[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"similar-stratosphereips--StratosphereLinuxIPS":3,"tool-stratosphereips--StratosphereLinuxIPS":61},[4,18,26,36,44,53],{"id":5,"name":6,"github_repo":7,"description_zh":8,"stars":9,"difficulty_score":10,"last_commit_at":11,"category_tags":12,"status":17},4358,"openclaw","openclaw\u002Fopenclaw","OpenClaw 是一款专为个人打造的本地化 AI 助手，旨在让你在自己的设备上拥有完全可控的智能伙伴。它打破了传统 AI 助手局限于特定网页或应用的束缚，能够直接接入你日常使用的各类通讯渠道，包括微信、WhatsApp、Telegram、Discord、iMessage 等数十种平台。无论你在哪个聊天软件中发送消息，OpenClaw 都能即时响应，甚至支持在 macOS、iOS 和 Android 设备上进行语音交互，并提供实时的画布渲染功能供你操控。\n\n这款工具主要解决了用户对数据隐私、响应速度以及“始终在线”体验的需求。通过将 AI 部署在本地，用户无需依赖云端服务即可享受快速、私密的智能辅助，真正实现了“你的数据，你做主”。其独特的技术亮点在于强大的网关架构，将控制平面与核心助手分离，确保跨平台通信的流畅性与扩展性。\n\nOpenClaw 非常适合希望构建个性化工作流的技术爱好者、开发者，以及注重隐私保护且不愿被单一生态绑定的普通用户。只要具备基础的终端操作能力（支持 macOS、Linux 及 Windows WSL2），即可通过简单的命令行引导完成部署。如果你渴望拥有一个懂你",349277,3,"2026-04-06T06:32:30",[13,14,15,16],"Agent","开发框架","图像","数据工具","ready",{"id":19,"name":20,"github_repo":21,"description_zh":22,"stars":23,"difficulty_score":10,"last_commit_at":24,"category_tags":25,"status":17},3808,"stable-diffusion-webui","AUTOMATIC1111\u002Fstable-diffusion-webui","stable-diffusion-webui 是一个基于 Gradio 构建的网页版操作界面，旨在让用户能够轻松地在本地运行和使用强大的 Stable Diffusion 图像生成模型。它解决了原始模型依赖命令行、操作门槛高且功能分散的痛点，将复杂的 AI 绘图流程整合进一个直观易用的图形化平台。\n\n无论是希望快速上手的普通创作者、需要精细控制画面细节的设计师，还是想要深入探索模型潜力的开发者与研究人员，都能从中获益。其核心亮点在于极高的功能丰富度：不仅支持文生图、图生图、局部重绘（Inpainting）和外绘（Outpainting）等基础模式，还独创了注意力机制调整、提示词矩阵、负向提示词以及“高清修复”等高级功能。此外，它内置了 GFPGAN 和 CodeFormer 等人脸修复工具，支持多种神经网络放大算法，并允许用户通过插件系统无限扩展能力。即使是显存有限的设备，stable-diffusion-webui 也提供了相应的优化选项，让高质量的 AI 艺术创作变得触手可及。",162132,"2026-04-05T11:01:52",[14,15,13],{"id":27,"name":28,"github_repo":29,"description_zh":30,"stars":31,"difficulty_score":32,"last_commit_at":33,"category_tags":34,"status":17},1381,"everything-claude-code","affaan-m\u002Feverything-claude-code","everything-claude-code 是一套专为 AI 编程助手（如 Claude Code、Codex、Cursor 等）打造的高性能优化系统。它不仅仅是一组配置文件，而是一个经过长期实战打磨的完整框架，旨在解决 AI 
代理在实际开发中面临的效率低下、记忆丢失、安全隐患及缺乏持续学习能力等核心痛点。\n\n通过引入技能模块化、直觉增强、记忆持久化机制以及内置的安全扫描功能，everything-claude-code 能显著提升 AI 在复杂任务中的表现，帮助开发者构建更稳定、更智能的生产级 AI 代理。其独特的“研究优先”开发理念和针对 Token 消耗的优化策略，使得模型响应更快、成本更低，同时有效防御潜在的攻击向量。\n\n这套工具特别适合软件开发者、AI 研究人员以及希望深度定制 AI 工作流的技术团队使用。无论您是在构建大型代码库，还是需要 AI 协助进行安全审计与自动化测试，everything-claude-code 都能提供强大的底层支持。作为一个曾荣获 Anthropic 黑客大奖的开源项目，它融合了多语言支持与丰富的实战钩子（hooks），让 AI 真正成长为懂上",157379,2,"2026-04-15T23:32:42",[14,13,35],"语言模型",{"id":37,"name":38,"github_repo":39,"description_zh":40,"stars":41,"difficulty_score":32,"last_commit_at":42,"category_tags":43,"status":17},2271,"ComfyUI","Comfy-Org\u002FComfyUI","ComfyUI 是一款功能强大且高度模块化的视觉 AI 引擎，专为设计和执行复杂的 Stable Diffusion 图像生成流程而打造。它摒弃了传统的代码编写模式，采用直观的节点式流程图界面，让用户通过连接不同的功能模块即可构建个性化的生成管线。\n\n这一设计巧妙解决了高级 AI 绘图工作流配置复杂、灵活性不足的痛点。用户无需具备编程背景，也能自由组合模型、调整参数并实时预览效果，轻松实现从基础文生图到多步骤高清修复等各类复杂任务。ComfyUI 拥有极佳的兼容性，不仅支持 Windows、macOS 和 Linux 全平台，还广泛适配 NVIDIA、AMD、Intel 及苹果 Silicon 等多种硬件架构，并率先支持 SDXL、Flux、SD3 等前沿模型。\n\n无论是希望深入探索算法潜力的研究人员和开发者，还是追求极致创作自由度的设计师与资深 AI 绘画爱好者，ComfyUI 都能提供强大的支持。其独特的模块化架构允许社区不断扩展新功能，使其成为当前最灵活、生态最丰富的开源扩散模型工具之一，帮助用户将创意高效转化为现实。",108322,"2026-04-10T11:39:34",[14,15,13],{"id":45,"name":46,"github_repo":47,"description_zh":48,"stars":49,"difficulty_score":32,"last_commit_at":50,"category_tags":51,"status":17},6121,"gemini-cli","google-gemini\u002Fgemini-cli","gemini-cli 是一款由谷歌推出的开源 AI 命令行工具，它将强大的 Gemini 大模型能力直接集成到用户的终端环境中。对于习惯在命令行工作的开发者而言，它提供了一条从输入提示词到获取模型响应的最短路径，无需切换窗口即可享受智能辅助。\n\n这款工具主要解决了开发过程中频繁上下文切换的痛点，让用户能在熟悉的终端界面内直接完成代码理解、生成、调试以及自动化运维任务。无论是查询大型代码库、根据草图生成应用，还是执行复杂的 Git 操作，gemini-cli 都能通过自然语言指令高效处理。\n\n它特别适合广大软件工程师、DevOps 人员及技术研究人员使用。其核心亮点包括支持高达 100 万 token 的超长上下文窗口，具备出色的逻辑推理能力；内置 Google 搜索、文件操作及 Shell 命令执行等实用工具；更独特的是，它支持 MCP（模型上下文协议），允许用户灵活扩展自定义集成，连接如图像生成等外部能力。此外，个人谷歌账号即可享受免费的额度支持，且项目基于 Apache 2.0 
