Merge pull request #1861 from stratosphereips/develop

Slips v1.1.19

Author: AlyaGomaa

.github/workflows/integration-tests.yml

@@ -55,7 +55,7 @@ jobs:
 
       - name: Upload Artifacts
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           # Replaces slashes with underscores for valid artifact naming
           name: ${{ github.run_id }}-${{ strategy.job-index }}-integration-output

.github/workflows/unit-tests.yml

@@ -56,7 +56,7 @@ jobs:
 
       - name: Upload Artifacts
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: test_slips-output-${{ strategy.job-index }}
           path: |

.secrets.baseline

@@ -149,7 +149,7 @@
         "filename": "config/slips.yaml",
         "hashed_secret": "4cac50cee3ad8e462728e711eac3e670753d5016",
         "is_verified": false,
-        "line_number": 268
+        "line_number": 278
       }
     ],
     "dataset/test14-malicious-zeek-dir/http.log": [
@@ -7185,5 +7185,5 @@
       }
     ]
   },
-  "generated_at": "2026-03-02T22:46:58Z"
+  "generated_at": "2026-03-27T14:25:16Z"
 }

AGENTS.md

@@ -0,0 +1,42 @@
+# AGENTS.md
+
+## Project overview
+- Entry point: `slips.py` (starts the main process, spawns modules, runs in interactive/daemon modes).
+- Core framework code lives in `slips/`, `slips_files/`, and `managers/`.
+- Detection/analysis modules are in `modules/` (implement the `IModule` interface).
+- Configuration is in `config/` (main config: `config/slips.yaml`).
+- Tests live under `tests/` (unit + integration suites).
+- Documentation is in `docs/` (see `docs/contributing.md` for contribution workflow, branching, and PR expectations).
+- UIs/tools: `SlipsWeb/`, `webinterface/`, `webinterface.sh`, and `kalipso.sh`.
+
+## Build and test commands
+- Run locally (no build step):
+  - `./slips.py -e 1 -f dataset/test7-malicious.pcap -o output_dir`
+- Build the Docker image (from `docs/installation.md`):
+  - `docker build --no-cache -t slips -f docker/Dockerfile .`
+  - If build networking fails: `docker build --network=host --no-cache -t slips -f docker/Dockerfile .`
+- Run the Docker image:
+  - `docker run -it --rm --net=host slips`
+
+## Code style guidelines
+- Python formatting is enforced via pre-commit:
+  - Black with `--line-length 79` (see `.pre-commit-config.yaml`).
+  - Ruff is used for linting and autofixes.
+- Keep docstrings at the top of files where present (pre-commit `check-docstring-first`).
+- Maintain clean whitespace (no trailing whitespace, final newline).
+- Follow existing module patterns (`IModule` in `slips_files/common/abstracts/module.py`).
+
+## Testing instructions
+- The canonical test runner is `tests/run_all_tests.sh` (runs unit tests then integration tests).
+- Equivalent manual sequence (from `tests/run_all_tests.sh`):
+  - `./slips.py -cc`
+  - `printf "0" | ./slips.py -k`
+  - `python3 -m pytest tests/ --ignore="tests/integration_tests" -n 7 -p no:warnings -vvvv -s`
+  - `python3 tests/destrctor.py`
+  - `./slips.py -cc`
+  - `printf "0" | ./slips.py -k`
+  - `python3 -m pytest -s tests/integration_tests/test_portscans.py -p no:warnings -vv`
+  - `python3 -m pytest -s tests/integration_tests/test_dataset.py -p no:warnings -vv`
+  - `python3 -m pytest -s tests/integration_tests/test_config_files.py -p no:warnings -vv`
+  - `printf "0" | ./slips.py -k`
+  - `./slips.py -cc`

CHANGELOG.md

@@ -1,3 +1,11 @@
+1.1.19 (Mar 31st, 2026)
+
+* Add SSH bruteforce detection based on Zeek SSH, software, and notice logs.
+* Improve performance under high-throughput traffic with parallel evidence handling, profiler/input optimizations.
+* Fix issues while slips is shutting down.
+* Add optional performance plots and CSV metrics for latency, throughput, and resource usage.
+* Fix skipped first-flow processing and reduce shutdown race conditions on small files and PCAPs.
+
 1.1.18 (Mar 3rd, 2026)
 
 * Add the HTTPS anomaly detection module with adaptive baselines, confidence scoring, and detailed evidence reasons.

README.md

@@ -1,5 +1,5 @@
 <h1 align="center">
-Slips v1.1.18
+Slips v1.1.19
 </h1>
 
 

VERSION

@@ -1 +1 @@
-1.1.18
+1.1.19

config/slips.yaml

@@ -163,6 +163,16 @@ parameters:
   # client_ips : [10.0.0.1, 11.0.0.0/24]
   client_ips: []
 
+#############################
+Debug:
+  # Generate latency, throughput, and other performance related CSV files and plots in output/performance_plots/ for debugging
+  # When enabled, Slips records extra per-flow/per-minute performance data from
+  # input, profiler workers, and evidence handling, then generates summary plots
+  # during shutdown. Keep this disabled for normal runs because it adds extra
+  # bookkeeping and disk writes.
+  #  available options are true/false
+  generate_performance_plots: false
+
 #############################
 detection:
 
@@ -215,6 +225,12 @@ flowmldetection:
   # 'Malicious' data in order for the test to work.
   mode: test
 
+#############################
+bruteforcing:
+  # Minimum number of SSH attempts from one source to one destination
+  # before Slips considers it brute forcing.
+  ssh_attempt_threshold: 9
+
 #############################
 anomaly_detection_https:
   # Number of initial hours used to train the baseline model assuming benign traffic.

dataset/test19-malicious-ssh/README.md

@@ -0,0 +1,5 @@
+## SSH Bruteforce
+Using nmap to bruteforce SSH with 1 user and 40 passwords in port 902/TCP with SSH.
+
+Command
+`nmap -p 902 --script ssh-brute --script-args userdb=users.lst,passdb=pass.lst,ssh-brute.timeout=4s 147.32.80.37 -sV`