
Releases: stratosphereips/StratosphereLinuxIPS


14 Jun 11:49
  • Add a Parameter to export strato letters to re-train the RNN model.
  • Better organization of flowalerts module by splitting it into many specialized files.
  • Better unit tests, thanks to @Sekhar-Kumar-Dash.
  • Disable "Connection without DNS resolution" evidence to DNS servers.
  • Fix displaying "Failed" as the protocol name in the web interface when reading Suricata flows.
  • Fix problem reversing source and destination addresses in JA3 evidence description.
  • Improve CI by using more parallelization.
  • Improve non-SSL and non-HTTP detections by making sure that the sum of bytes sent and received is zero.
  • Improve the RNN evidence description; it is now clearer which IP is the bot and which is the C&C server.
  • Improve some threat levels of evidence to reduce false positives.
  • Improve whitelists. Better matching, more domains added, reduced false positives.
  • More minimal Slips notifications: Slips now displays the alert description instead of all the evidence in the alert.
  • The port of the web interface is now configurable in slips.conf.


15 May 13:33
  • Improve whitelists by better matching of ASNs, domains, and organizations.
  • Whitelist Microsoft, Apple, Twitter, Facebook, and Google alerts by default to reduce false positives.
  • Better unit tests, thanks to @Sekhar-Kumar-Dash.
  • Speed up port scan detections.
  • Fix the issue of overwriting Redis configuration file every run.
  • Add more info to metadata/info.txt for each run.


16 Apr 15:30
  • Whitelist alerts to all organizations by default to reduce false positives.
  • Improve and compress Slips Docker images.
  • Improve CI and add pre-commit hooks.
  • Fix problem reporting victims in alerts.json.
  • Better docs for the threat intelligence module.
  • Improve whitelists.
  • Better detection threshold to reduce false positives.
  • Better unit tests.
  • Fix problems stopping the daemon.


15 Mar 15:53
  • Add an option to specify the current client IP in slips.conf to help avoid false positives.
  • Better handling of URLhaus threat intelligence.
  • Change how Slips determines the local network of the current client IP.
  • Fix issues with the progress bar.
  • Fix problem logging alerts and errors to alerts.log and errors.log.
  • Fix problem reporting evidence to other peers.
  • Fix problem starting the web interface.
  • Fix whitelists.
  • Improve how the evidence for young domain detections is set.
  • Remove the description of blacklisted IPs from the evidence description and add the source TI feed instead.
  • Set evidence to all young domain IPs when a connection to a young domain is found.
  • Set two pieces of evidence in some detections, e.g. when the source address connects to a blacklisted IP, evidence is set for both the source and the destination.
  • Use blacklist name instead of IP description in all evidence.
  • Use the latest Redis and NodeJS version in all docker images.


15 Feb 18:02
  • Improve the logging of evidence in alerts.json and alerts.log.
  • Optimize the storing of evidence in the Redis database.
  • Fix problem of missing evidence, now all evidence is logged correctly.
  • Fix problem adding flows to incorrect time windows.
  • Fix problem setting SSH version changing evidence.
  • Fix problem closing Redis ports using -k.
  • Fix problem closing the progress bar.
  • Fix problem releasing the terminal when Slips is done.


15 Jan 14:30
  • Faster ensembling of evidence.
  • Log accumulated threat levels of each evidence in alerts.json.
  • Better handling of the termination of the progress bar.
  • Re-add support for tensorflow to the dockers for macOS M1 and macOS M1 P2P.
  • Fix problem setting 'vertical portscan' evidence detected by Zeek.
  • Fix being unable to do RDAP lookups.
  • Fix stopping Slips daemon.


18 Dec 13:22
  • Fix using -k to kill opened Redis servers.
  • Better README and docs.
  • Improve URLhaus detections.
  • Improve the detection of vertical and horizontal portscans.
  • Unify disabled module names printed in the CLI.
  • Set the threat level reported to other peers to the max of threat levels seen in any time window.
  • Faster detections of devices changing IPs.
  • Remove the home_network feature from Slips.
  • Faster detection of alerts.
  • Fix the problem of not using 'command and control channel' evidence in the alert of each profile.


16 Nov 13:19
  • Use All-ID hash to fingerprint flows stored in the flows database.
  • Increase the weight of port scan alerts by raising their threat level.
  • Fix false positive port scan alerts.
  • Add an option in slips.conf to wait for the update manager to update all TI feeds before starting Slips to avoid missing any blacklisted IPs evidence.
  • Fix error detecting password guessing.
  • Fix issues reading all flows when running on a low-spec device.
  • Improve the stopping of Slips and the termination of its processes.
  • Improve the progress bar.
  • Fix reading flows from stdin.
  • Better code, logs, and unit tests.


15 Sep 13:51
  • CPU and memory profilers, thanks to @danieltherealyang.
  • Check DNS queries and answers for whitelisted IPs and domains.
  • Add AID flow hash to all conn.log flows, which is a combination of community_id and the flow's timestamp.
  • SQLite database improvements and better error handling.
  • Add support for exporting Slips alerts to a SQLite database.


30 Jun 15:40
  • Store flows in SQLite database in the output directory instead of Redis.
  • 55% RAM usage decrease.
  • Support the labeling of flows based on Slips detections.
  • Add support for exporting labeled flows in JSON and tsv formats.
  • Code improvements. Change the structure of all modules.
  • Graceful shutdown of all modules, thanks to @danieltherealyang.
  • Print the number of evidence generated by Slips when running on PCAPs and interface.
  • Improved the detection of ports that belong to a specific organization.
  • Fix bugs in CYST module.
  • Fix URLhaus evidence description.
  • Fix the freezing progress bar issue.
  • Fix problem starting Slips in docker in Linux.
  • Ignore ICMP scans if the flow has ICMP type 3.
  • Improve our whitelist. Slips now checks for whitelisted attackers and victims in the generated evidence.
  • Add embedded documentation in the web interface, thanks to @shubhangi013.
  • Improved the choosing of random Redis ports using the -m parameter.