stratosphereips
diff --git a/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 1 deletion b/‎.pre-commit-config.yaml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 1 addition & 1 deletion b/‎README.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/create_new_module.md‎
Lines changed: 141 additions & 139 deletions b/‎docs/create_new_module.md‎
Lines changed: 141 additions & 139 deletions
diff --git a/‎docs/images/immune/a5/scenario_demonstrating_self_defense.jpg‎
107 KB b/‎docs/images/immune/a5/scenario_demonstrating_self_defense.jpg‎
107 KB
diff --git a/‎docs/images/slips.gif‎
-1.9 MB b/‎docs/images/slips.gif‎
-1.9 MB
diff --git a/‎docs/immune/Immune.md‎
Lines changed: 2 additions & 0 deletions b/‎docs/immune/Immune.md‎
Lines changed: 2 additions & 0 deletions
@@ -35,7 +35,7 @@ repos:
           args: ['--line-length' , '79']
           language_version: python3.12.3
           # excludes formatting slips_files/common/imports.py
-          exclude: (imports|conftest.py)
+          exclude: (imports|conftest.py|tests/*.py)
 
 -     repo: https://github.com/adrienverge/yamllint.git
       rev: v1.35.1
 
@@ -1,3 +1,9 @@
+1.1.12 (July 31st, 2025)
+- Better filtering of attacks in the ARP poisoner filter and excluded poisoning the gateway.
+- Cache ARP scan results to avoid flooding the network with ARP packets.
+- Increase the delay between ARP poisoning attempts to avoid flooding the network.
+- Local P2P trust model improvements.
+
 1.1.11 (July 3rd, 2025)
 - Fix local P2P trust model.
 - Fix SQLite cursor errors.
 
@@ -1,5 +1,5 @@
 <h1 align="center">
-Slips v1.1.11
+Slips v1.1.12
 </h1>
 
 
 
