
Merge pull request #430 from stratosphereips/alya/remove_home_network
Remove the home network feature from Slips
AlyaGomaa authored Dec 7, 2023
2 parents ceb3436 + ccf3ce7 commit e985d89
Showing 14 changed files with 13 additions and 213 deletions.
1 change: 0 additions & 1 deletion README.md
Expand Up @@ -210,7 +210,6 @@ Slips can be run on different platforms, the easiest and most recommended way if
Slips has a [config/slips.conf](https://github.com/stratosphereips/StratosphereLinuxIPS/blob/develop/config/slips.conf) that contains user configurations for different modules and general execution.

* You can change the timewindow width by modifying the ```time_window_width``` parameter
* you can set your own home network to make sure you only see the analysis of your local network by setting the home_network parameter
* You can change the analysis direction to ```all``` if you want to see the attacks from and to your computer
* You can also specify whether to ```train``` or ```test``` the ML models

18 changes: 4 additions & 14 deletions config/slips.conf
Expand Up @@ -16,9 +16,9 @@ logsfile = slips.log

#####################

# [1] Parameters that can be also specified with modifiers in the command line
# Parameters that can be also specified with modifiers in the command line

# [1.1] This controls the output of slips in the console
# This controls the output of slips in the console
[parameters]
# The verbosity is related to how much data you want to see about the
# detections useful for an administrator,
Expand All @@ -27,7 +27,7 @@ verbose = 1
# The debugging is related to errors, warnings and cases that may cause errors
debug = 0

# [1.2] The width of the time window used
# The width of the time window used
# 1 minute
#time_window_width = 60
# 5 min
Expand All @@ -41,19 +41,9 @@ time_window_width = 3600
# a year in the name that is 100 years back.
#time_window_width = 'only_one_tw'

# [1.3] Home Network
# if not defined, we create profiles for all the ips we see, should be added
# in the list like the following examples
#home_network = [192.168.0.0/16, 10.0.0.0/8, 172.16.0.0/12]
#home_network = [10.0.0.0/8]
#home_network = [192.168.0.0/16]
#home_network = [172.16.0.0/12]
#home_network = [147.32.0.0/16]

#The home_network variable can also be 1 IP address, so you can focus on a specific host
# home_network = [192.168.2.16/32]

# [1.5] Analyze only what goes OUT of the home_net? or also what is coming IN the home_net?
# Analyze only what goes OUT of the home_net? or also what is coming IN the home_net?
# Options: out, all
# In the _out_ configuration we only pay attention to what each IP in the home
# net _produces_. We look at the traffic
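Review bot: The analysis_direction comment kept at `# Analyze only what goes OUT of the home_net? or also what is coming IN the home_net?` still explains the option in terms of the home network this commit removes, so a reader of the new slips.conf finds no definition of home_net anywhere in the file. Rewording it to whatever the option now keys on, presumably the IPs Slips creates profiles for (confirm against the analysis_direction handling), would keep the file self-explanatory, for example `# Analyze only what goes OUT of the profiled IPs? or also what is coming IN to them?`. The same term recurs in the explanatory sentences below it that continue past the hunk.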
Binary file modified docs/images/directions.png
22 changes: 0 additions & 22 deletions docs/usage.md
Expand Up @@ -506,28 +506,6 @@ Each IP address that appears in the network traffic of the input is represented

```time_window_width```

**Home Network**

Slips can use your home network if you want to focus on analysing
IPs in side your home network only

the ```home_network``` parameter can be 1 network

home_network = [147.32.0.0/16]

or several networks when roaming:

home_network = [192.168.0.0/16, 10.0.0.0/8]

When the ```home_network``` parameter is set, slips creates profiles
only for ips inside the home network, check the analysis direction below for more info.

The ```home_network``` parameter also supports one host as an argument,
which is written like this ```[192.168.2.16/32]```.
When 1 host is set, slips will only create profiles for this 1 IP ```192.168.2.16```

By default, the home_network parameter is not set, which means slips will
create profiles for every IP it sees in the network

**Analysis Direction**

17 changes: 0 additions & 17 deletions slips_files/common/parsers/config_parser.py
Expand Up @@ -99,23 +99,6 @@ def get_pastebin_download_threshold(self):
def get_all_homenet_ranges(self):
return self.home_network_ranges

def get_home_network(self):
"""
Returns a list of network objects if defined in slips.conf. or False
"""
if home_net := self.read_configuration(
'parameters', 'home_network', False
):
# we have home_network param set in slips.conf
home_nets = home_net.replace(']','').replace('[','').split(',')
home_nets = [network.strip() for network in home_nets]
return list(map(ipaddress.ip_network, home_nets))
else:
# return self.home_network_ranges_str
return False



def evidence_detection_threshold(self):
threshold = self.read_configuration(
'detection', 'evidence_detection_threshold', 2
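Review bot: get_home_network was the only visible user of `ipaddress.ip_network` in this section, so the module-level `ipaddress` import in config_parser.py is probably dead after this deletion; its import block is outside this view, so check the rest of the file and drop the import if nothing else references it. get_all_homenet_ranges, still returning `self.home_network_ranges` two lines above the deletion, survives with a name that reads as part of the removed feature; if it serves a different purpose it deserves a one-line docstring saying what those ranges are and that they are not the removed home_network parameter, and if it does not, it belongs in the same removal.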
2 changes: 0 additions & 2 deletions slips_files/core/database/database_manager.py
Expand Up @@ -740,8 +740,6 @@ def add_timeline_line(self, *args, **kwargs):
def get_timeline_last_lines(self, *args, **kwargs):
return self.rdb.get_timeline_last_lines(*args, **kwargs)

def should_add(self, *args, **kwargs):
return self.rdb.should_add(*args, **kwargs)

def mark_profile_as_gateway(self, *args, **kwargs):
return self.rdb.mark_profile_as_gateway(*args, **kwargs)
11 changes: 2 additions & 9 deletions slips_files/core/database/redis_db/database.py
Expand Up @@ -171,7 +171,6 @@ def _read_configuration(cls):
conf = ConfigParser()
cls.deletePrevdb = conf.deletePrevdb()
cls.disabled_detections = conf.disabled_detections()
cls.home_network = conf.get_home_network()
cls.width = conf.get_tw_width_as_float()

@classmethod
Expand Down Expand Up @@ -1099,20 +1098,14 @@ def get_passive_dns(self, ip):

def get_reconnections_for_tw(self, profileid, twid):
"""Get the reconnections for this TW for this Profile"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
data = self.r.hget(profileid + self.separator + twid, 'Reconnections')
data = self.r.hget(f"{profileid}_{twid}", 'Reconnections')
data = json.loads(data) if data else {}
return data

def setReconnections(self, profileid, twid, data):
"""Set the reconnections for this TW for this Profile"""
data = json.dumps(data)
self.r.hset(
profileid + self.separator + twid, 'Reconnections', str(data)
)
self.r.hset(f"{profileid}_{twid}", 'Reconnections', str(data))

def get_host_ip(self):
"""Get the IP addresses of the host from a db. There can be more than one"""
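Review bot: The rewritten keys in get_reconnections_for_tw and setReconnections now hardcode `_` via `f"{profileid}_{twid}"`, while the key builders this commit leaves untouched in profile_handler.py, e.g. add_timeline_line, still use `profileid + self.separator + twid`; if `self.separator` is anything other than `_`, the two sides of the database address different keys, so either keep `profileid + self.separator + twid` here or switch the others in the same commit. Dropping the `if not profileid` guard (done likewise in ioc_handler.py, profile_handler.py and sqlite_db/database.py) turns a None profileid from an early `return False` into the literal key `None_<twid>` being read and written without complaint; if callers can no longer produce a None profileid that is fine, otherwise `if not profileid: raise ValueError("profileid is required")` fails loudly instead of silently polluting the store. The `str(data)` on the new hset line is redundant, since `json.dumps` already returns a str.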
8 changes: 0 additions & 8 deletions slips_files/core/database/redis_db/ioc_handler.py
Expand Up @@ -171,10 +171,6 @@ def set_malicious_ip(self, ip, profileid, twid):
Save in DB malicious IP found in the traffic
with its profileid and twid
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
# Retrieve all profiles and twis, where this malicios IP was met.
ip_profileid_twid = self.get_malicious_ip(ip)
try:
Expand All @@ -199,10 +195,6 @@ def set_malicious_domain(self, domain, profileid, twid):
Save in DB a malicious domain found in the traffic
with its profileid and twid
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
# get all profiles and twis where this IP was met
domain_profiled_twid = self.get_malicious_domain(domain)
try:
82 changes: 2 additions & 80 deletions slips_files/core/database/redis_db/profile_handler.py
Expand Up @@ -89,10 +89,6 @@ def get_timewindow(self, flowtime, profileid):
try:
# First check if we are not in the last TW. Since this will be the majority of cases
try:
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
[(lasttwid, lasttw_start_time)] = self.get_last_twid_of_profile(profileid)
lasttw_start_time = float(lasttw_start_time)
lasttw_end_time = lasttw_start_time + self.width
Expand Down Expand Up @@ -607,10 +603,6 @@ def get_data_from_profile_tw(
:param type_data: can be 'Ports' or 'IPs'
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

try:
# key_name = [Src,Dst] + [Port,IP] + [Client,Server] + [TCP,UDP, ICMP, ICMP6] + [Established,
Expand Down Expand Up @@ -815,10 +807,6 @@ def get_all_contacted_ips_in_profileid_twid(self, profileid, twid) -> dict:
"""
Get all the contacted IPs in a given profile and TW
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return {}
all_flows: dict = self.db.get_all_flows_in_profileid_twid(profileid, twid)
if not all_flows:
return {}
Expand Down Expand Up @@ -1419,12 +1407,9 @@ def add_mac_addr_to_profile(self, profileid: str, mac_addr: str):
PS: it doesn't deal with the MAC vendor
"""
if (
not profileid
or not mac_addr
not mac_addr
or '0.0.0.0' in profileid
):
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False


Expand Down Expand Up @@ -1523,10 +1508,6 @@ def get_mac_addr_from_profile(self, profileid: dict) \
Returns MAC address of the given profile as a str, or None
returns the info from the profileid key.
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return None

return self.r.hget(profileid, 'MAC')

Expand Down Expand Up @@ -1588,10 +1569,6 @@ def get_user_agent_from_profile(self, profileid) -> str:
Returns a dict of {'os_name', 'os_type', 'browser': , 'user_agent': }
used by a certain profile or None
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

if user_agent := self.get_first_user_agent(profileid):
# user agents may be OpenSSH_8.6 , no need to deserialize them
Expand All @@ -1603,10 +1580,6 @@ def mark_profile_as_dhcp(self, profileid):
"""
Used to mark this profile as dhcp server
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

# returns a list of dhcp if the profile is in the db
profile_in_db = self.r.hmget(profileid, 'dhcp')
Expand All @@ -1624,13 +1597,10 @@ def addProfile(self, profileid, starttime, duration):
Duration is only needed for registration purposes in the profile. Nothing operational
"""
try:
# make sure we don't add public ips if the user specified a home_network
if self.r.sismember('profiles', str(profileid)):
# we already have this profile
return False
# execlude ips outside of local network is it's set in slips.conf
if not self.should_add(profileid):
return False

# Add the profile to the index. The index is called 'profiles'
self.r.sadd('profiles', str(profileid))
# Create the hashmap with the profileid. The hasmap of each profile is named with the profileid
Expand Down Expand Up @@ -1661,10 +1631,6 @@ def set_profile_module_label(self, profileid, module, label):
A module label is a label set by a module, and not
a groundtruth label
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
data = self.get_profile_modules_labels(profileid)
data[module] = label
data = json.dumps(data)
Expand Down Expand Up @@ -1855,20 +1821,12 @@ def get_profile_modules_labels(self, profileid):
"""
Get labels set by modules in the profile.
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return {}
data = self.r.hget(profileid, 'modules_labels')
data = json.loads(data) if data else {}
return data

def add_timeline_line(self, profileid, twid, data, timestamp):
"""Add a line to the timeline of this profileid and twid"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return
self.print(f'Adding timeline for {profileid}, {twid}: {data}', 3, 0)
key = str(
profileid + self.separator + twid + self.separator + 'timeline'
Expand All @@ -1883,10 +1841,6 @@ def get_timeline_last_lines(
self, profileid, twid, first_index: int
) -> Tuple[str, int]:
"""Get only the new items in the timeline."""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return [], []
key = str(
profileid + self.separator + twid + self.separator + 'timeline'
)
Expand All @@ -1896,29 +1850,11 @@ def get_timeline_last_lines(
data = self.r.zrange(key, first_index, last_index - 1)
return data, last_index

def should_add(self, profileid: str) -> bool:
"""
determine whether we should add the given profile to the db or not based on the home_network param
is the user specified the home_network param, make sure the given profile/ip belongs to it before adding
"""
# make sure the user specified a home network
if not self.home_network:
# no home_network is specified
return True

ip = profileid.split(self.separator)[1]
ip_obj = ipaddress.ip_address(ip)

return any(ip_obj in network for network in self.home_network)

def mark_profile_as_gateway(self, profileid):
"""
Used to mark this profile as dhcp server
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

self.r.hset(profileid, 'gateway', 'true')

Expand All @@ -1936,23 +1872,13 @@ def get_mac_vendor_from_profile(
"""
Returns a str MAC vendor of the given profile or None
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

return self.r.hget(profileid, 'MAC_vendor')

def get_hostname_from_profile(self, profileid: str) -> str:
"""
Returns hostname about a certain profile or None
"""

if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False

return self.r.hget(profileid, 'host_name')

def add_host_name_to_profile(self, hostname, profileid):
Expand All @@ -1979,10 +1905,6 @@ def get_the_other_ip_version(self, profileid):
Given an ipv4, returns the ipv6 of the same computer
Given an ipv6, returns the ipv4 of the same computer
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return False
srcip = profileid.split('_')[-1]
ip = False
if validators.ipv4(srcip):
9 changes: 0 additions & 9 deletions slips_files/core/database/sqlite_db/database.py
Expand Up @@ -116,10 +116,6 @@ def get_altflow_from_uid(self, profileid, twid, uid) -> dict:
return False

def get_all_contacted_ips_in_profileid_twid(self, profileid, twid) -> dict:
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return {}
all_flows: dict = self.get_all_flows_in_profileid_twid(profileid, twid)

if not all_flows:
Expand Down Expand Up @@ -151,11 +147,6 @@ def get_all_flows_in_profileid(self, profileid):
Return a list of all the flows in this profileid
[{'uid':flow},...]
"""
if not profileid:
# profileid is None if we're dealing with a profile
# outside of home_network when this param is given
return []

condition = f'profileid = "{profileid}"'
flows = self.select('flows', condition=condition)
all_flows = {}
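Review bot: With the guard in get_all_flows_in_profileid removed, whatever profileid the caller passes now flows straight into `condition = f'profileid = "{profileid}"'` on the line after the deletion, an SQL fragment built by string interpolation; previously a falsy value was at least stopped before reaching it. The interpolation predates this commit, but the removal leaves no check between the argument and the query, so validating that profileid has the shape the rest of the code assumes (`profile_<ip>`, judging by the `split('_')[-1]` in profile_handler.py) before building the condition, or binding it as a query parameter if `select` supports that, would be the defensive replacement. get_all_flows_in_profileid continues past the hunk.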
