Improve mlflow detection #1455

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 509 commits into
base: develop
e2e5481
log blocking and unblocking requests and store them in the database
AlyaGomaa May 7, 2025
156d4e1
if a blocked profile generated more than 1 alert, extend its blocking…
AlyaGomaa May 7, 2025
757c0fe
host_ip_manager.py: get the host ip using netifaces
AlyaGomaa May 8, 2025
d14c80a
unblocker: remove debugging logic to test blocking extension
AlyaGomaa May 8, 2025
090ab94
unblocker: fix issue comparing the ts to unblock with the current ts
AlyaGomaa May 8, 2025
19b4c7f
edit debugging prints
AlyaGomaa May 8, 2025
73898b1
edit debugging prints
AlyaGomaa May 8, 2025
8599dfd
fix problem extending the blocking of an already blocked ip
AlyaGomaa May 8, 2025
a692421
keep track of how many extra tws ips are blocked for
AlyaGomaa May 8, 2025
8b26369
unblocker: fix problem updating self.requests when a tw is closed
AlyaGomaa May 8, 2025
b91230b
evidence: if a profiler generates 1+ alerts in the same tw, log the …
AlyaGomaa May 8, 2025
9f3f2d7
evidence: fix problem getting evidence that were part of a past alert
AlyaGomaa May 8, 2025
e3db63b
remove debugging prints
AlyaGomaa May 8, 2025
b9da216
update blocking module unit tests
AlyaGomaa May 8, 2025
3f8302a
add unblocker unit tests
AlyaGomaa May 9, 2025
fbcfc6d
update unittests
AlyaGomaa May 9, 2025
da2ecf5
fix convert_ts_format() function name in all unit tests
AlyaGomaa May 9, 2025
e2d3b96
update evidence handler unit tests
AlyaGomaa May 9, 2025
07f6f9d
profile_handler: handle the case where the starttime of the first flow…
AlyaGomaa May 9, 2025
9fe676c
update the db unit tests
AlyaGomaa May 9, 2025
ff68631
test_profiler: remove the unit test checking for dropping root privs
AlyaGomaa May 9, 2025
fb416e5
add test_unblocker.py
AlyaGomaa May 9, 2025
416171f
Merge pull request #1457 from stratosphereips/dependabot/pip/install/…
AlyaGomaa May 9, 2025
bbca026
Merge pull request #1453 from stratosphereips/dependabot/pip/install/…
AlyaGomaa May 9, 2025
9382d54
Merge pull request #1452 from stratosphereips/dependabot/pip/install/…
AlyaGomaa May 9, 2025
0e26edf
Merge pull request #1451 from stratosphereips/dependabot/pip/install/…
AlyaGomaa May 9, 2025
757c0db
Merge pull request #1464 from stratosphereips/alya/immune/implement_u…
AlyaGomaa May 9, 2025
1e6d0d1
enable/disable training and testing.log with a param in the config file
AlyaGomaa May 10, 2025
65206b6
don't create an empty logfile when create_performance_metrics_log_file…
AlyaGomaa May 10, 2025
cdbf9d3
when enabled, create testing.log or training.log in the current outpu…
AlyaGomaa May 10, 2025
68e588a
Add an enum called labels with either Benign or Malicious so the labe…
AlyaGomaa May 10, 2025
705f63d
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
b690ea7
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
00415c7
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
f2de4e9
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
bfc1221
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
e9c16da
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
ff289cb
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
31f5e9c
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
777c76d
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
8c7df7c
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
25d0933
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
e140a0c
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
104379e
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
22244a7
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
f06b6a3
Re-add function that alya added
eldraco Mar 15, 2025
9e0355a
delete sys
eldraco Mar 15, 2025
c98a3cd
Delete file that was deleted from develop
eldraco Mar 15, 2025
1a13343
Flowmldetection. Fix missing db reference
eldraco Mar 15, 2025
b7af797
Fix the training of flows with ML in new version
eldraco Mar 18, 2025
3faff9b
Fix the profiler handler for cases of nan in state
eldraco Mar 18, 2025
2e0603b
slips.yaml. Update to have correct labels. By default test. Default tr…
eldraco Mar 19, 2025
6f2e3c3
First ipython to test ML flow related models
eldraco Mar 19, 2025
9a91a80
flowml. If the dataset has one flow and that is deleted, then return …
eldraco Mar 19, 2025
b7c55c1
flowml. If the dataset is empty. Return none
eldraco Mar 19, 2025
1336ced
profile_handler. Small bug in how we handled the profiles, we were us…
eldraco Mar 19, 2025
9dc77cd
First new version of the model and scaler. Not good yet, but working.
eldraco Mar 19, 2025
12e3d93
model and scaler with 1 malicious and 1 benign
eldraco Mar 20, 2025
64fb220
cleaner jupyter
eldraco Mar 20, 2025
83a9128
New models after 3rd train
eldraco Mar 20, 2025
35c0a9f
Models after 4th train
eldraco Mar 25, 2025
71b93a5
Models of ml flow with the first good performance in small tests
eldraco Mar 26, 2025
2c70aa7
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
e04e6c6
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
8a30e90
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
3c7af27
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
561049f
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
da9a6b0
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
48b4255
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
5be432f
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
43f078f
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
6be1da4
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
4c52dd2
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
0b646fa
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
a477d08
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
a74d1c5
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
560a37b
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
5190917
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
567f439
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
626a5c3
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
2c22122
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
6bed5ff
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
d5ea680
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
0e07e32
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
000e892
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
0955f66
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
088d927
mlflow. Ignore UID column
eldraco Jul 29, 2024
51f5f2f
Re-add function that alya added
eldraco Mar 15, 2025
38c5d55
Delete file that was deleted from develop
eldraco Mar 15, 2025
c15b430
Flowmldetection. Fix missing db reference
eldraco Mar 15, 2025
dc2ced3
Fix the training of flows with ML in new version
eldraco Mar 18, 2025
76ae27f
flowml. If the dataset has one flow and that is deleted, then return …
eldraco Mar 19, 2025
e216d5b
flowml. If the dataset is empty. Return none
eldraco Mar 19, 2025
90e2344
First new version of the model and scaler. Not good yet, but working.
eldraco Mar 19, 2025
0caa44d
model and scaler with 1 malicious and 1 benign
eldraco Mar 20, 2025
ac2c493
cleaner jupyter
eldraco Mar 20, 2025
b57b591
New models after 3rd train
eldraco Mar 20, 2025
8faa14d
Models after 4th train
eldraco Mar 25, 2025
259169c
Models of ml flow with the first good performance in small tests
eldraco Mar 26, 2025
0789af5
Add plot for flowml train scores
eldraco May 3, 2025
6c4e7f1
Add a log file to store the training data output
eldraco May 3, 2025
d1f4f48
Store data in the log file of training
eldraco May 3, 2025
38347dc
better comments
eldraco May 3, 2025
b9ff8e3
Fix issue not dropping detailed labels
eldraco May 3, 2025
8da3893
Fix issue that not all labels were given to the partial fit
eldraco May 3, 2025
f1b5b68
count partial labels in this epoch
eldraco May 3, 2025
8448018
Don't print training on screen
eldraco May 3, 2025
7c2b383
Add function to write to train log
eldraco May 3, 2025
ad07f7c
Fix label in dummy flow
eldraco May 3, 2025
d373690
Fix dummy flow
eldraco May 3, 2025
867da84
Rename variable
eldraco May 3, 2025
aeebcbc
Fix dummy flow label
eldraco May 3, 2025
5fef371
Pass values to train function
eldraco May 3, 2025
3d8f125
import os
eldraco May 3, 2025
260d684
Get issue of total flows zero
eldraco May 3, 2025
c65e8f1
Add comments
eldraco May 3, 2025
8ae1221
Rename var name to be more clear
eldraco May 3, 2025
5fbe43a
Rename var name
eldraco May 3, 2025
85ac73d
Fix processed flows being zero
eldraco May 3, 2025
058b603
Delete old comments
eldraco May 3, 2025
ff9eff1
Fix plots
eldraco May 3, 2025
e55edf8
Fix plot
eldraco May 3, 2025
5fbff61
Fix plot
eldraco May 3, 2025
ff987fc
Fix plot
eldraco May 3, 2025
bf9d720
Plot testing performance from a log
eldraco May 3, 2025
f146fbf
Fix the plot
eldraco May 3, 2025
37bf4f6
Fix the plots
eldraco May 3, 2025
5936fc8
Fix plot
eldraco May 3, 2025
bfc10be
Fix plots
eldraco May 3, 2025
672a109
Fix plots
eldraco May 3, 2025
aa87ed1
Fix plots
eldraco May 3, 2025
148181f
Change plot names
eldraco May 3, 2025
057beb3
Rename file
eldraco May 3, 2025
f8aa2eb
Recover good flowmldetection deleted by mistake
eldraco May 3, 2025
f53d7e6
Fix plot test
eldraco May 3, 2025
6a2c137
Add testing code to evaluate performance. It is optional with a variable
eldraco May 3, 2025
9fd5cff
Fix plots
eldraco May 3, 2025
3b88f41
Fix train plot
eldraco May 3, 2025
9e683fa
Fix plots
eldraco May 3, 2025
632ddbc
Add performance metrics to the training evaluation
eldraco May 3, 2025
1d3346d
Fix experiment names
eldraco May 4, 2025
36129e5
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
a9a38be
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
96e0e65
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
5d655d2
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
8cd019f
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
fdfd7fa
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
5a5b751
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
2400ee2
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
457cf59
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
c35018e
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
311e8de
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
75bb4ea
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
6be9004
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
e08f290
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
5de25cd
Re-add function that alya added
eldraco Mar 15, 2025
2b614c8
delete sys
eldraco Mar 15, 2025
7bce2ca
Delete file that was deleted from develop
eldraco Mar 15, 2025
62cf6cd
Flowmldetection. Fix missing db reference
eldraco Mar 15, 2025
4c8f426
Fix the training of flows with ML in new version
eldraco Mar 18, 2025
7a1e10f
Fix the profiler handler for cases of nan in state
eldraco Mar 18, 2025
c76c963
flowml. If the dataset has one flow and that is deleted, then return …
eldraco Mar 19, 2025
74007e8
flowml. If the dataset is empty. Return none
eldraco Mar 19, 2025
deefde0
First new version of the model and scaler. Not good yet, but working.
eldraco Mar 19, 2025
8112079
model and scaler with 1 malicious and 1 benign
eldraco Mar 20, 2025
af5bc46
cleaner jupyter
eldraco Mar 20, 2025
b558c05
New models after 3rd train
eldraco Mar 20, 2025
f8b36d6
Models after 4th train
eldraco Mar 25, 2025
4a448bc
Models of ml flow with the first good performance in small tests
eldraco Mar 26, 2025
a2b5b99
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
5df2e70
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
92316cf
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
eb77826
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
28d2199
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
cbe80f8
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
aa68a90
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
aee1e13
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
fc14125
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
9c95c76
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
1b20f2a
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
2b9ed84
state_handler: split get_final_state_from_flags() into smaller functions
AlyaGomaa Jul 30, 2024
736cf0b
state_handler: refactor get_final_state_from_flags()
AlyaGomaa Jul 30, 2024
2b576c4
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
47d05a0
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
e197df0
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
d95f4c9
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
c9d2395
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
f6de6fe
mlflow. Add a function to convert the state again
eldraco Jul 29, 2024
1b46d82
delete get_final_state_from_flags() from flowmldetection, profiler, a…
AlyaGomaa Jul 30, 2024
299d2ab
mlflow. Ignore UID column
eldraco Jul 29, 2024
06bbbcf
Re-add function that alya added
eldraco Mar 15, 2025
98e29a6
Delete file that was deleted from develop
eldraco Mar 15, 2025
045947f
Flowmldetection. Fix missing db reference
eldraco Mar 15, 2025
e793c51
Fix the training of flows with ML in new version
eldraco Mar 18, 2025
57e144c
flowml. If the dataset has one flow and that is deleted, then return …
eldraco Mar 19, 2025
5c56220
flowml. If the dataset is empty. Return none
eldraco Mar 19, 2025
a8c11a8
First new version of the model and scaler. Not good yet, but working.
eldraco Mar 19, 2025
f347752
model and scaler with 1 malicious and 1 benign
eldraco Mar 20, 2025
744a549
cleaner jupyter
eldraco Mar 20, 2025
9682f8c
New models after 3rd train
eldraco Mar 20, 2025
1227487
Models after 4th train
eldraco Mar 25, 2025
237b6ef
Models of ml flow with the first good performance in small tests
eldraco Mar 26, 2025
43aae2e
Add plot for flowml train scores
eldraco May 3, 2025
6f045c7
Add a log file to store the training data output
eldraco May 3, 2025
8a42f14
Store data in the log file of training
eldraco May 3, 2025
f4dd77b
better comments
eldraco May 3, 2025
7e72af1
Fix issue not dropping detailed labels
eldraco May 3, 2025
beaf213
Fix issue that not all labels were given to the partial fit
eldraco May 3, 2025
5b290a7
count partial labels in this epoch
eldraco May 3, 2025
1cb4482
Don't print training on screen
eldraco May 3, 2025
a38524e
Add function to write to train log
eldraco May 3, 2025
9a888b7
Fix label in dummy flow
eldraco May 3, 2025
8f8a544
Fix dummy flow
eldraco May 3, 2025
d27350f
Rename variable
eldraco May 3, 2025
4242689
Fix dummy flow label
eldraco May 3, 2025
6d561e0
Pass values to train function
eldraco May 3, 2025
50d8921
import os
eldraco May 3, 2025
a7cf82b
Delete old comments
eldraco May 3, 2025
06add41
Fix plots
eldraco May 3, 2025
f516052
Fix plot
eldraco May 3, 2025
d1b2bd8
Fix plot
eldraco May 3, 2025
ba0e9f1
Fix plot
eldraco May 3, 2025
e089bec
Plot testing performance from a log
eldraco May 3, 2025
499f08b
Fix the plot
eldraco May 3, 2025
9007dfb
Fix the plots
eldraco May 3, 2025
fb2e163
Fix plot
eldraco May 3, 2025
acac48b
Fix plots
eldraco May 3, 2025
4196166
Fix plots
eldraco May 3, 2025
dcd73e2
Fix plots
eldraco May 3, 2025
499fe19
Change plot names
eldraco May 3, 2025
8735210
Rename file
eldraco May 3, 2025
a454bd7
Recover good flowmldetection deleted by mistake
eldraco May 3, 2025
3da8002
Fix plot test
eldraco May 3, 2025
d4e2666
Add testing code to evaluate performance. It is optional with a variable
eldraco May 3, 2025
5d2d84a
Fix plots
eldraco May 3, 2025
e400c03
Fix train plot
eldraco May 3, 2025
8983a7f
Fix plots
eldraco May 3, 2025
4cca768
Add performance metrics to the training evaluation
eldraco May 3, 2025
addd26b
Fix experiment names
eldraco May 4, 2025
01a6450
test_profiler: update unit tests
AlyaGomaa May 5, 2025
99a276f
Fix that the training and testing logs files were appended instead of …
eldraco May 5, 2025
cb22b31
Fix an issue of storing the new log files
eldraco May 5, 2025
e0cc7c2
enable/disable training and testing.log with a param in the config file
AlyaGomaa May 10, 2025
adcbafd
don't create an empty logfile when create_performance_metrics_log_file…
AlyaGomaa May 10, 2025
c45e775
when enabled, create testing.log or training.log in the current outpu…
AlyaGomaa May 10, 2025
b245249
Add an enum called labels with either Benign or Malicious so the labe…
AlyaGomaa May 10, 2025
436d793
update branch with the latest develop
AlyaGomaa May 10, 2025
31a49bd
set the config label as the GT label if not found in the given file
AlyaGomaa May 12, 2025
a6ad940
By default train and store logs
eldraco May 20, 2025
c7ab0a2
Fix the labels to .value
eldraco May 20, 2025
1 change: 1 addition & 0 deletions .github/workflows/unit-tests.yml
Expand Up @@ -37,6 +37,7 @@ jobs:
- test_whitelist.py
- test_arp.py
- test_blocking.py
- test_unblocker.py
- test_flow_handler.py
- test_horizontal_portscans.py
- test_http_analyzer.py
6 changes: 3 additions & 3 deletions .secrets.baseline
Expand Up @@ -149,14 +149,14 @@
"filename": "config/slips.yaml",
"hashed_secret": "4cac50cee3ad8e462728e711eac3e670753d5016",
"is_verified": false,
"line_number": 224
"line_number": 226
},
{
"type": "Secret Keyword",
"filename": "config/slips.yaml",
"hashed_secret": "d033e22ae348aeb5660fc2140aec35850c4da997",
"is_verified": false,
"line_number": 394
"line_number": 396
}
],
"dataset/test14-malicious-zeek-dir/http.log": [
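Review bot: the two `config/slips.yaml` entries in this hunk only have their `line_number` moved (224 to 226, 394 to 396) and both stay `"is_verified": false`, so the baseline keeps suppressing these detect-secrets findings without anyone having confirmed what the flagged values are. Since this PR edits the same config file, it is a good moment to look at the two flagged lines and either mark the entries verified or move the values out of the config.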
Expand Down Expand Up @@ -7192,5 +7192,5 @@
}
]
},
"generated_at": "2025-02-13T22:47:52Z"
"generated_at": "2025-05-10T13:18:46Z"
}
15 changes: 8 additions & 7 deletions config/slips.yaml
Expand Up @@ -26,7 +26,6 @@ parameters:
# For 5 min
# time_window_width : 300
# For 1 hour
# time_window_width : 3600
time_window_width: 3600
# For 1 day
# time_window_width = 86400
Expand Down Expand Up @@ -106,13 +105,12 @@ parameters:
deletePrevdb: true

# Set the label for all the flows that are being read.
# For now only normal and malware directly. No option for setting labels
# with a filter
# For now only Benign and Malicious (Capitalized)
# The purpose is to be used in the training of ML models and to output
# flows with labels for other tools.
# label: malicious
# label: unknown
label: normal
# label: Malicious
# label: Benign
label: Benign
# If Zeek files are rotated or not to avoid running out of disk.
# Zeek rotation is enabled by default when using an interface,
# which means Slips will delete all Zeek log files after 1 day
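Review bot: changing the default `label` from `normal` to `Benign` and dropping the `# label: unknown` option is a breaking change for any existing slips.yaml or downstream tool that still passes `normal`/`malicious`/`unknown`; the comment on these lines should say what happens when an old value is given (rejected at startup, mapped to the new name, or silently treated as unlabelled), and the removal of `unknown` should be called out if any code path depended on it.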
Expand Down Expand Up @@ -214,7 +212,10 @@ flowmldetection:
# training the models, to test in unknown data.
# You should have trained at least once with 'Normal' data and once with
# 'Malicious' data in order for the test to work.
mode: test
mode: train
# creates an extra log file called training.log/testing.log in the
# ouptput dir with performance metrics depending on the mode.
create_performance_metrics_log_files: True

#############################
virustotal:
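Review bot: shipping `mode: train` as the default means a fresh install will keep updating the bundled model and scaler with whatever traffic it sees, all labelled with the new default `label: Benign` from the hunk above, so anyone already on the monitored network can shape what the detector learns as benign; `test` is the safer shipped default, with `train` opted into explicitly alongside a deliberately chosen label. Two smaller points on the same hunk: the unchanged comment above still says trained with 'Normal' data and should read 'Benign' to match the new labels, and `ouptput` in the new comment should be `output`.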
2 changes: 1 addition & 1 deletion docs/architecture.md
Expand Up @@ -12,7 +12,7 @@ Slips is heavily based on the Zeek monitoring tool as input tool for packets fro
Figure 1 shows how the data is analyzed by Slips.
As we can see, Slips internally uses <a href="https://zeek.org/">Zeek</a>, an
open source network security monitoring tool. Slips divides flows into profiles and
each profile into a timewindows.
each profile into a timewindows, timewindows are numbered from 1 to infinity.
Slips runs detection modules on each flow and stores all evidence,
alerts and features in an appropriate profile structure.
All profile info, performed detections, profiles and timewindows' data,
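Review bot: the changed line is a comma splice and keeps the earlier agreement error in "into a timewindows"; suggest `each profile into timewindows, which are numbered starting from 1.` so the sentence reads as one clause and matches how the rest of the page writes "timewindows".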
8 changes: 4 additions & 4 deletions install/requirements.txt
@@ -1,4 +1,4 @@
maxminddb==2.6.3
maxminddb==2.7.0
numpy==1.26.4
watchdog==5.0.0
redis==5.2.1
Expand All @@ -10,7 +10,7 @@ stix2==3.0.1
certifi==2025.4.26
tensorflow==2.16.1
Keras
validators==0.34.0
validators==0.35.0
ipwhois==1.2.0
matplotlib==3.10.1
scikit_learn
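Review bot: the version bumps are fine, but the context lines around `validators==0.35.0` show `Keras` and `scikit_learn` (and `flask`, `aid_hash` in the next hunk) still unpinned, so the pins in this file give no reproducible install for the ML stack this PR's new model and scaler files depend on; pin those too, ideally through a hash-checked lock file, so a poisoned or incompatible upstream release cannot change what loads the models.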
Expand All @@ -29,12 +29,12 @@ pytest-dependency==0.6.0
whois==1.20240129.2
flask
tldextract==5.3.0
termcolor==3.0.1
termcolor==3.1.0
yappi==1.6.10
pytest-sugar==1.0.0
aid_hash
black==24.10.0
ruff==0.11.7
ruff==0.11.8
pre-commit==4.0.1
coverage==7.8.0
netifaces==0.11.0
32 changes: 11 additions & 21 deletions managers/host_ip_manager.py
@@ -1,7 +1,7 @@
# SPDX-FileCopyrightText: 2021 Sebastian Garcia <[email protected]>
# SPDX-License-Identifier: GPL-2.0-only
import socket
import time
import netifaces
from typing import (
Set,
Optional,
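Review bot: `import time` survives this hunk while `socket` is dropped with the old UDP-connect approach; if nothing else in the file uses `time`, remove it in the same pass so the import block only reflects what `get_host_ip` now needs.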
Expand All @@ -16,29 +16,19 @@ def __init__(self, main):

def get_host_ip(self) -> Optional[str]:
"""
tries to determine the machine's IP address by creating a UDP
connection to cloudflare
returns ipv4 or ipv6 of the current computer
tries to determine the machine's IP
"""
for address_family in (socket.AF_INET, socket.AF_INET6):
try:
s = socket.socket(address_family, socket.SOCK_DGRAM)
interfaces = netifaces.interfaces()

test_address = (
("1.1.1.1", 80)
if address_family == socket.AF_INET
else ("2606:4700:4700::1111", 80)
)

s.connect(test_address)
ipaddr_check = s.getsockname()[0]
s.close()
return ipaddr_check
except socket.error:
for iface in interfaces:
addrs = netifaces.ifaddresses(iface)
# check for IPv4 address
if netifaces.AF_INET not in addrs:
continue

# neither ipv4 nor ipv6 worked
return None
for addr in addrs[netifaces.AF_INET]:
ip = addr.get("addr")
if ip and not ip.startswith("127."):
return ip

def store_host_ip(self) -> Optional[str]:
"""
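Review bot: the new loop returns the first non-`127.` IPv4 address of the first interface that has one, which on a sensor with Docker bridges, VPN tunnels or link-local (`169.254.`) addresses may well not be the interface Slips is capturing on; prefer the configured capture interface when there is one and skip link-local addresses before falling back to "first interface wins". Two smaller points in the same hunk: IPv6 support is silently dropped (the old docstring promised "ipv4 or ipv6", the new one just says "the machine's IP"), so the docstring should state IPv4 only; and the explicit `return None` with its comment was removed, so the no-address case now relies on falling off the end of the function, which is worth keeping explicit given the `Optional[str]` annotation. Removing the outbound UDP connect to 1.1.1.1 at startup is a good change for a passive sensor.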
2 changes: 1 addition & 1 deletion managers/metadata_manager.py
Expand Up @@ -77,7 +77,7 @@ def set_analysis_end_date(self, end_date):
if not self.enable_metadata:
return

end_date = utils.convert_format(end_date, utils.alerts_format)
end_date = utils.convert_ts_format(end_date, utils.alerts_format)
self.main.db.set_input_metadata({"analysis_end": end_date})

# add slips end date in the metadata dir
164 changes: 96 additions & 68 deletions managers/process_manager.py
Expand Up @@ -242,92 +242,120 @@ def is_abstract_module(self, obj) -> bool:

def get_modules(self):
"""
Get modules from the 'modules' folder.
get modules to load from the modules/ dir and ignore the ones in
the disable param in the config file.
Starts the blocking module only if --clearblocking in given
and returns a list of modules to load in the correct order if
applicable.
"""
# This plugins import will automatically load the modules
# and put them in the __modules__ variable
plugins = {}
failed_to_load_modules = 0

for module_name in self._discover_module_names():
if not self._should_load_module(module_name):
continue

module = self._import_module(module_name)
if not module:
failed_to_load_modules += 1
continue

plugins = self._load_valid_classes_from_module(module, plugins)

plugins = self._reorder_modules(plugins)
return plugins, failed_to_load_modules

def _reorder_modules(self, plugins):
plugins = self._prioritize_blocking_module(plugins)
plugins = self._start_cyst_module_last(plugins)
return plugins

def _discover_module_names(self):
"""
walk recursively through all modules and packages found in modules/
"""
# __path__ is the current path of this python program
look_for_modules_in = modules.__path__
prefix = f"{modules.__name__}."
# Walk recursively through all modules and packages found on the .
# folder.

for loader, module_name, ispkg in pkgutil.walk_packages(
look_for_modules_in, prefix
):
# If current item is a package, skip.
if ispkg:
continue
continue # skip if current item is a package

dir_name, file_name = module_name.split(".")[1:3]

# to avoid loading everything in the dir,
# only load modules that have the same name as the dir name
dir_name = module_name.split(".")[1]
file_name = module_name.split(".")[2]
if dir_name != file_name:
continue

if self.bootstrap_p2p: # if bootstrapping the p2p network
if not self.is_bootstrapping_module(
module_name
): # keep only the bootstrapping-necessary modules
continue
else: # if not bootstrappig mode
if self.is_ignored_module(
module_name
): # ignore blacklisted modules
continue

# Try to import the module, otherwise skip.
try:
# "level specifies whether to use absolute or relative imports.
# The default is -1 which
# indicates both absolute and relative imports will
# be attempted.
# 0 means only perform absolute imports.
# Positive values for level indicate the number of parent
# directories to search relative to the directory of the
# module calling __import__()."
module = importlib.import_module(module_name)
except ImportError as e:
print(
f"Something wrong happened while "
f"importing the module {module_name}: {e}"
)
print(traceback.format_exc())
failed_to_load_modules += 1
continue

# Walk through all members of currently imported modules.
for member_name, member_object in inspect.getmembers(module):
# Check if current member is a class.
if inspect.isclass(member_object) and (
issubclass(member_object, IModule)
and not self.is_abstract_module(member_object)
):
plugins[member_object.name] = dict(
obj=member_object,
description=member_object.description,
)
if dir_name == file_name:
yield module_name

def _should_load_module(self, module_name):
# filter modules based on bootstrapping or blacklist conditions
if self.bootstrap_p2p:
if not self.is_bootstrapping_module(module_name):
return False # keep only the bootstrapping-necessary modules
else:
if self.is_ignored_module(module_name):
return False # ignore blacklisted modules
return True

# Change the order of the blocking module(load it first)
def _import_module(self, module_name):
# try to import the module, otherwise return None
try:
# "level" specifies how importlib should resolve the module
return importlib.import_module(module_name)
except ImportError as e:
print(
f"Something wrong happened while importing the module"
f" {module_name}: {e}"
)
print(traceback.format_exc())
return None

def _load_valid_classes_from_module(self, module, plugins):
# walk through all members of the given module
for member_name, member_object in inspect.getmembers(module):
if inspect.isclass(member_object):
if issubclass(
member_object, IModule
) and not self.is_abstract_module(member_object):
plugins[member_object.name] = {
"obj": member_object,
"description": member_object.description,
}
return plugins

def _prioritize_blocking_module(self, plugins):
# change the order of the blocking module (load it first)
# so it can receive msgs sent from other modules
if "Blocking" in plugins:
plugins = OrderedDict(plugins)
# last=False to move to the beginning of the dict
plugins.move_to_end("Blocking", last=False)

if "Blocking" not in plugins:
return plugins

ordered = OrderedDict(plugins)
ordered.move_to_end(
"Blocking", last=False
) # last=False to move to the beginning of the dict
plugins.clear()
plugins.update(ordered)
return plugins

def _start_cyst_module_last(self, plugins):
# when cyst starts first, as soon as slips connects to cyst,
# cyst sends slips the flows,
# but the inputprocess didn't even start yet so the flows are lost
# to fix this, change the order of the CYST module(load it last)
if "cyst" in plugins:
plugins = OrderedDict(plugins)
# last=False to move to the beginning of the dict
plugins.move_to_end("cyst", last=True)

return plugins, failed_to_load_modules
# to fix this, change the order of the CYST module (load it last)
if "cyst" not in plugins:
return plugins

ordered = OrderedDict(plugins)
ordered.move_to_end(
"cyst", last=True
) # last=True to move to the end of the dict
plugins.clear()
plugins.update(ordered)
return plugins

def print_disabled_modules(self):
print("-" * 27)
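Review bot: `dir_name, file_name = module_name.split(".")[1:3]` in `_discover_module_names` raises `ValueError` (not enough values to unpack) for any module name with fewer than three dotted parts, such as a stray `modules/foo.py`, and that takes the whole loader down; guard with `parts = module_name.split("."); if len(parts) < 3: continue` before unpacking. Three smaller points in the same hunk: the new docstring says `Starts the blocking module only if --clearblocking in given` ("is given"), but nothing in the refactored code checks that flag, so either the sentence is stale or the check was lost in the split; the comment `# "level" specifies how importlib should resolve the module` in `_import_module` refers to an argument that is no longer passed and should go; and `_prioritize_blocking_module` / `_start_cyst_module_last` now mutate the caller's `plugins` in place via `clear()`/`update()` while also returning it, whereas the old code returned a fresh `OrderedDict`, so any caller holding a reference to the original dict now sees the reordered contents.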
Expand Down Expand Up @@ -515,7 +543,7 @@ def get_analysis_time(self) -> Tuple[str, str]:
returns analysis_time in minutes and slips end_time as a date
"""
start_time = self.main.db.get_slips_start_time()
end_time = utils.convert_format(datetime.now(), "unixtimestamp")
end_time = utils.convert_ts_format(datetime.now(), "unixtimestamp")
return (
utils.get_time_diff(start_time, end_time, return_type="minutes"),
end_time,