11# This configuration file controls several aspects of the working of Slips.
22
33---
4- modes :
4+ output :
55 # Define the file names for the default output.
66 stdout : slips.log
77 stderr : errors.log
8- logsfile : slips.log
8+ logs : slips.log
99
1010# ############################
11- # Parameters that can be also specified with modifiers in the command line
1211
1312parameters :
1413 # The verbosity is related to how much data you want to see about the
@@ -77,6 +76,11 @@ parameters:
7776 # whitelist file, current commit and date
7877 metadata_dir : true
7978
79+ # This directory stores databases and runtime-generated files that must
80+ # persist across different slips runs and should not be overwritten.
81+ # this dir is inside slips root dir.
82+ permanent_dir : permanent
83+
8084 # Default pcap packet filter. Used with zeek pcapfilter : 'ip or not ip'
8185 # If you want more important traffic and forget the multicast and broadcast
8286 # traffic, you can use
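Review bot: The new comment on `permanent_dir : permanent` spreads one idea over three lines and its last line, `# this dir is inside slips root dir.`, is a lowercase fragment that leaves open how the bare relative value `permanent` is resolved. I would replace that line with `# Path relative to the Slips root directory; contents are kept between runs.` so the reader knows it is a relative path anchored at the Slips root and not at the current working directory. The page does not show the loader, so if the path is actually resolved elsewhere the comment should state that instead.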
@@ -112,7 +116,7 @@ parameters:
112116 # label: malicious
113117 # label: unknown
114118 label : normal
115- # If Zeek files are rotated or not to avoid running out of disk.
119+ # determines if Zeek files are rotated or not to avoid running out of disk.
116120 # Zeek rotation is enabled by default when using an interface,
117121 # which means Slips will delete all Zeek log files after 1 day
118122 # of running
@@ -126,17 +130,16 @@ parameters:
126130 # Whitespace between the numeric constant and time unit is optional.
127131 # Appending the letter s to the time unit in order to
128132 # pluralize it is also optional
129- # rotation_period = 30min
130- # rotation_period = 2hr
131- # rotation_period = 30sec
132- rotation_period : 1day
133+ # default_rotation_interval: 30min
134+ # default_rotation_interval: 2hr
135+ default_rotation_interval : 30sec
136+ # default_rotation_interval : 1day
133137
134138 # How many days Slips keeps the rotated Zeek files before deleting them.
135139 # Value should be in days
136140 # set it to 0 day if you want to delete them immediately
137- # keep_rotated_files_for : 1 day
141+ # keep_rotated_files_for : 0 day
138142 # keep_rotated_files_for : 2 day
139- # keep_rotated_files_for : 3 day
140143 keep_rotated_files_for : 1 day
141144
142145 # How many minutes to wait for all modules to finish before killing them
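Review bot: The active default `default_rotation_interval : 30sec` on the new side looks like a value left over from testing: the commented alternative `# default_rotation_interval : 1day` directly below it matches the `rotation_period : 1day` default this hunk removes, and rotating Zeek logs every 30 seconds on a live interface produces a new set of files every half minute for the whole `keep_rotated_files_for : 1 day` window. If the short interval is intentional the comment block above should say why; otherwise I would keep `default_rotation_interval : 1day` active and move `30sec` into the commented examples. The examples also mix `default_rotation_interval: 30min` and `default_rotation_interval : 1day` spacing around the colon, while the rest of the file writes `key : value`, so the examples should follow that form.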
@@ -201,9 +204,9 @@ modules:
201204 # List of modules to ignore. By default we always ignore the template,
202205 # do not remove it from the list
203206 # Add the names of other modules that you want to disable
204- # (they all should be lowercase with no special characters ). Example,
205- # threatintelligence , blocking, networkdiscovery , timeline, virustotal,
206- # rnnccdetection, flowmldetection, updatemanager
207+ # (use module snake_case names ). Example,
208+ # threat_intelligence , blocking, network_discovery , timeline, virustotal,
209+ # rnn_cc_detection, flow_ml_detection, update_manager
207210 disable : [template]
208211
209212 # For each line in timeline file there is a timestamp.
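Review bot: The rewritten example `# threat_intelligence , blocking, network_discovery , timeline, virustotal,` tells users to list modules in `disable` by snake_case name, but the section for that module further down in this file is still `threatintelligence :` (unchanged context in the later hunk), so the file now carries two spellings for the same module. If `disable` matches on the module's code name rather than the section key this works, but a reader cannot tell which spelling the list expects; either rename that section to `threat_intelligence :` in the same commit or extend the comment with `# (module names, not the section headings in this file)`. The stray space before the parenthesis in `# (use module snake_case names ). Example,` should also go.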
@@ -212,10 +215,10 @@ modules:
212215 timeline_human_timestamp : true
213216
214217# ############################
215- flowmldetection :
218+ flow_ml_detection :
216219 # This is a module that uses machine learning for detection.
217220 # It can be used in train mode or test mode.
218- # The mode 'train' should be used to tell the flowmldetection module
221+ # The mode 'train' should be used to tell the flow_ml_detection module
219222 # that the flows received are all for training.
220223 # A label should be provided in the [Parameters] section
221224 # mode : train
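Review bot: The section rename `flowmldetection :` → `flow_ml_detection :` here, together with `bruteforcing` → `brute_force_detector`, `flowalerts` → `flow_alerts`, `CESNET` → `cesnet` and `rotation_period` → `default_rotation_interval` in the other hunks, changes the keys an existing user config is read under, and nothing on the page shows the old names still being accepted. If the loader falls back to built-in defaults for a missing section, an unmodified user file would silently lose tuned values such as `ssh_attempt_threshold : 9` and `long_connection_threshold : 1500` without any error, which directly affects what gets detected. I would either have the loader accept the old spellings with a deprecation warning, or record the renames at the top of the file, e.g. `# Renamed sections in this version: flowmldetection -> flow_ml_detection, bruteforcing -> brute_force_detector, flowalerts -> flow_alerts, CESNET -> cesnet.`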
@@ -226,7 +229,7 @@ flowmldetection:
226229 mode : test
227230
228231# ############################
229- bruteforcing :
232+ brute_force_detector :
230233 # Minimum number of SSH attempts from one source to one destination
231234 # before Slips considers it brute forcing.
232235 ssh_attempt_threshold : 9
@@ -299,7 +302,7 @@ virustotal:
299302# ############################
300303threatintelligence :
301304
302- # By default, slips starts without the TI files, and runs the Update Manager
305+ # By default, slips starts without the TI files, and runs the update_manager
303306 # in the background. If this option is set to true, slips will not start
304307 # analyzing the flows until the update manager finished and all TI files are
305308 # loaded successfully.
@@ -325,7 +328,7 @@ threatintelligence:
325328 # The remote TI files will be temporaly stored in this directory
326329 download_path_for_remote_threat_intelligence : modules/threat_intelligence/remote_data_files/
327330
328- # Update period of Threat Intelligence files. How often should Slips update
331+ # Update period of threat_intelligence files. How often should Slips update
329332 # the IoCs.
330333 # The expected value is in seconds.
331334 # 1 day = 86400 seconds
@@ -389,8 +392,8 @@ whitelists:
389392 local_whitelist_path : config/whitelist.conf
390393
391394# ############################
392- flowalerts :
393- # For the flowalerts module
395+ flow_alerts :
396+ # For the flow_alerts module
394397 # We need a thrshold to determine a long connection in seconds.
395398 # In Slips by default is 25 minutes
396399 long_connection_threshold : 1500
@@ -487,7 +490,7 @@ exporting_alerts:
487490 taxii_timeout : 10
488491
489492# ############################
490- CESNET :
493+ cesnet :
491494 # Slips also supports exporting and importing evidence in the IDEA format to/from
492495 # warden servers of CESNET organization in Czech Republic.
493496 send_alerts : false
@@ -597,7 +600,7 @@ global_p2p:
597600 use_global_p2p : False
598601 iris_conf : config/iris_config.yaml
599602 bootstrapping_node : False
600- bootstrapping_modules : ["fidesModule ", "irisModule "]
603+ bootstrapping_modules : ["fides ", "iris "]
601604
602605# ############################
603606local_p2p :
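Review bot: The renamed entries in `bootstrapping_modules : ["fides ", "iris "]` keep a trailing space inside each quoted string, carried over from `"fidesModule "`, so the list values are `fides ` and `iris ` rather than the module names; unless the consumer strips whitespace before comparing, neither entry will match anything. Renaming was the moment to drop it: `bootstrapping_modules : ["fides", "iris"]`. The neighbouring context lines `use_global_p2p : False` and `bootstrapping_node : False` also use capitalised booleans where the rest of the file writes lowercase `true`/`false` (e.g. `metadata_dir : true`, `send_alerts : false`), which is worth normalising while this block is being touched.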