协议完全开源，是提升终端工作效率的理想助手。",100752,"2026-04-10T01:20:03",[52,13,15,14],"插件",{"id":54,"name":55,"github_repo":56,"description_zh":57,"stars":58,"difficulty_score":32,"last_commit_at":59,"category_tags":60,"status":17},4721,"markitdown","microsoft\u002Fmarkitdown","MarkItDown 是一款由微软 AutoGen 团队打造的轻量级 Python 工具，专为将各类文件高效转换为 Markdown 格式而设计。它支持 PDF、Word、Excel、PPT、图片（含 OCR）、音频（含语音转录）、HTML 乃至 YouTube 链接等多种格式的解析，能够精准提取文档中的标题、列表、表格和链接等关键结构信息。\n\n在人工智能应用日益普及的今天，大语言模型（LLM）虽擅长处理文本，却难以直接读取复杂的二进制办公文档。MarkItDown 恰好解决了这一痛点，它将非结构化或半结构化的文件转化为模型“原生理解”且 Token 效率极高的 Markdown 格式，成为连接本地文件与 AI 分析 pipeline 的理想桥梁。此外，它还提供了 MCP（模型上下文协议）服务器，可无缝集成到 Claude Desktop 等 LLM 应用中。\n\n这款工具特别适合开发者、数据科学家及 AI 研究人员使用，尤其是那些需要构建文档检索增强生成（RAG）系统、进行批量文本分析或希望让 AI 助手直接“阅读”本地文件的用户。虽然生成的内容也具备一定可读性，但其核心优势在于为机器",93400,"2026-04-06T19:52:38",[52,14],{"id":62,"github_repo":63,"name":64,"description_en":65,"description_zh":66,"ai_summary_zh":66,"readme_en":67,"readme_zh":68,"quickstart_zh":69,"use_case_zh":70,"hero_image_url":71,"owner_login":72,"owner_name":73,"owner_avatar_url":74,"owner_bio":75,"owner_company":76,"owner_location":76,"owner_email":76,"owner_twitter":77,"owner_website":78,"owner_url":79,"languages":80,"stars":118,"forks":119,"last_commit_at":120,"license":121,"difficulty_score":10,"env_os":122,"env_gpu":123,"env_ram":124,"env_deps":125,"category_tags":131,"github_topics":132,"view_count":32,"oss_zip_url":76,"oss_zip_packed_at":76,"status":17,"created_at":148,"updated_at":149,"faqs":150,"releases":180},8055,"stratosphereips\u002FStratosphereLinuxIPS","StratosphereLinuxIPS","Slips, a free software behavioral Python intrusion prevention system (IDS\u002FIPS) that uses machine learning to detect malicious behaviors in the network traffic. 
Stratosphere Laboratory, AIC, FEL, CVUT in Prague.","StratosphereLinuxIPS（简称 Slips）是一款基于行为分析和机器学习的开源入侵检测与防御系统。它专为保护网络端点而设计，能够实时分析网络流量、PCAP 文件以及来自 Suricata、Zeek 等主流工具的网络流数据，精准识别潜在的恶意行为。\n\n在传统安全工具往往依赖已知特征库进行匹配的背景下，Slips 有效解决了未知威胁和高级持续性威胁难以被发现的问题。它不单纯依赖签名，而是通过结合四十多个威胁情报源、专家启发式规则以及经过大量训练的机器学习模型，综合评估网络行为。只有当收集到的恶意证据达到特定阈值时，系统才会触发警报，从而大幅降低误报率。\n\n这款工具非常适合网络安全研究人员、系统管理员以及希望深入理解网络威胁行为的安全开发者使用。其独特的技术亮点在于作为首款免费的行为型机器学习端点防护系统，它能够从复杂的网络交互中学习正常与异常模式，主动发现隐蔽的攻击痕迹。无论是用于学术研究还是实际的生产环境防御，Slips 都提供了一个强大且灵活的解决方案，帮助用户构建更智能的网络安全防线。","\u003Ch1 align=\"center\">\nSlips v1.1.19\n\u003C\u002Fh1>\n\n\n[![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-GPLv2-blue)](.\u002FLICENSE)\n[![GitHub version](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Ftag\u002Fstratosphereips\u002FStratosphereLinuxIPS?label=version)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![Python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.8-blue)\n![GitHub language count](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flanguages\u002Fcount\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![GitHub repository size](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frepo-size\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![Docker Image Size (tag)](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fimage-size\u002Fstratosphereips\u002Fslips\u002Flatest?color=blue&label=docker%20image%20size)\n![Docker Pulls](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fstratosphereips\u002Fslips)\n\n[![GitHub issues](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues\u002Fstratosphereips\u002FStratosphereLinuxIPS.svg?color=green)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F)\n[![GitHub 
issues-closed](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-closed\u002Fstratosphereips\u002FStratosphereLinuxIPS.svg?color=green)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues?q=is%3Aissue+is%3Aclosed)\n[![GitHub open-pull-requests](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-pr-raw\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=green&label=open%20PRs)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fpulls?q=is%3Aopen)\n[![GitHub pull-requests closed](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-pr-closed-raw\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=green&label=closed%20PRs)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fpulls?q=is%3Aclosed)\n[![GitHub contributors](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fcontributors\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fcontributors\u002F)\n![GitHub forks](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)\n![GitHub Org's stars](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)\n[![GitHub watchers](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fwatchers\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fwatchers\u002F)\n\n[![License](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FBlog-Stratosphere-cyan)](https:\u002F\u002Fwww.stratosphereips.org\u002Fblog\u002Ftag\u002Fslips)\n[![Discord](https:\u002F\u002Fimg.shields.io\u002Fdiscord\u002F761894295376494603?label=&logo=discord&logoColor=ffffff&color=7389D8&labelColor=6A7EC2)](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C)\n![Twitter 
Follow](https:\u002F\u002Fimg.shields.io\u002Ftwitter\u002Ffollow\u002FStratosphereIPS?style=social)\n\n\u003Chr>\n\n\n# Table of Contents\n\n- [Introduction](#introduction)\n- [Usage](#usage)\n- [GUI](#graphical-user-interface)\n- [Requirements](#requirements)\n- [Installation](#installation)\n- [Configuration](#configuration)\n- [Features](#features)\n- [Contributing](#contributing)\n- [Documentation](#documentation)\n- [Troubleshooting](#troubleshooting)\n- [License](#license)\n- [Credits](#credits)\n- [Changelog](#changelog)\n- [Roadmap](#roadmap)\n- [Demos](#demos)\n- [Funding](#funding)\n\n\n# Slips: Behavioral Machine Learning-Based Intrusion Prevention System\n\n\nSlips is a powerful endpoint behavioral intrusion prevention and detection system that uses machine learning to detect malicious behaviors in network traffic. Slips can work with network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek\u002FBro, and Argus. Slips threat detection is based on a combination of machine learning models trained to detect malicious behaviors, 40+ threat intelligence feeds, and expert heuristics. Slips gathers evidence of malicious behavior and uses extensively trained thresholds to trigger alerts when enough evidence is accumulated.\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_431acb5cfb6a.gif\" width=\"850px\" title=\"Slips in action.\">\n\n---\n\n\n# Introduction\nSlips is the first free software behavioral machine learning-based IDS\u002FIPS for endpoints. It was created in 2012 by Sebastian Garcia at the Stratosphere Laboratory, AIC, FEE, Czech Technical University in Prague. The goal was to offer a local IDS\u002FIPS that leverages machine learning to detect network attacks using behavioral analysis.\n\n\nSlips is supported on Linux, MacOS, and windows dockers only. 
The blocking features of Slips are only supported on Linux.\n\nSlips is Python-based and relies on the [Zeek network analysis framework](https:\u002F\u002Fzeek.org\u002Fget-zeek\u002F) for capturing live traffic and analyzing PCAPs, and on\nRedis >= 7.0.4 for interprocess communication.\n\n---\n\n# Usage\n\nThe recommended way to use Slips is on Docker.\n\n#### Linux and Windows hosts\n```\ndocker run --rm -it -p 55000:55000  --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --net=host --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips:latest\n```\n\n```\n.\u002Fslips.py -f dataset\u002Ftest7-malicious.pcap -o output_dir\n```\n\n```\ncat output_dir\u002Falerts.log\n```\n\n#### MacOS\nIn MacOS, do not use --net=host if you want to access the container's internal ports from the host.\n\n```\ndocker run --rm -it -p 55000:55000 --platform linux\u002Famd64 --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips_macos_m1:latest\n```\n\n```\n.\u002Fslips.py -f dataset\u002Ftest7-malicious.pcap -o output_dir\n```\n\n```\ncat output_dir\u002Falerts.log\n```\n\n\n[For more installation options](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installation)\n\n[For a detailed explanation of Slips parameters](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#slips-parameters)\n\n---\n\n\n# Graphical User Interface\n\nTo check Slips output using a GUI you can use the web interface\nor our command-line based interface, Kalipso.\n\n##### Web interface\n\n    .\u002Fwebinterface.sh\n\nThen navigate to ```http:\u002F\u002Flocalhost:55000\u002F``` from your browser.\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_07c6001c378f.png\" width=\"850px\">\n\nFor more info about the web interface, check the docs: 
https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#the-web-interface\n\n\n##### Kalipso (CLI-Interface)\n\n    .\u002Fkalipso.sh\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_055f66a8fc61.png\" width=\"850px\">\n\n\nFor more info about the Kalipso interface, check the docs: https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#kalipso\n\n---\n\n\n# Requirements\n\nSlips requires Python 3.10.12 and at least 4 GBs of RAM to run smoothly.\n\n---\n\n# Installation\n\n\nSlips can be run on different platforms, the easiest and most recommended way if you're a Linux user is to run Slips on Docker.\n\n* [Docker](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#slips-in-docker)\n  * Dockerhub (recommended)\n    * [Linux and windows hosts](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#linux-and-windows-hosts)\n    * [MacOS hosts](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#macos-hosts)\n  * [Docker-compose](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#running-slips-using-docker-compose)\n  * [Dockerfile](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#building-slips-from-the-dockerfile)\n* Native\n  * [Using install.sh](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#install-slips-using-shell-script)\n  * [Manually](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installing-slips-manually)\n* [on RPI (Beta)](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installing-slips-on-a-raspberry-pi)\n\n\n---\n\n\n# Configuration\nSlips 
has a [config\u002Fslips.yaml](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fdevelop\u002Fconfig\u002Fslips.yaml) that contains user configurations for different modules and general execution.\n\n* You can change the timewindow width by modifying the ```time_window_width``` parameter\n* You can change the analysis direction to ```all```  if you want to see the attacks from and to your computer\n* You can also specify whether to ```train``` or ```test``` the ML models\n\n* You can enable [popup notifications](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#popup-notifications) of evidence, enable [blocking](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#slips-permissions), [plug in your own zeek script](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#plug-in-a-zeek-script) and more.\n\n\n[More details about the config file options here]( https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#modifying-the-configuration-file)\n\n---\n\n# Features\nSlips key features are:\n\n* **Behavioral Intrusion Prevention**: Slips acts as a powerful system to prevent intrusions based on detecting malicious behaviors in network traffic using machine learning.