@@ -1 +1 @@
-1.1.11
+1.1.12
@@ -144,11 +144,13 @@ def init(self):
 ```
 
 ```python
-  def pre_main(self):
-        """
-        Initializations that run only once before the main() function runs in a loop
-        """
-        utils.drop_root_privs()
+  def pre_main(
+	self
+	):
+	"""
+    Initializations that run only once before the main() function runs in a loop
+    """
+	utils.drop_root_privs_permanently()
 
 ```
 
@@ -367,147 +369,147 @@ from slips_files.common.flow_classifier import FlowClassifier
 from slips_files.core.structures.evidence import
 
 (
-    Evidence,
-    ProfileID,
-    TimeWindow,
-    Victim,
-    Attacker,
-    ThreatLevel,
-    EvidenceType,
-    IoCType,
-    Direction,
-    )
+	Evidence,
+	ProfileID,
+	TimeWindow,
+	Victim,
+	Attacker,
+	ThreatLevel,
+	EvidenceType,
+	IoCType,
+	Direction,
+	)
 from slips_files.common.parsers.config_parser import ConfigParser
 from slips_files.common.slips_utils import utils
 from slips_files.common.abstracts.imodule import IModule
 
 
 class LocalConnectionDetector(
-    IModule
-    ):
-    # Name: short name of the module. Do not use spaces
-    name = 'local_connection_detector'
-    description = 'detects connections to other devices in your local network'
-    authors = ['Template Author']
-
-
-    def init(
-        self
-        ):
-        # To which channels do you want to subscribe? When a message
-        # arrives on the channel the module will receive a msg
-
-        # You can find the full list of channels at
-        # slips_files/core/database/redis_db/database.py
-        self.c1 = self.db.subscribe(
-            'new_flow'
-            )
-        self.channels = {
-            'new_flow': self.c1,
-            }
-        # to be able to convert flows from dict format to objects
-        self.classifier = FlowClassifier()
-
-
-    def pre_main(
-        self
-        ):
-        """
+	IModule
+	):
+	# Name: short name of the module. Do not use spaces
+	name = 'local_connection_detector'
+	description = 'detects connections to other devices in your local network'
+	authors = ['Template Author']
+
+
+	def init(
+		self
+		):
+		# To which channels do you want to subscribe? When a message
+		# arrives on the channel the module will receive a msg
+
+		# You can find the full list of channels at
+		# slips_files/core/database/redis_db/database.py
+		self.c1 = self.db.subscribe(
+			'new_flow'
+			)
+		self.channels = {
+			'new_flow': self.c1,
+			}
+		# to be able to convert flows from dict format to objects
+		self.classifier = FlowClassifier()
+
+
+	def pre_main(
+		self
+		):
+		"""
         Initializations that run only once before the main() function runs in a loop
         """
-        utils.drop_root_privs()
-
-
-    def main(
-        self
-        ):
-        """Main loop function"""
-        if msg := self.get_msg(
-                'new_flow'
-                ):
-            msg = json.loads(
-                msg['data']
-                )
-            # convert the given dict flow to a flow object
-            flow = self.classifier.convert_to_flow_obj(
-                msg["flow"]
-                )
-            saddr = flow.saddr
-            daddr = flow.daddr
-            timestamp = flow.starttime
-            srcip_obj = ipaddress.ip_address(
-                saddr
-                )
-            dstip_obj = ipaddress.ip_address(
-                daddr
-                )
-            if srcip_obj.is_private and dstip_obj.is_private:
-                # on a scale of 0 to 1, how confident you are of this evidence
-                confidence = 0.8
-                # how dangerous is this evidence? info, low, medium, high, critical?
-                threat_level = ThreatLevel.HIGH
-
-                # the name of your evidence, you can put any descriptive string here
-                # this is the type we just created
-                evidence_type = EvidenceType.CONNECTION_TO_LOCAL_DEVICE
-                # which ip is the attacker here?
-                attacker = Attacker(
-                    direction=Direction.SRC,
-                    # who's the attacker the src or the dst?
-                    attacker_type=IoCType.IP,
-                    # is it an IP? is it a domain? etc.
-                    value=saddr
-                    # the actual ip/domain/url of the attacker, in our case, this is the IP
-                    )
-                victim = Victim(
-                    direction=Direction.SRC,
-                    ioc_type=IoCType.IP,
-                    value=daddr,
-                    )
-                # describe the evidence
-                description = f'A connection to a local device {daddr}'
-                # the current profile is the source ip,
-                # this comes in the msg received in the channel
-                # the profile this evidence should be in, should be the profile of the attacker
-                # because this is evidence that this profile is attacker others right?
-                profile = ProfileID(
-                    ip=saddr
-                    )
-                # Profiles are split into timewindows, each timewindow is 1h,
-                # this if of the timewindwo comes in the msg received in the channel
-                twid_number = int(
-                    msg['twid'].replace(
-                        "timewindow",
-                        ''
-                        )
-                    )
-                timewindow = TimeWindow(
-                    number=twid_number
-                    )
-                # list of uids of the flows that are part of this evidence
-                uid_list = [flow.uid]
-                # no use the above info to create the evidence obj
-                evidence = Evidence(
-                    evidence_type=evidence_type,
-                    attacker=attacker,
-                    threat_level=threat_level,
-                    description=description,
-                    victim=victim,
-                    profile=profile,
-                    timewindow=timewindow,
-                    uid=uid_list,
-                    # when did this evidence happen? use the
-                    # flow's ts detected by zeek
-                    # this comes in the msg received in the channel
-                    timestamp=timestamp,
-                    confidence=confidence
-                    )
-                self.db.set_evidence(
-                    evidence
-                    )
-                self.print(
-                    "Done setting evidence!!!"
-                    )
+		utils.drop_root_privs_permanently()
+
+
+	def main(
+		self
+		):
+		"""Main loop function"""
+		if msg := self.get_msg(
+				'new_flow'
+				):
+			msg = json.loads(
+				msg['data']
+				)
+			# convert the given dict flow to a flow object
+			flow = self.classifier.convert_to_flow_obj(
+				msg["flow"]
+				)
+			saddr = flow.saddr
+			daddr = flow.daddr
+			timestamp = flow.starttime
+			srcip_obj = ipaddress.ip_address(
+				saddr
+				)
+			dstip_obj = ipaddress.ip_address(
+				daddr
+				)
+			if srcip_obj.is_private and dstip_obj.is_private:
+				# on a scale of 0 to 1, how confident you are of this evidence
+				confidence = 0.8
+				# how dangerous is this evidence? info, low, medium, high, critical?
+				threat_level = ThreatLevel.HIGH
+
+				# the name of your evidence, you can put any descriptive string here
+				# this is the type we just created
+				evidence_type = EvidenceType.CONNECTION_TO_LOCAL_DEVICE
+				# which ip is the attacker here?
+				attacker = Attacker(
+					direction=Direction.SRC,
+					# who's the attacker the src or the dst?
+					attacker_type=IoCType.IP,
+					# is it an IP? is it a domain? etc.
+					value=saddr
+					# the actual ip/domain/url of the attacker, in our case, this is the IP
+					)
+				victim = Victim(
+					direction=Direction.SRC,
+					ioc_type=IoCType.IP,
+					value=daddr,
+					)
+				# describe the evidence
+				description = f'A connection to a local device {daddr}'
+				# the current profile is the source ip,
+				# this comes in the msg received in the channel
+				# the profile this evidence should be in, should be the profile of the attacker
+				# because this is evidence that this profile is attacker others right?
+				profile = ProfileID(
+					ip=saddr
+					)
+				# Profiles are split into timewindows, each timewindow is 1h,
+				# this if of the timewindwo comes in the msg received in the channel
+				twid_number = int(
+					msg['twid'].replace(
+						"timewindow",
+						''
+						)
+					)
+				timewindow = TimeWindow(
+					number=twid_number
+					)
+				# list of uids of the flows that are part of this evidence
+				uid_list = [flow.uid]
+				# no use the above info to create the evidence obj
+				evidence = Evidence(
+					evidence_type=evidence_type,
+					attacker=attacker,
+					threat_level=threat_level,
+					description=description,
+					victim=victim,
+					profile=profile,
+					timewindow=timewindow,
+					uid=uid_list,
+					# when did this evidence happen? use the
+					# flow's ts detected by zeek
+					# this comes in the msg received in the channel
+					timestamp=timestamp,
+					confidence=confidence
+					)
+				self.db.set_evidence(
+					evidence
+					)
+				self.print(
+					"Done setting evidence!!!"
+					)
 ```
 
