The tool is available on GitHub here.

Slips is a Python-based intrusion prevention system that uses machine learning to detect malicious behaviors in the network traffic. Slips was designed to focus on targeted attacks, to detect of command and control channelsi, and to provide good visualisation for the analyst. Slips is able to analyze real live traffic from the device and the large network captures in the type of a pcap files, Suricata, Zeek/Bro and Argus flows. As a result, Slips highlights suspicious behaviour and connections that needs to be deeper analyzed.

This documentation gives an overview how Slips works, how to use it and how to help. To be specific, that table of contents goes as follows:

  • Installation. Instructions to install Slips in a Docker and in a computer. See Installation.

  • Usage. Instructions and examples how to run Slips with different type of files and analyze the traffic using Slips and its GUI Kalipso. See Usage.

  • Detection modules. Explanation of detection modules in Slips, types of input and output. See Detection modules.

  • Architecture. Internal architecture of Slips (profiles, timewindows), the use of Zeek and connection to Redis. See Architecture.

  • Training with your own data. Explanation on how to re-train the machine learning system of Slips with your own traffic (normal or malicious).See Training.

  • Detections per Flow. Explanation on how Slips works to make detections on each flow with different techniques. See Flow Alerts.

  • Exporting. The exporting module allows Slips to export to Slack and STIX servers. See Exporting.

  • Slips in Action. Example of using slips to analyze different PCAPs See Slips in action.

  • Contributing. Explanation how to contribute to Slips, and instructions how to implement new detection module in Slips. See Contributing.

  • Create a new module. Step by step guide on how to create a new Slips module See Create a new module.

  • Code documentation. Auto generated slips code documentation See Code docs.