Merge remote-tracking branch 'origin/develop' into develop

Author: AlyaGomaa

.github/workflows/install-slips-dependencies.yml

@@ -35,7 +35,9 @@ jobs:
       run: sysctl vm.overcommit_memory=1
 
     - name: Install APT dependencies
-      run: sudo apt-get update --fix-missing && sudo apt-get -y --no-install-recommends install $(cat install/apt_dependencies.txt)
+      run: |
+        sudo apt-get update --fix-missing && sudo apt-get -y --no-install-recommends install $(cat install/apt_dependencies.txt)
+        sudo apt-get -y install font-manager
 
     - name: Save APT Cache
       uses: actions/cache@v4

config/slips.yaml

@@ -239,7 +239,7 @@ threatintelligence:
    # 2 weeks = 604800 seconds
    mac_db_update : 1209600
 
-   mac_db : https://maclookup.app/downloads/json-database/get-db?t=22-08-19&h=d1d39c52de447a7e7194331f379e1e99f94f35f1
+   mac_db : https://maclookup.app/downloads/json-database/get-db?t=24-11-28&h=26271dbc3529f006a4be021ec4cf99fab16e39cd
 
    # the file that contains all our TI feeds URLs and their threat level
    ti_files : config/TI_feeds.csv

modules/flowalerts/set_evidence.py

@@ -1351,8 +1351,6 @@ def malicious_ssl(self, twid, flow, ssl_info_from_db: str) -> None:
             timewindow=TimeWindow(number=int(twid.replace("timewindow", ""))),
             uid=[flow.uid],
             timestamp=flow.starttime,
-            src_port=flow.sport,
-            dst_port=flow.dport,
         )
 
         self.db.set_evidence(evidence)
@@ -1373,8 +1371,6 @@ def malicious_ssl(self, twid, flow, ssl_info_from_db: str) -> None:
             timewindow=TimeWindow(number=int(twid.replace("timewindow", ""))),
             uid=[flow.uid],
             timestamp=flow.starttime,
-            src_port=flow.sport,
-            dst_port=flow.dport,
         )
 
         self.db.set_evidence(evidence)

modules/flowalerts/ssl.py

@@ -82,7 +82,7 @@ def detect_malicious_ja3(self, twid, flow):
             self.set_evidence.malicious_ja3(twid, flow, malicious_ja3_dict)
 
         if flow.ja3s in malicious_ja3_dict:
-            self.set_evidence.malicious_ja3s(twid, flow)
+            self.set_evidence.malicious_ja3s(twid, flow, malicious_ja3_dict)
 
     def detect_incompatible_cn(self, profileid, twid, flow):
         """

modules/http_analyzer/http_analyzer.py

@@ -196,7 +196,9 @@ def check_multiple_empty_connections(self, twid: str, flow):
         self.connections_counter[host] = ([], 0)
         return True
 
-    def set_evidence_incompatible_user_agent(self, twid, flow, user_agent):
+    def set_evidence_incompatible_user_agent(
+        self, twid, flow, user_agent, vendor
+    ):
 
         os_type: str = user_agent.get("os_type", "").lower()
         os_name: str = user_agent.get("os_name", "").lower()
@@ -207,7 +209,7 @@ def set_evidence_incompatible_user_agent(self, twid, flow, user_agent):
             f"that belongs to OS: {os_name} "
             f"type: {os_type} browser: {browser}. "
             f"while connecting to {flow.host}{flow.uri}. "
-            f"IP has MAC vendor: {flow.vendor.capitalize()}"
+            f"IP has MAC vendor: {vendor.capitalize()}"
         )
 
         evidence: Evidence = Evidence(
@@ -298,7 +300,9 @@ def check_incompatible_user_agent(self, profileid, twid, flow):
         browser = user_agent.get("browser", "").lower()
         # user_agent = user_agent.get('user_agent', '')
         if "safari" in browser and "apple" not in vendor:
-            self.set_evidence_incompatible_user_agent(twid, flow, user_agent)
+            self.set_evidence_incompatible_user_agent(
+                twid, flow, user_agent, vendor
+            )
             return True
 
         # make sure all of them are lowercase
@@ -340,7 +344,7 @@ def check_incompatible_user_agent(self, profileid, twid, flow):
                     # [('microsoft', 'windows', 'NT'), ('android'), ('linux')]
                     # is found in the UA that belongs to an apple device
                     self.set_evidence_incompatible_user_agent(
-                        twid, flow, user_agent
+                        twid, flow, user_agent, vendor
                     )
                     return True
 

modules/ip_info/asn_info.py

@@ -11,6 +11,9 @@
 class ASN:
     def __init__(self, db=None):
         self.db = db
+        # update asn every 1 month
+        self.update_period = 2592000
+
         # Open the maxminddb ASN offline db
         try:
             self.asn_db = maxminddb.open_database(
@@ -51,7 +54,7 @@ def get_cached_asn(self, ip):
                     asn_info["asn"].update({"number": range_info["number"]})
                 return asn_info
 
-    def update_asn(self, cached_data, update_period) -> bool:
+    def should_update_asn(self, cached_data) -> bool:
         """
         Returns True if
         - no asn data is found in the db OR ip has no cached info
@@ -61,10 +64,10 @@ def update_asn(self, cached_data, update_period) -> bool:
         try:
             return (
                 time.time() - cached_data["asn"]["timestamp"]
-            ) > update_period
+            ) > self.update_period
         except (KeyError, TypeError):
-            # no there's no cached asn info,or no timestamp, or cached_data is None
-            # we should update
+            # no there's no cached asn info,or no timestamp, or
+            # cached_data is None. we should update
             return True
 
     def get_asn_info_from_geolite(self, ip) -> dict: