Slips v1.1.16

.github/ISSUE_TEMPLATE/bug_report.md

@@ -10,6 +10,11 @@ assignees: ''
 **Describe the bug**
 A clear and concise description of what the bug is.
 
+
+**Used Slips command**
+
+The used Slips command that trigged this bug.
+
 **To Reproduce**
 Steps to reproduce the behavior:
 1. Go to branch  '...'

.gitmodules

@@ -14,3 +14,7 @@
 	path = feel_project
 	url = https://github.com/stratosphereips/feel_project
     branch = main
+
+[submodule "SlipsWeb"]
+	path = SlipsWeb
+	url = https://github.com/stratosphereips/SlipsWeb.git

CHANGELOG.md

@@ -1,3 +1,14 @@
+1.1.16 (Dec 1st, 2025)
+- Fix problem reporting evidence when Slips is monitoring one interface
+- Change the usage of -g option, now Slips requires the interface name to monitor when using -g.
+- Fix P2P unable to connect to the redis database when using -m.
+- Fix false positive setting evidence on connection to IP outside local network when the IP is multicast.
+- Evidence handler and whitelist speedup by using bloom filters.
+- Drop support for the dynamic reloading of whitelists
+- Add an alerts visualiser web interface for TAXII servers.
+- Handle Slips and iptables failovers when running Slips as an access point in the Raspberry Pi.
+
+
 1.1.15 (Oct 31st, 2025)
 - Fix FP connection to port 0 for IGMP flows.
 - Support monitoring two interfaces when Slips is running as an access point.

README.md

@@ -1,5 +1,5 @@
 <h1 align="center">
-Slips v1.1.15
+Slips v1.1.16
 </h1>
 
 

VERSION

@@ -1 +1 @@
-1.1.15
+1.1.16

config/slips.yaml

@@ -347,7 +347,7 @@ exporting_alerts:
 
   # Configuer all the methods Slips will export data with
   # Available options are slack or stix
-  # export_to : [stix]
+  # export_to : [stix] (And a TAXII server)
   # export_to : [slack]
   export_to: []
 
@@ -373,12 +373,11 @@ exporting_alerts:
   # For Stix, if Slips should use TLS
   use_https: false
 
-  # TAXII
-  discovery_path: /services/discovery-a
-  inbox_path: /services/inbox-a
+  # TAXII 2 discovery endpoint (relative path or full URL)
+  discovery_path: /taxii2/
 
-  # Collection on the server you want to push stix data to
-  collection_name: collection-a
+  # Collection (ID or title) on the server you want to push STIX data to
+  collection_name: Alerts
 
   # This value is only used when Slips is running non-stop (e.g with -i )
   # push_delay is the time to wait before pushing STIX data to server
@@ -390,13 +389,7 @@ exporting_alerts:
 
   # TAXII server credentials
   taxii_username: admin
-  taxii_password: admin
-
-  # URL used to obtain JWT token. set this to '' if you don't want to use it
-  # is required for JWT based authentication.
-  # (JWT based authentication is Optional)
-  # It's usually /management/auth
-  jwt_auth_path: /management/auth
+  taxii_password: changeme_before_installing_a_medallion_server
 
 #############################
 CESNET:

config/whitelist.conf

@@ -162,3 +162,4 @@ organization,google,both,alerts
 organization,apple,both,alerts
 organization,twitter,both,alerts
 domain,markmonitor.com,both,alerts
+domain,whois.nic.co,both,alerts

docker/Dockerfile

@@ -29,54 +29,43 @@ ENV NVM_DIR=/root/.nvm
 # use bash instead of sh
 SHELL ["/bin/bash", "-c"]
 
+# Switch to Slips installation dir on login.
+WORKDIR ${SLIPS_DIR}
+
+COPY . $SLIPS_DIR
 
