docs/flowalerts.md
Lines changed: 24 additions & 6 deletions
@@ -62,14 +62,20 @@ This detection will ignore certain IP addresses for which a connection without D
62
62
63
63
DNS resolutions of well known orgs might be done using DoH, in this case, slips
64
64
doesn't know about the DNS resolution because the resolved domain won't be in dns.log
65
-
so we simply ignore alerts of this type when connected to well known organizations. In particular Facebook, Apple, Google, Twitter, and Microsoft.
65
+
so we simply ignore alerts of this type when connected to well known organizations.
66
+
In particular Facebook, Apple, Google, Twitter, and Microsoft.
66
67
67
-
Slips uses it's own lists of organizations and information about them (IPs, IP ranges, domains, and ASNs). They are stored in ```slips_files/organizations_info``` and they are used to check whether the IP/domain of each flow belong to a known org or not.
68
+
Slips uses it's own lists of organizations and information about them (IPs, IP ranges, domains, and ASNs).
69
+
They are stored in ```slips_files/organizations_info``` and they are used to check whether the IP/domain
70
+
of each flow belong to a known org or not.
71
+
72
+
Slips also doesn't detect connection without DNS to any domain in the tranco whitelist.
68
73
69
74
Slips doesn't detect 'connection without DNS' when running
70
-
on an interface except for when it's done by this instance's own IP and only after 30 minutes has passed to avoid false positives (assuming the DNS resolution of these connections did happen before slips started).
75
+
on an interface except for when it's done by this instance's own IP and only after 30 minutes has passed
76
+
to avoid false positives (assuming the DNS resolution of these connections did happen before slips started).
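Review bot: the rewrapped line "Slips uses it's own lists of organizations and information about them (IPs, IP ranges, domains, and ASNs)." keeps two grammar slips that should be fixed while the sentence is being touched: "it's" should be "its", and in the continuation "the IP/domain of each flow belong to a known org" should read "belongs". The new sentence "Slips also doesn't detect connection without DNS to any domain in the tranco whitelist." introduces a second exemption without saying where that whitelist is stored or how it is kept current; since every exempted organization and domain is a blind spot for this detection, the doc should point to the whitelist's location the same way the previous paragraph points to `slips_files/organizations_info`, so an operator can audit what is being ignored. Minor: "only after 30 minutes has passed" should be "have passed".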
2. If all bytes sent in a SSH connection is more than 4290 bytes
82
88
83
89
## DNS resolutions without a connection
84
-
This will detect DNS resolutions for which no further connection was done. A resolution without a usage is slightly suspicious.
90
+
This will detect DNS resolutions for which no further connection was done.
91
+
A resolution without a usage is slightly suspicious.
85
92
86
93
The domains that are excepted are:
87
94
@@ -93,8 +100,19 @@ The domains that are excepted are:
93
100
- Ignore domains without a TLD such as the Chrome test domains.
94
101
95
102
Slips doesn't detect 'DNS resolutions without a connection' when running
96
-
on an interface except for when it's done by this instance's own IP and only after 5 minutes has passed to avoid false positives (assuming the connection did happen and yet to be logged).
103
+
on an interface except for when it's done by this instance's own IP and only after 30 minutes has passed to
104
+
avoid false positives (assuming the connection did happen and yet to be logged).
105
+
106
+
107
+
When running on interface and files. For each DNS flow found, slips waits 30 mins zeek time
108
+
for the connection to be found before setting an evidence.
109
+
110
+
This is done by comparing each ts of every new dns flow to the pending detection, once 30 mins difference between the 2
111
+
flows is detected, slips sets the evidence.
97
112
113
+
To avoid accumulating so many pending DNS flows for 30 mins, slips checks if the connection of the pending DNS flows
114
+
arrived every 10 and 20 mins too, if not found, slips waits extra 10 mins (so that would be 30 mins total) and sets the
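Review bot: the edited sentence and the new paragraphs below it now disagree on scope: the sentence still limits the 30-minute wait to "when running on an interface", while "When running on interface and files. For each DNS flow found, slips waits 30 mins zeek time" says it applies to both; one of the two should be corrected, and that opening fragment should be joined to its sentence ("When running on an interface or on files, for each DNS flow found Slips waits 30 minutes of Zeek time ..."). More importantly, the mechanism as described ("comparing each ts of every new dns flow to the pending detection, once 30 mins difference between the 2 flows is detected, slips sets the evidence") only advances the timer when a later DNS flow arrives, so a pending detection with no subsequent DNS traffic (end of a pcap, a host that goes quiet) would never produce evidence; the doc should say whether that is intended or how such pending flows are flushed, since it directly affects what this detection can miss. Minor: "30 minutes has passed" should be "have passed", and "yet to be logged" should be "is yet to be logged".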