 All good, you can find your evidence now in alerts.json and alerts.log of the output directory.
@@ -531,7 +533,7 @@ Now here's the ```pre_main()``` function, all initializations like dropping root
 should be done here
 
 ```python
-utils.drop_root_privs()
+utils.drop_root_privs_permanently()
  ```
 the above line is responsible for dropping root privileges,
 so if slips starts with sudo and the module doesn't need the root permissions, we drop them.
 
@@ -6,4 +6,6 @@
 - [Installing Slips On the RPI](https://stratospherelinuxips.readthedocs.io/en/develop/immune/installing_slips_in_the_rpi.html)
 - [LLM Research and Selection](https://stratospherelinuxips.readthedocs.io/en/develop/immune/research_and_selection_of_llm_candidates.html)
 - [LLM RPI Performance](https://stratospherelinuxips.readthedocs.io/en/develop/immune/research_rpi_llm_performance.html)
+- [LLM RPI Finetuning Frameworks](https://stratospherelinuxips.readthedocs.io/en/develop/immune/finetuning_frameworks_rpi_5.html)
 - [ARP Poisoning](https://stratospherelinuxips.readthedocs.io/en/develop/immune/arp_poisoning.html)
+- [ARP Poisoning Risks](https://stratospherelinuxips.readthedocs.io/en/develop/immune/arp_poisoning_risks.html)