Implement IDS-in-the-middle traffic routing over both Ethernet and WiFi connections; Support monitoring 2 interfaces.

.pre-commit-config.yaml

@@ -41,7 +41,7 @@ repos:
       rev: v1.35.1
       hooks:
         - id: yamllint
-          args: ["-d", "{rules: {line-length: {max: 100}}}"]
+          args: ["-d", "{rules: {line-length: {max: 160}}}"]
           files: "slips.yaml"
 
 - repo: local

conftest.py

@@ -71,23 +71,24 @@ def profiler_queue():
 def flow():
     """returns a dummy flow for testing"""
     return Conn(
-        "1601998398.945854",
-        "1234",
-        "192.168.1.1",
-        "8.8.8.8",
-        5,
-        "TCP",
-        "dhcp",
-        80,
-        88,
-        20,
-        20,
-        20,
-        20,
-        "",
-        "",
-        "Established",
-        "",
+        starttime="1601998398.945854",
+        uid="1234",
+        saddr="192.168.1.1",
+        daddr="8.8.8.8",
+        dur=5,
+        proto="TCP",
+        appproto="dhcp",
+        sport=80,
+        dport=88,
+        spkts=20,
+        dpkts=20,
+        sbytes=20,
+        dbytes=20,
+        state="Established",
+        history="",
+        smac="",
+        dmac="",
+        interface="eth0",
     )
 
 

docs/immune/installing_slips_in_the_rpi.md

@@ -33,11 +33,12 @@ Meaning it wil kick out the malicious device from the AP.
 
 
 1. Connect your RPI to your router using an ethernet cable
-2. Run your RPI as an access point using [create_ap](https://github.com/oblique/create_ap)
+2. Install [linux-wifi-hotspot](https://github.com/lakinduakash/linux-wifi-hotspot/blob/master/src/scripts/README.md)
+3. Start the access point (in NAT mode)
 
-`sudo create_ap wlan0 eth0 rpi_wifi mysecurepassword -c 40`
+  `sudo create_ap wlan0 eth0 rpi_wifi mysecurepassword -c 40`
 
-where `wlan0` is the wifi interface of your RPI, `eth0` is the ethernet interface and `-c 40` is the channel of the access point.
+where `wlan0` is the wifi interface of your RPI, `eth0`  is the ethernet interface and `-c 40` is the channel of the access point.
 
 We chose channel 40 because it is a 5GHz channel, which is faster and less crowded than the 2.4GHz channels.
 
@@ -49,13 +50,13 @@ If all goes well you should see `wlan0: AP-ENABLED` in the output of the command
 
 Check the [Debugging common AP errors](#debugging-common-ap-errors) section if you have any issues.
 
-3. Run Slips in the RPI using the command below to listen to the traffic from the access point.
+4. Run Slips in the RPI using the command below to listen to the traffic from the access point.
 
 ```bash
 ./slips.py -i wlan0
 ```
 
-4. (Optional) If you want to block malicious devices, run Slips with the `-p` parameter. Using this parameter will
+5. (Optional) If you want to block malicious devices, run Slips with the `-p` parameter. Using this parameter will
 block all traffic to and from the malicious device when slips sets an alert.
 
 ```bash

docs/installation.md

@@ -343,9 +343,10 @@ Meaning it wil kick out the malicious device from the AP.
 
 
 1. Connect your RPI to your router using an ethernet cable
-2. Run your RPI as an access point using [create_ap](https://github.com/oblique/create_ap)
+2. Install [linux-wifi-hotspot](https://github.com/lakinduakash/linux-wifi-hotspot/blob/master/src/scripts/README.md)
+3. Start the access point (in NAT mode)
 
-`sudo create_ap wlan0 eth0 rpi_wifi mysecurepassword -c 40`
+  `sudo create_ap wlan0 eth0 rpi_wifi mysecurepassword -c 40`
 
 where `wlan0` is the wifi interface of your RPI, `eth0` is the ethernet interface and `-c 40` is the channel of the access point.
 
@@ -360,13 +361,13 @@ Check the [Debugging common AP errors](https://stratospherelinuxips.readthedocs.
 
 
 
-3. Run Slips in the RPI using the command below to listen to the traffic from the access point.
+4. Run Slips in the RPI using the command below to listen to the traffic from the access point.
 
