dst ip, in the same dst port, with not established flows
  Then we count those flows for the port scan detection.
  However, this can also be when a computer loses internet connection and is just retrying.

Since this does not qualifies as a port scan, the port scanner module should not consider these type of flows as part of the port scan count.

Sometimes the first counter of TW modified is 1 too many.

Hi

From the blog, https://stratosphereips.org/stratosphere-ips-generation-of-the-behavioral-models.html
I see that special training methods were employed to determine the feature thresholds(size, duration, periodicity). Any reference to those methods shall be very helpful.

Thanks
Sachin

It seems that when creating the TW, we are using the real time of the machine and not the time of the flows. The TW should use the time of the flows.

Implement an algorithm that can recognize which src IPs in the network are NATing other computers. This can be done by:

• Seeing that there are different operating systems using the same IP
• The amount of traffic compares with 2x, 3x, 4x more traffic that other computers alone.
• The timings of the traffic do not correspond with one human, but with many.

This is of course prone to errors because of the heuristics, but it will work in most cases with NATed networks of more than 5 computers.

This should be a module probably.

Add to slips the capability to load new modules and run them as processes.

The idea is to read a folder and load each python file there as a separate process.

We should provide:

• An API that the modules can use to access the database.
• A template for a new module to be created, so people knows how to create new modules
• An API for the output: new file, add to profile, etc.

Implement in the main code and database.py file a pubsub mechanism (https://redis.io/topics/pubsub)
This will allow part of slips and the modules to ask for specific events to happen in the DB to act. Instead of searching the DB for some data, you can ask the DB to wake you up when the data arrives or changes.

For example, if your module wants to check the country of the src IPS you can ask the DB to call you back for each new src IP received (even maybe each new unique src IP received). This would decrease the work of the modules.

When dealing with features of inbound flows, print the srcip that sent the flow instead of the dst ip that received. For example in the profile of IP 34.253.54.22, it received flows from others computers to it, but the timeline says:

• https asked to 34.253.54.22 443/tcp, Size: 42.56Kb, Country: Unknown, ASN Org: Amazon.com, Inc.

The IP in the timeline should have been the srcip sending it. Not the dstip receiving it.

The letters of the stratosphere behavior idea on the tuples are not correctly created. We need to fix how we are computing the time difference between flows, the size of flows and durations and use this to create the letters.

Now the implementation is half finished, but all the letters are 'a'.

If zeek (bro) is not visilble for slips, it throws error. Test it on the beginning and say to user. Also add instruction to README how to do it.

Implement a whitelist of IPs that should be completely ignored.

This should go in the main slips core files, not a module. And the ignoration of the flow should be as fast as possible in the processing of flows (probably the first thing done in the profiler)

We can have options for SRC IP whitelist, DST IP whitelist, or BOTH.
If it is BOTH:

• Ignore any flow/packet coming from or to this IP

If it is SRC IP:

• If a flow arrives coming from this SRC IP, ignore the flow.
• If a flow arrives coming for this DST IP, consider the flow

If it is DST IP:

• If a flow arrives coming from this SRC IP, consider the flow
• If a flow arrives coming for this DST IP, ignore the flow.

This issue refers to newslips branch

If we are not given a file with -r, or a stdin file, we should stop the execution.

When a port scan is detected, the portscan is printed many times after it finished.

For each Dst ip , have some info on the threat level of the ip.

Two ways to implement:

1- Download files of Feed information from some sources. And check the ip on them. For example https://threatfeeds.io/
2- Ask directly to Threat intel sources like VirusTotal, etc.

The port scan module uses the feature ClientDstPortTCPNotEstablished to detect some type of port scan. However this feature is a sum for all the IPs that were destinations for these ports. Therefore we can not know which flows triggered the port scan.

Check if "zeek_files" folder exists if not create new one.

If "zeek_files" folder does not exist, slips does not create new "zeek_files" folder so it throws error. Is it for purpose?

Our processes do not block on the queues yet, so when there is no data to receive they eat the CPU.
But we need them to processes the input data as fast as possible.

https://travis-ci.com/

Now the port scan module detects amount of packets, but they are not related to the width of the time window. So 10 packets per millisecond are the same as 10 packets per day.

The problem is that data processing can take time and happen much after the input ended. Ideas:

• Each process realize that there is nothing more to do and just stop. (depends too much on the developer of the module)
• The main process realize that a module is getting out of plan and stops it. (central control)
• Ask each module?

This list of features should be implemented:

clientDestinationPortTotalBytesUDPEstablished
clientDestinationPortNumberOfFlowsTCPEstablished
clientDestinationPortNumberOfFlowsUDPNotEstablished
clientDestinationPortTotalPacketsTCPEstablished
clientDestinationPortNumberOfFlowsUDPEstablished
clientDestinationPortTotalPacketsTCPNotEstablished
clientDestinationPortTotalBytesUDPNotEstablished
clientDestinationPortTotalBytesTCPEstablished
clientDestinationPortTotalPacketsUDPNotEstablished
clientDestinationPortNumberOfFlowsTCPNotEstablished
clientDestinationPortTotalBytesTCPNotEstablished
clientDestinationPortTotalPacketsUDPEstablished

Not sure which ones we are already reading from the flow file or are in the DB. Check