\n* **Modularity**: Slips is written in Python and is highly modular with different modules performing specific detections in the network traffic.\n* **Targeted Attacks and Command & Control Detection**: It places a strong emphasis on identifying targeted attacks and command and control channels in network traffic.\n* **Traffic Analysis Flexibility**: Slips can analyze network traffic in real-time, PCAP files, and network flows from popular tools like Suricata, Zeek\u002FBro, and Argus.\n* **Threat Intelligence Updates**: Slips continuously updates threat intelligence files and databases, providing relevant detections 
as updates occur.\n* **HTTPS Anomaly Detection**: Adaptive TLS\u002FHTTPS anomaly detection with drift handling and a local HTML report generator for deep dives.\n* **Integration with External Platforms**: Modules in Slips can look up IP addresses on external platforms such as VirusTotal and RiskIQ.\n* **Graphical User Interface**: Slips provides a console graphical user interface (Kalipso) and a web interface for displaying detection with graphs and tables.\n* **Peer-to-Peer (P2P) Module**: Slips includes a complex automatic system to find other peers in the network and share IoC data automatically in a balanced, trusted manner. The P2P module can be enabled as needed.\n* **Docker Implementation**: Running Slips through Docker on Linux systems is simplified, allowing real-time traffic analysis.\n* **Detailed Documentation**: Slips provides detailed documentation guiding users through usage instructions for efficient utilization of its features.\n* **Federated learning** Using the feel_project submodule. 
For more information [check the docs](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002Ffeel_project\u002Fblob\u002Fmain\u002Fdocs\u002FFederated_Learning.md).\n\n---\n\n# Contributing\n\nWe welcome contributions to improve the functionality and features of Slips.\n\nPlease read carefully the [contributing guidelines](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcontributing.html) for contributing to the development of Slips.\n\nYou can run Slips and report bugs, make feature requests, and suggest ideas; open a pull request with a solved GitHub issue or a new feature; or open a pull request with a new detection module.\n\nThe instructions to create a new detection module, along with a template, are [here](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcreate_new_module.html).\n\nIf you are a student, we encourage you to apply for the Google Summer of Code program, in which we participate as a hosting organization.\n\nCheck [Slips in GSoC2023](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FGoogle-Summer-of-Code-2023) for more information.\n\n\nYou can [join our conversations in Discord](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C) for questions and discussions.\nWe appreciate your contributions and thank you for helping to improve Slips!\n\n---\n\n# Documentation\n[User documentation](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002F)\n\n[Code docs](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcode_documentation.html)\n\n---\n\n# Troubleshooting\n\nIf you can't listen on an interface without sudo, for example when Zeek throws the following error:\n```bash\nfatal error: problem with interface wlan0 (pcap_error: socket: Operation not permitted (pcap_activate))\n```\n\nyou can grant Zeek the required capabilities with the following command:\n\n```\nsudo setcap cap_net_raw,cap_net_admin=eip 