 ```bash
 ./slips.py -i wlan0
 ```
 
-4. (Optional) If you want to block malicious devices, run Slips with the `-p` parameter. Using this parameter will
+5. (Optional) If you want to block malicious devices, run Slips with the `-p` parameter. Using this parameter will
 block all traffic to and from the malicious device when slips sets an alert.
 
 ```bash

install/apt_dependencies.txt

@@ -28,3 +28,4 @@ ca-certificates
 redis
 wget
 npm
+iw

managers/ap_manager.py

@@ -0,0 +1,39 @@
+import subprocess
+
+
+class APManager:
+    """
+    Gets AP info when slips is running as an AP in the RPI
+    https://stratospherelinuxips.readthedocs.io/en/develop/immune/installing_slips_in_the_rpi.html#protect-your-local-network-with-slips-on-the-rpi
+    """
+
+    def __init__(self, main):
+        self.main = main
+
+    def store_ap_interfaces(self, input_information):
+        """
+        stores the interfaces given with -ap to slips in the db
+        """
+        self.wifi_interface, self.eth_interface = input_information.split(",")
+        interfaces = {
+            "wifi_interface": self.wifi_interface,
+            "ethernet_interface": self.eth_interface,
+        }
+        self.main.db.set_ap_info(interfaces)
+
+    def is_ap_running(self):
+        """returns true if a running AP is detected"""
+        command = ["iw", "dev"]
+        try:
+            result = subprocess.run(
+                command, capture_output=True, text=True, check=True
+            )
+            lines = result.stdout.splitlines()
+            for line in lines:
+                if "type AP" in line:
+                    return True
+            return False
+        except subprocess.CalledProcessError:
+            return False
+        except FileNotFoundError:
+            return False

managers/host_ip_manager.py

@@ -4,35 +4,63 @@
 import netifaces
 from typing import (
     Set,
-    Optional,
     List,
+    Dict,
 )
 
+from slips_files.common.slips_utils import utils
 from slips_files.common.style import green
 
 
 class HostIPManager:
     def __init__(self, main):
         self.main = main
+        self.info_printed = False
 
-    def get_host_ip(self) -> Optional[str]:
+    def _get_default_host_ip(self, interface) -> str | None:
+        """
+        Return the host IP of the default interface (IPv4).
+        usefull when slips is running using -g and the user didn't supply
+        an interface, so we need to infer it
+        """
+        try:
+            # Get the default gateway info (usually includes interface name)
+            addrs = netifaces.ifaddresses(interface)
+            # AF_INET is for IPv4 addresses
+            inet_info = addrs.get(netifaces.AF_INET)
+            if not inet_info:
+                return None
+
+            return inet_info[0]["addr"]
+        except Exception as e:
+            print(f"Error getting host IP: {e}")
+            return None
+
+    def _get_host_ips(self) -> Dict[str, str]:
         """
         tries to determine the machine's IP.
-        uses the intrfaces provided by the user if -i is given, or all
-        interfaces if not.
+        uses the intrfaces provided by the user with -i or -ap
+        returns a dict with {interface_name: host_ip, ..}
         """
-        if not (self.main.args.interface or self.main.args.growing):
-            # slips is running on a file, we cant determine the host IP
-            return
+        if self.main.args.growing:
+            # -g is used, user didn't supply the interface
+            # try to get the default interface
+            interface = utils.infer_used_interface()
+            if not interface:
+                return {}
+
+            if default_host_ip := self._get_default_host_ip(interface):
+                return {interface: default_host_ip}
+            return {}
 
         # we use all interfaces when -g is used, otherwise we use the given
         # interface
         interfaces: List[str] = (
             [self.main.args.interface]
             if self.main.args.interface
-            else netifaces.interfaces()
+            else self.main.args.access_point.split(",")
         )
-
+        found_ips = {}
         for iface in interfaces:
             addrs = netifaces.ifaddresses(iface)
             # check for IPv4 address
@@ -41,9 +69,10 @@ def get_host_ip(self) -> Optional[str]:
             for addr in addrs[netifaces.AF_INET]:
                 ip = addr.get("addr")
                 if ip and not ip.startswith("127."):
-                    return ip
+                    found_ips[iface] = ip
+        return found_ips
 
