Architecture

The architecture of Slips is basically:

  • To receive some data as input

  • To process it to a common format

  • To enrich it (gather all possible info about the IPs/MAC/User-Agents etc.)

  • To apply detection modules

  • To output results

Slips is heavily based on the Zeek monitoring tool as the input tool for packets from the interface and from pcap files, due to its excellent recognition of protocols and the ease with which the content of the traffic can be identified.

Figure 1 shows how the data is analyzed by Slips. As we can see, Slips internally uses Zeek, an open source network security monitoring tool. Slips divides flows into profiles and each profile into time windows. Slips runs detection modules on each flow and stores all evidence, alerts and features in the appropriate profile structure. All profile info (performed detections, profiles and time windows' data) is stored inside a Redis database. All flows are read, interpreted by Slips, labeled, and stored in the SQLite database in the output/ dir of each run. The output of Slips is a folder of logs (the output/ directory) containing alert.json, alerts.log and errors.log; the results can also be viewed in Kalipso, a terminal graphical user interface, or in the Web interface.

Figure 1. The analysis of the network traffic by Slips. Its input, internal structure and output.

Below is more explanation of the internal representation of data, the usage of Zeek and the usage of Redis inside Slips.

Internal representation of data.

Slips works at a flow level instead of a packet level, gaining a high-level view of behaviors. Slips creates a traffic profile for each IP that appears in the traffic. A profile contains the complete behavior of an IP address. Each profile is divided into time windows. Each time window is 1 hour long by default and contains dozens of features computed for all connections that start in that time window. Detections are done in each time window, allowing the profile to be marked as uninfected in the next time window.

This is what Slips stores for each IP/profile it creates:

  • IPv4 - IPv4 address of this profile

  • IPv6 - list of IPv6 addresses used by this profile

  • Threat_level - the threat level of this profile, updated every TW.

  • Confidence - how confident Slips is that the threat level is correct

  • Past threat levels - history of past threat levels

  • Used software - list of software used by this profile, for example SSH, Browser, etc.

  • MAC and MAC Vendor - Ether MAC of the IP and the name of the vendor

  • Host-name - the name of the IP

  • First User-agent - first UA seen used by this profile

  • OS Type - Type of OS used by this profile as extracted from the user agent

  • OS Name - Name of OS used by this profile as extracted from the user agent

  • Browser - Name of the browser used by this profile as extracted from the user agent

  • User-agents history - history of all the user agents used by this profile

  • DHCP - whether the IP is DHCP or not

  • Starttime - epoch formatted timestamp of when the profile first appeared

  • Duration - the standard duration of every TW in this profile

  • Modules labels - the labels assigned to this profile by each module

  • Gateway - if the IP is the gateway (router) of the network

  • Timewindow count - Amount of timewindows in this profile

  • ASN - autonomous system number of the IP

  • Asnorg - name of the org that owns the ASN of this IP

  • ASN Number

  • SNI - Server Name Indication

  • Reverse DNS - name of the IP in reverse DNS

  • Threat Intelligence - if the IP appeared in any of the Slips blacklists

  • Description - Description of this IP as taken from the blacklist

  • Blacklist Threat level - threat level of the blacklist that contains this IP

  • Passive DNS - All the domains that resolved into this IP

  • Certificates - All the certificates that were used by this IP

  • Geocountry - Country of this IP

  • VirusTotal - contains the VirusTotal scores of this IP

    • Down_file: files in VirusTotal downloaded from this IP

    • Ref_file: files in VT that referenced this IP

    • Com_file: files in VT communicating with this IP

    • Url ratio: the higher the score, the more malicious this IP is

Alerts vs Evidence

When running Slips, the alerts you see in red in the CLI or at the very bottom in Kalipso are a bunch of evidence. Evidence in Slips are detections caused by a specific IP in a specific timeframe. Slips doesn't alert on every piece of evidence/detection; it accumulates evidence and only generates an alert when the amount of gathered evidence crosses a threshold. Once this threshold is crossed, Slips generates an alert, marks the time window as malicious (displays it in red in Kalipso) and blocks the IP causing the alert.
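As an added illustration (not Slips' own code), the following Python sketch models how evidence for one profile accumulates per time window and becomes an alert only once the gathered evidence crosses a threshold, and how the next time window starts clean. The threat-level weights, the threshold value, the alert id format and the constructed evidence are assumptions for this example; Slips keeps its real values in its own configuration and code.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical per-level weights and alert threshold, for illustration only.
THREAT_WEIGHT = {"info": 0.0, "low": 0.2, "medium": 0.5, "high": 0.8, "critical": 1.0}
ALERT_THRESHOLD = 0.25
TW_WIDTH = 3600.0  # default time window length from the text: one hour


@dataclass
class Evidence:
    profile_ip: str     # the IP whose profile this evidence belongs to
    timestamp: float    # epoch seconds of the flow that triggered it
    threat_level: str   # one of the keys of THREAT_WEIGHT
    confidence: float   # 0..1, how sure the detecting module is
    description: str


@dataclass
class ProfileState:
    start_time: float   # epoch time the profile first appeared
    scores: dict = field(default_factory=lambda: defaultdict(float))
    alerted: set = field(default_factory=set)


def timewindow_of(profile, ts):
    """Number of the time window containing ts, counting from 1 at the profile start."""
    return int((ts - profile.start_time) // TW_WIDTH) + 1


def add_evidence(profiles, ev):
    """Accumulate one piece of evidence; return an alert id the first time the
    evidence gathered in that profile's time window crosses the threshold."""
    profile = profiles.setdefault(ev.profile_ip, ProfileState(start_time=ev.timestamp))
    tw = timewindow_of(profile, ev.timestamp)
    key = (ev.profile_ip, tw)
    profile.scores[key] += THREAT_WEIGHT[ev.threat_level] * ev.confidence
    if profile.scores[key] >= ALERT_THRESHOLD and key not in profile.alerted:
        profile.alerted.add(key)  # alert once per time window, not per evidence
        return f"alert profile_{ev.profile_ip} timewindow{tw}"
    return None


def demo():
    """Constructed evidence: two detections in hour 1 cross the threshold,
    the single detection in hour 2 does not, so that time window stays clean."""
    profiles, t0 = {}, 1_700_000_000.0
    return [
        add_evidence(profiles, Evidence("10.0.0.5", t0, "low", 0.5, "DNS without connection")),
        add_evidence(profiles, Evidence("10.0.0.5", t0 + 60, "medium", 0.5, "PING sweep")),
        add_evidence(profiles, Evidence("10.0.0.5", t0 + 4000, "medium", 0.3, "PING sweep")),
    ]
```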

Usage of Zeek.

Slips uses Zeek to generate files for most input types, and this data is used to create the profiles. For example, Slips uses this data to create a visual timeline of activities for each time window. This timeline consists of Zeek generated flows and additional interpretation from other logs like dns log and http log.

Usage of Redis database.

All the data inside Slips is stored in Redis, an in-memory data structure store. Redis allows all the modules in Slips to access the data in parallel. Apart from read and write operations, Slips takes advantage of the Redis messaging system called Redis PUB/SUB. Processes may publish data to channels, while others subscribe to these channels and process the new data when it is published.

Usage of SQLite database.

Slips uses an SQLite database to store all flows in Slips' interpreted format. The SQLite database is stored in the output/ dir and each flow is labeled as either 'malicious' or 'benign' based on Slips' detections. All the labeled flows in the SQLite database can be exported to TSV or JSON format.

Threat Levels

Slips has 4 threat levels.

| Threat Level | Description | Example |
|---|---|---|
| Info | Information, do nothing | SSH login |
| Low | Interesting activity to consider | DNS without connection |
| Medium | Suspicious activity that shouldn't happen | PING sweep |
| High | Malicious activity | Password guessing |
| Critical | Critical for your security, results in a direct block | Malicious downloaded files |