Merge pull request #1679 from stratosphereips/develop

Slips v1.1.15

Author: AlyaGomaa

.github/workflows/integration-tests.yml

@@ -89,7 +89,7 @@ jobs:
 
     - name: Upload Artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: ${{ matrix.test_file }}-integration-tests-output
         path: |

.github/workflows/unit-tests.yml

@@ -143,7 +143,7 @@ jobs:
 
     - name: Upload Artifacts
       if: always()
-      uses: actions/upload-artifact@v4
+      uses: actions/upload-artifact@v5
       with:
         name: test_slips_locally-integration-tests-output
         path: |

.pre-commit-config.yaml

@@ -41,7 +41,7 @@ repos:
       rev: v1.35.1
       hooks:
         - id: yamllint
-          args: ["-d", "{rules: {line-length: {max: 100}}}"]
+          args: ["-d", "{rules: {line-length: {max: 160}}}"]
           files: "slips.yaml"
 
 - repo: local

CHANGELOG.md

@@ -1,3 +1,8 @@
+1.1.15 (Oct 31st, 2025)
+- Fix FP connection to port 0 for IGMP flows.
+- Support monitoring two interfaces when Slips is running as an access point.
+- Improve running slips on a growing zeek directory (using -g): Slips can now detect the interface, host IP and gateway IP.
+
 1.1.14 (Oct 14th, 2025)
 - Security Patch for CVE-2025-49844: Force use of Redis version 8.2.2
 

README.md

@@ -1,5 +1,5 @@
 <h1 align="center">
-Slips v1.1.14
+Slips v1.1.15
 </h1>
 
 

VERSION

@@ -1 +1 @@
-1.1.14
+1.1.15

conftest.py

@@ -71,23 +71,24 @@ def profiler_queue():
 def flow():
     """returns a dummy flow for testing"""
     return Conn(
-        "1601998398.945854",
-        "1234",
-        "192.168.1.1",
-        "8.8.8.8",
-        5,
-        "TCP",
-        "dhcp",
-        80,
-        88,
-        20,
-        20,
-        20,
-        20,
-        "",
-        "",
-        "Established",
-        "",
+        starttime="1601998398.945854",
+        uid="1234",
+        saddr="192.168.1.1",
+        daddr="8.8.8.8",
+        dur=5,
+        proto="TCP",
+        appproto="dhcp",
+        sport=80,
+        dport=88,
+        spkts=20,
+        dpkts=20,
+        sbytes=20,
+        dbytes=20,
+        state="Established",
+        history="",
+        smac="",
+        dmac="",
+        interface="eth0",
     )
 
 

docs/architecture.md

@@ -89,7 +89,13 @@ This is what slips stores for each IP/Profile it creates:
 
 When running Slips, the alerts you see in red in the CLI or at the very bottom in kalispo, are a bunch of evidence. Evidence in slips are detections caused by a specific IP in a specific timeframe. Slips doesn't alert on every evidence/detection. it accumulates evidence and only generates and alert when the amount of gathered evidence crosses a threshold. After this threshold Slips generates an alert, marks the timewindow as malicious(displays it in red in kalipso and the web interface) and blocks the IP causing the alert if iptables is enabled.
 
-Each alert has a threat level and confidence; the Threat level of each alert is Critical by default, and the confidence is the accumulated threat level of all the evidence of the alert normalized to a value ranging from 0 to 1. The more evidence the higher the confidence of the alert.
+Each alert has a threat level and confidence; the Threat level of each alert is Critical by default,
+and the confidence is the accumulated threat level of all the evidence of the alert normalized to a value
+ranging from 0 to 1. The more evidence the higher the confidence of the alert.
+
+NOTE: When slips is runnign with -ap, evidence are tied to one interface,
+meaning each evidence belongs to a flow that belongs to one interface.
+Meanwhile an alert contains evidence from different interfaces.
 
 ### Usage of Zeek.