forked from stratosphereips/StratosphereLinuxIPS
-
Notifications
You must be signed in to change notification settings - Fork 0
/
slips.conf
176 lines (126 loc) · 6.9 KB
/
slips.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
# This configuration file controls several aspects of the working of Slips
#####################
# [1] Input Processing
# Regular expresions to separate the columns
[regexes]
# If not specified no format checking occures on that column.
# This could be helpful when slips receives different input formats on the same port.
# By default columns are verified to see if they are comma separated or TAB separated.
column0 = r'\d{1,2}:\d{1,2}:\d{2,4}\s\d{1,2}:\d{1,2}:\d{1,2}.\d+'
column1 = r'\d+'
# Format of the timestamp used in the column startTime. This is the default used by slips. Remember to always use our ra.conf file when reading flows into slips.
[timestamp]
# For timestamps as second leave not defined.
# Default format for argus flows in slips
#format = %Y/%m/%d %H:%M:%S.%f
# Other format
#format = %m-%d-%y %H:%M:%S.%f
#####################
# [2] Logging of Errors
# This controls the debug output of slips in a log file. The logging is related to errors and situations about the working of the program.
[logging]
logfile = ./slips.log
# Minimum debug level to show. From the level selected, down, everything will be shown
# logging.DEBUG Detailed information, typically of interest only when diagnosing problems.
# logging.INFO Confirmation that things are working as expected.
# logging.WARNING An indication that something unexpected happened, or indicative of some problem in the near future (e.g. ‘disk space low’). The software is still working as expected.
# logging.ERROR Due to a more serious problem, the software has not been able to perform some function.
# logging.CRITICAL A serious error, indicating that the program itself may be unable to continue running.
loglevel = WARNING
# The loglevel works for the file, but the console log is fixed to CRITICAL. This is different from the debug parameter.
#####################
# [3] Parameters that can be also specified with modifiers in the command line
# [3.1] This controls the output of slips in the console
[parameters]
# The verbosity is related to how much data you want to see about the detections useful for an administrator, behaviors, normal and malicious traffic, etc.
verbose = 2
# The debugging is related to how much you want to see about the inner workings of the algorithm, how the models are compared, the flows coming from the file, etc.
debug = 1
# [3.2] The width of the time window used
# 1 minute
#time_window_width = 60
# 5 min
#time_window_width = 300
# 1 hour
time_window_width = 3600
# 1 day
#time_window_width = 86400
# One time window only. Is like if not time windows were used. Beware that the names of the files for the TW have a year in the name that is 100 years back.
#time_window_width = 'only_one_tw'
# [3.3] Home Network
#home_network = 192.168.0.0/16
#home_network = 10.0.0.0/8
#home_network = 172.16.0.0/12
#home_network = 147.32.0.0/16
# The home_network variable can also be an individual IP address, so you can focus on a specific host
#home_network = 10.0.0.123
# [3.4] How often should we create log files? In seconds
log_report_time = 5
# [3.5] Analyze only what goes OUT of the home_net? or also what is coming IN the home_net?
# Options: out, all
# In the _out_ configuration we only pay attention to what each IP in the home net _produces_. We look at the traffic _originating_ from the home net only. The behavior of each IP. If its attacked from the outside we don't process that
analysis_direction = out
# In the _all_ configuration we still only create 1 profile for each IP in the home net (opposite to 1 profile for each external IP connecting to the home net), but when the external IPs connect to the hosts int he home net, we process that traffic also.
# This is useful if you want to know how you are attacked also.
#analysis_direction = all
# Parameter to know if we should create the log files or not. Only yes or no
create_log_files = yes
# Default pcap packet filter. Used with zeek
#pcapfilter = 'ip or not ip'
# If you want more important traffic and forget the multicast and broadcast stuff, you can use
#pcapfilter = 'not icmp and not multicast and not broadcast and not arp and not port 5353 and not port 67'
pcapfilter = ''
# Should we delete the previously stored data in the DB when we start??
# By default False. Meaning we DELETE the DB by default.
deletePrevdb = True
# You can remember the data in all the previous runs of the DB if you put False. Redis will remember as long as the redis server is not down. The persistance is on the memory, not disk.
#deletePrevdb = False
# Set the label for all the flows that are being read. For now only normal and malware directly. No option for setting labels with a filter
#label = normal
label = malicious
#####################
# [4] Configuration for the detections
[detection]
# This threshold means: minimum confirmed attacks per minute needed to generate an alert
evidence_detection_threshold = 0.1
#evidence_detection_threshold = 0.25
#evidence_detection_threshold = 1
#evidence_detection_threshold = 2
#evidence_detection_threshold = 10
#####################
# [5] Generic Confs for the modules or to process the modules
[modules]
# List of modules to ignore. By default we always ignore the template! do not remove it from the list
#disable = ['TemplateModule', 'mldetection1']
#disable = ['TemplateModule','cc-detector-1', 'threatintelligence1']
disable = ['TemplateModule','cc-detector-1', 'mldetection-1']
# Example, do not load the geoip module
#disable = ['GeoIP', 'TemplateModule']
# Default Path to the folder with files holding malcious IPs
# All the files in this folder are read and the IPs are considered malicious
# The format of the files must be, per line:
# ip,description
malicious_ip_file_path = modules/ThreatIntelligence1/malicious_ips_files/
# For each line in timeline file there is timestamp. By default the timestamp is seconds in unix time. However
# by setting this variable to "True" value the time will be human readable.
timeline_human_timestamp = True
# Update period of malicious IPs in Threat Intelligence module. How often should we update the malicious IPs?
# The expected value in seconds.
# 1 day = 86400 seconds
malicious_ips_update_period = 86400
#####################
# [6] Specific configuration for the module MLdetection1
[MLdetection1]
# The mode 'train' should be used to tell the MLdetection1 module that the flows received are all for training.
# A label should be provided
#mode = train
# The mode 'test' should be used after training the models, to test in unknown data.
# You should have trained at least once with 'Normal' data and once with 'Malicious' data in order for the test to work.
mode = test
#####################
# [7] Configuration of the VT module
[virustotal]
# This is the path to the API key. The file should contain the key at the start of the first line, and nothing more.
# If no key is found, VT module will not be started.
#api_key_file = modules/virustotal/api_key_slow
api_key_file = modules/virustotal/api_key_secret