-RUN apt update && apt install -y --no-install-recommends \
-    wget \
-    ca-certificates \
-    git \
-    curl \
-    gnupg \
+RUN apt-get update -o Acquire::Retries=5 -o Acquire::https::No-Cache=True \
+    && apt-get install -y --no-install-recommends --fix-broken --fix-missing \
+    $(cat install/apt_dependencies.txt) \
     lsb-release \
     software-properties-common \
-    build-essential \
-    file \
-    lsof \
-    iptables \
-    iproute2 \
-    nfdump \
-    tshark \
-    whois \
-    yara \
-    net-tools \
     vim \
     less \
     unzip \
-    golang \
-    python3-certifi \
-    python3-dev \
-    python3-tzlocal \
-    python3-pip \
     nano \
     tree \
     tmux \
-    arp-scan \
     && echo 'deb http://download.opensuse.org/repositories/security:/zeek/xUbuntu_22.04/ /' |  tee /etc/apt/sources.list.d/security:zeek.list \
     && curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key | gpg --dearmor |  tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null \
     && apt update \
-    && apt install -y --no-install-recommends --fix-missing \
-    zeek \
+    && apt-get install -y --no-install-recommends --fix-missing \
+    zeek-8.0 \
     npm \
     && ln -s /opt/zeek/bin/zeek /usr/local/bin/bro \
     && apt clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
     && curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.7/install.sh | bash - \
     && export NVM_DIR="$HOME/.nvm" \
     && [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"  \
-    && nvm install 22
+    && nvm install 22 \
+    && apt purge -y  redis-server redis # we'll be compiling it manually
+
+
 
 # why are we compiling redis instead od just using apt?
 # to support running slips on the rpi (arm64). the rpi uses jemmalloc by default, which expects a different page size
 # than the default on x86_64
+WORKDIR /
 RUN pip3 install --no-cache-dir --upgrade pip \
     && curl -O https://download.redis.io/redis-stable.tar.gz \
     && tar xzf redis-stable.tar.gz \
@@ -87,11 +76,9 @@ RUN pip3 install --no-cache-dir --upgrade pip \
 ENV PATH="$PATH:/redis-stable/src"
 
 
-# Switch to Slips installation dir on login.
-WORKDIR ${SLIPS_DIR}
 
-COPY . $SLIPS_DIR
 
+WORKDIR ${SLIPS_DIR}
 # Retrieve Iris
 COPY --from=build /iris/iris ./modules/irisModule
 
@@ -110,4 +97,5 @@ ENV PATH="$PATH:/StratosphereLinuxIPS/p2p4slips/"
 
 WORKDIR ${SLIPS_DIR}
 
+
 CMD /bin/bash

docker/light/Dockerfile

@@ -27,7 +27,7 @@ RUN set -eux; \
         | tee /etc/apt/sources.list.d/security:zeek.list \
     && curl -fsSL https://download.opensuse.org/repositories/security:zeek/xUbuntu_22.04/Release.key \
         | gpg --dearmor | tee /etc/apt/trusted.gpg.d/security_zeek.gpg > /dev/null \
-    && apt-get update && apt-get install -y --no-install-recommends --fix-missing zeek \
+    && apt-get update && apt-get install -y --no-install-recommends --fix-missing zeek-8.0  \
     && ln -s /opt/zeek/bin/zeek /usr/local/bin/bro \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*

docker/light/excluded_libs.txt

@@ -16,7 +16,6 @@ scikit_learn
 slackclient
 matplotlib
 stix2
-cabby
 pandas
 setuptools
 numpy

docs/exporting.md

@@ -40,46 +40,44 @@ You can do this by going to the channel, then clicking on the channel's name. Th
 
 ## STIX
 
-If you want to export alerts to your TAXII server using STIX format, change ```export_to``` variable to export to STIX, and Slips will automatically generate a
-```STIX_data.json``` containing all alerts it detects.
+If you want to export alerts to your TAXII 2 server using STIX 2.1 format,
+set ```export_to``` to ```stix``` and Slips will automatically generate a
+```STIX_data.json``` bundle containing the indicators it detects and push it to
+your collection.
 
 
     [ExportingAlerts]
     export_to = [stix]
 
 
-You can add your TAXII server details in the following variables:
+Configure the TAXII client by editing the following variables:
 
-```TAXII_server```: link to your TAXII server
+```TAXII_server```: host name or IP address of the TAXII server.
 
-```port```: port to be used
+```port```: TCP port (optional, defaults to 80/443).
 
-```use_https```: use https or not.
+```use_https```: set to true to connect over HTTPS (be careful that the default TAXII server in SlipsWeb, Medallion, do not support HTTPS yet)
 
-```discovery_path``` and ```inbox_path``` should contain URIs not full urls. For example:
+```discovery_path```: TAXII discovery endpoint path or full URL
+ (for example ```/taxii2/```).
 