-    def store_host_ip(self) -> Optional[str]:
+    def store_host_ip(self) -> Dict[str, str] | None:
         """
         stores the host ip in the db
         recursively retries to get the host IP online every 10s if not
@@ -52,33 +81,43 @@ def store_host_ip(self) -> Optional[str]:
         if not self.main.db.is_running_non_stop():
             return
 
-        if host_ip := self.get_host_ip():
-            self.main.db.set_host_ip(host_ip)
-            self.main.print(f"Detected host IP: {green(host_ip)}")
-            return host_ip
+        if host_ips := self._get_host_ips():
+            for iface, ip in host_ips.items():
+                self.main.db.set_host_ip(ip, iface)
+                if not self.info_printed:
+                    self.main.print(
+                        f"Detected host IP: {green(ip)} for {green(iface)}"
+                    )
+            self.info_printed = True
+
+            return host_ips
 
         self.main.print("Not Connected to the internet. Reconnecting in 10s.")
         time.sleep(10)
         self.store_host_ip()
 
     def update_host_ip(
-        self, host_ip: str, modified_profiles: Set[str]
-    ) -> Optional[str]:
+        self, host_ips: Dict[str, str], modified_profiles: Set[str]
+    ) -> Dict[str, str]:
         """
         Is called every 5s for slips to update the host ip
         when running on an interface we keep track of the host IP.
         If there was no modified TWs in the host IP, we check if the
         network was changed.
         :param modified_profiles: modified profiles since slips start time
+        :param host_ips: a dict with {interface: host_ip,..} for each
+        interface slips is monitoring
         """
         if not self.main.db.is_running_non_stop():
             return
 
-        if host_ip in modified_profiles:
-            return host_ip
-
-        if latest_host_ip := self.get_host_ip():
-            self.main.db.set_host_ip(latest_host_ip)
-            return latest_host_ip
+        if host_ips:
+            res = {}
+            for iface, ip in host_ips.items():
+                if ip in modified_profiles:
+                    res[iface] = ip
+            if res:
+                return res
 
-        return latest_host_ip
+        # there was no modified TWs in the host IPs, check if network changed
+        return self.store_host_ip()

managers/process_manager.py

@@ -629,7 +629,7 @@ def should_run_non_stop(self) -> bool:
         return (
             self.is_debugger_active()
             or self.main.input_type in ("stdin", "cyst")
-            or self.main.is_interface
+            or self.main.db.is_running_non_stop()
         )
 
     def shutdown_interactive(

modules/arp/arp.py

@@ -166,7 +166,7 @@ def get_uids():
         # node to announce or update its IP to MAC mapping
         # to the entire network. It shouldn't be marked as an arp scan
         # Don't detect arp scan from the GW router
-        if self.db.get_gateway_ip() == flow.saddr:
+        if self.db.get_gateway_ip(flow.interface) == flow.saddr:
             return False
 
         # What is this?
@@ -417,8 +417,8 @@ def detect_mitm_arp_attack(self, twid: str, flow):
             attackers_ip = flow.saddr
             victims_ip = original_ip
 
-            gateway_ip = self.db.get_gateway_ip()
-            gateway_mac = self.db.get_gateway_mac()
+            gateway_ip = self.db.get_gateway_ip(flow.interface)
+            gateway_mac = self.db.get_gateway_mac(flow.interface)
             if flow.saddr == gateway_ip:
                 saddr = f"The gateway {flow.saddr}"
             else:

modules/arp/filter.py

@@ -28,7 +28,7 @@ def should_discard_evidence(self, ip: str) -> bool:
 
     def is_self_defense(self, ip: str):
         """
-        slips uses arp poison to defend itself and th enetwork,
+        slips uses arp poison to defend itself and the network,
         check arp_poison.py for more details.
         goal of this function is to discard evidence about slips doing arp
         attacks when it's just attacking attackers