-```python
-discovery_path = /services/discovery-a
-inbox_path = /services/inbox-a
-```
-
-```collection_name```: the collection on the server you want to push your STIX data to.
-
-```push_delay```: the time to wait before pushing STIX data to server (in seconds).
-It is used when slips is running non-stop (e.g with -i )
+```collection_name```: ID or title of the TAXII collection that should receive your indicators. Be default `Alerts`.
 
-```taxii_username```: TAXII server user credentials
+```push_delay```: time between automatic pushes (in seconds) when Slips is
+running continuously.
 
-```taxii_password```: TAXII server user password
+```taxii_username``` / ```taxii_password```: credentials used for HTTP Basic authentication.
 
-```jwt_auth_path```: auth path if JWT based authentication is used. It's usually /management/auth. this is what we
-use to get a token.
+**Change the default config password of the TAXII servers you are going to export to in ```config/medallion_config.yaml```**
 
 
-if your TAXII server is a remote server, you can set the ```port``` to 443 or 80.
+Slips stores the generated bundle for each run in the output directory of that
+execution (for example `output/<run_id>/STIX_data.json`), so you can inspect the
+exact STIX objects that were pushed.
 
-If running on a file, Slips will export to server after analysis is done.
-If running on an interface, Slips will export to server every push_delay seconds. by default it's 1h.
+If running on a file, Slips will export once before shutdown.
+If running on an interface, Slips will export to the server every
+```push_delay``` seconds (default 1 hour).
 
 ## JSON format
 

docs/immune/Immune.md

@@ -10,7 +10,9 @@ This is the main guide to the documentation related to the changes done to Slips
 - [LLM Research and Selection](https://stratospherelinuxips.readthedocs.io/en/develop/immune/research_and_selection_of_llm_candidates.html)
 - [LLM RPI Performance](https://stratospherelinuxips.readthedocs.io/en/develop/immune/research_rpi_llm_performance.html)
 - [LLM RPI Finetuning Frameworks](https://stratospherelinuxips.readthedocs.io/en/develop/immune/finetuning_frameworks_rpi_5.html)
+- [LLM Summarization Dataset](https://stratospherelinuxips.readthedocs.io/en/develop/immune/summary_dataset.html)
 - [ARP Poisoning](https://stratospherelinuxips.readthedocs.io/en/develop/immune/arp_poisoning.html)
 - [ARP Poisoning Risks](https://stratospherelinuxips.readthedocs.io/en/develop/immune/arp_poisoning_risks.html)
 - [Blocking with Slips as an Access Point](https://stratospherelinuxips.readthedocs.io/en/develop/immune/blocking_in_slips.html)
 - [IDS-in-the-middle Traffic routing](https://stratospherelinuxips.readthedocs.io/en/develop/immune/ids_in_the_middle_traffic_routing.html)
+- [RPI Failover Mechanisms](https://stratospherelinuxips.readthedocs.io/en/develop/immune/failover_mechanisms.html)

docs/immune/failover_mechanisms.md

@@ -0,0 +1,101 @@
+# Failover Mechanisms
+
+The project has a few failure points listed below that we explicitly want to control instead and try to recover from.
+
+Our goal if something breaks, is to try to recover automatically where possible, but if recovery is not possible or the failure is critical, the user must lose internet so they are forced to debug and restart Slips manually instead of staying connected without Slips protection.
+
+
+All failure points are handled by the ```failover_handler.sh``` script located in ```StratosphereLinuxIPS/rpi_scripts/```.
+
+## Prerequisites
+
+- Raspberry Pi with docker installed
+- StratosphereLinuxIPS cloned. (or just the rpi_scripts/ directory)
+- Root access to the Raspberry Pi.
+- A [running access point](https://stratospherelinuxips.readthedocs.io/en/develop/immune/installing_slips_in_the_rpi.html#protect-your-local-network-with-slips-on-the-rpi).
+
+
+## How to use
+
+Run the following command from Slips main directory as root:
+
+```bash
+sudo  ./rpi_scripts/failover_handler.sh <wifi_interface>,<ethernet_interface>
+```
+
+**Where**
+
+- ```<wifi_interface>``` is the name of the wifi interface used by the access point (e.g. ```wlan0```, etc).
+
+- ```<ethernet_interface>``` is the name of the ethernet interface connected to the router (e.g. ```eth0```, etc).
+
+**You should see output similar to the image below:**
+
+![](../images/immune/a8/failovers_script_output.jpg)
+
+
+**Output:**
+
+The script will
+- Log Slips docker container status, used command, and any errors to ```slips_container.log``` for debugging purposes. This file should be checked in case you notice any issues with the AP or Slips.
+- Start Slips and iptables watcher services through systemd so they start automatically on reboot and on failure.
+- Start slips inside a docker container monitring your ethernet and wifi interfaces.
+- Mount your local ```StratosphereLinuxIPS/output``` to ```/StratosphereLinuxIPS/output``` inside the started Slips container so any output generated by Slips will be available on the host machine.
+
+
+
+## How Failovers are Handled
+
+Slips in the Raspberry Pi has 3 main failure points that we want to handle:
+1. The access point dies
+2. Slips dies
+3. The Raspberry Pi reboots
+
+### The access point dies
+
+If the AP dies, clients get disconnected. There's nothing to handle here. Slips keeps monitoring the ethernet interface and when the AP is back up, clients can reconnect and Slips continues protecting them.
+
+
+### Slips dies
+
+Failovers when Slips dies consist of:
+
+* **Iptables firewall rules persistence**: The iptables firewall rules are saved periodically by the systemd unit that watches for iptables changes and saves them using ```netfilter-persistent``` whenever a change is detected.
+* **Shutting down the AP process**: If Slips crashes we do not want the AP to keep running without Slips protection so we intentionally shut down the access point for the user to notice, debug and restart Slips manually instead of staying connected without Slips protection.
+* **Restarting Slips automatically through systemd:** Slips restarts automatically through systemd on failure and on reboot.
+* **Logging Slips container status to a file for debugging**: Slips container logs are places in ```slips_container.log``` for debugging purposes.
+
+
+
+### The Raspberry Pi reboots
+
+Failovers consist of:
+
+* **Iptables firewall rules persistence**
+* **Automatic start of Slips service through systemd**
+
+
+When the Pi reboots, we want Slips to start automatically, and we want the iptables rules added by Slips to persist. The automatic restart is handled by systemd through the generated ```slips.service``` file, and firewall persistence is handled using the custom iptables watcher through the generated ```iptables-watcher.service```.
+
+
+Both units are generated and started and added to the user's ```/etc/systemd/system``` by the ```failover_handler.sh``` script.
+
+---
+
+## File Descriptions
+
+All the files involved in failover mechanisms are placed in ```StratosphereLinuxIPS/rpi_scripts/``` and are described in the table below:
+
+
+| File                                      | What it does                                                                                                                                                                                                                                                                                                                                  |
+|-------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| failover_handler.sh                       | The central orchestrator that checks AP status, ensures root access, prepares directories, sets up iptables persistence, builds the Slips runner script, generates the systemd unit, and enforces all failover behavior. This is the piece that links every component together and decides how the system should react when something breaks. |
+| iptables_autosave/check-iptables-hash.sh  | Keeps track of the hash of the current iptables rules and triggers a save when change is detected.                                                                                                                                                                                                                                            |
+| iptables_autosave/iptables-watcher.service | The systemd service that runs check-iptables-hash.sh (because we can't run the script directly by the timer), this is triggered by the iptables-watcher.timer every 10s to check for iptables changes.                                                                                                                                        |
+| iptables_autosave/iptables-watcher.timer  | A systemd timer that periodically runs iptables-watcher.service so iptables rule changes are captured and saved automatically.                                                                                                                                                                                                                |
+| slips_container.log                        | A runtime log collecting Docker container output, commands, and status. useful for investigating restarts, failures, or unexpected behavior.                                                                                                                                                                                                  |
+| slips-runner-template.sh                   | The script that launches Slips container and launches slips inside of it in a tmux. This runner keeps the container up as long as Slips is running.                                                                                                                                                                                           |
+| slips.service.template                     | The systemd unit that starts slips on reboot and on failure, it runs the slips-runner-template.sh.                                                                                                                                                                                                                                            |
+
+
+---