\u002F\u003Cpath-to-zeek-bin\u002Fzeek\n```\n\n\n---\n\nYou can [join our conversations in Discord](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C) for questions and discussions.\n\nOr email us at\n* sebastian.garcia@agents.fel.cvut.cz\n* eldraco@gmail.com,\n* alyaggomaa@gmail.com\n\n---\n\n# License\n\n [GNU General Public License](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fmaster\u002FLICENCE)\n\n---\n\n\n# Credits\n\nFounder: [Sebastian Garcia](https:\u002F\u002Fgithub.com\u002Feldraco), sebastian.garcia@agents.fel.cvut.cz, eldraco@gmail.com.\n\nMain authors: [Sebastian Garcia](https:\u002F\u002Fgithub.com\u002Feldraco), [Alya Gomaa](https:\u002F\u002Fgithub.com\u002FAlyaGomaa), [Kamila Babayeva](https:\u002F\u002Fgithub.com\u002Fkamilababayeva)\n\nContributors:\n\n* [Veronica Valeros](https:\u002F\u002Fgithub.com\u002Fverovaleros)\n* [Frantisek Strasak](https:\u002F\u002Fgithub.com\u002Ffrenky-strasak)\n* [Dita Hollmannova](https:\u002F\u002Fgithub.com\u002Fdraliii)\n* [Ondrej Lukas](https:\u002F\u002Fgithub.com\u002Fondrej-lukas)\n* Elaheh Biglar Beigi\n* [Martin Řepa](https:\u002F\u002Fgithub.com\u002FHappyStoic)\n* [arkamar](https:\u002F\u002Fgithub.com\u002Farkamar)\n* [Maria Rigaki](https:\u002F\u002Fgithub.com\u002FMariaRigaki)\n* [Lukas Forst](https:\u002F\u002Fgithub.com\u002FLukasForst)\n* [Daniel Yang](https:\u002F\u002Fgithub.com\u002Fdanieltherealyang)\n\n---\n\n\n# Changelog\n\nhttps:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fdevelop\u002FCHANGELOG.md\n\n\n---\n\n# Demos\nThe following videos contain demos of Slips in action in various events:\n\n- 2022 BlackHat Europe Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [[web](https:\u002F\u002Fwww.blackhat.com\u002Feu-22\u002Farsenal\u002Fschedule\u002Findex.html#slips-free-software-machine-learning-tool-for-network-intrusion-prevention-system-29599)]\n- 2022 BlackHat 
USA Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [[web](https:\u002F\u002Fwww.blackhat.com\u002Fus-22\u002Farsenal\u002Fschedule\u002Findex.html#slips-free-software-machine-learning-tool-for-network-intrusion-prevention-system-26687)]\n- 2021 BlackHat Europe Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [[slides](https:\u002F\u002Fmega.nz\u002Ffile\u002FEAIjWA5D#DoYhJknH1hpbqfS2ayVLwA7ewNT50jFQb7S3dVAKPko)] [[web](https:\u002F\u002Fwww.blackhat.com\u002Feu-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-25116)]\n- 2021 BlackHat USA Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [[web](https:\u002F\u002Fwww.blackhat.com\u002Fus-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-24105)]\n- 2021 BlackHat Asia Arsenal, Slips: A Machine-Learning Based, Free-Software, Network Intrusion Prevention System [[web](https:\u002F\u002Fwww.blackhat.com\u002Fasia-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-22576)]\n- 2020 Hack In The Box CyberWeek, Android RATs Detection With A Machine Learning-Based Python IDS [[video](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=wx0V3qWdmyk)]\n- 2019 OpenAlt, Fantastic Attacks and How Kalipso can Find Them [[video](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=p2FL2sECpS0&t=1s)]\n- 2016 Ekoparty, Stratosphere IPS. 
The free machine learning malware detection [[video](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=IazEdK8R4YI)]\n\n---\n\n# Funding\nWe are grateful for the generous support and funding provided by the following organizations:\n\n\n- NlNet Foundation, https:\u002F\u002Fnlnet.nl\u002F\n\nThis project is funded through [NGI0 Entrust](https:\u002F\u002Fnlnet.nl\u002Fentrust), a fund established by [NLnet](https:\u002F\u002Fnlnet.nl) with financial support from the European Commission's [Next Generation Internet](https:\u002F\u002Fngi.eu) program. Learn more at the [NLnet project page](https:\u002F\u002Fnlnet.nl\u002Fproject\u002FIris-P2P).\n\n[\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_2ec0c5d1971c.png\" alt=\"NLnet foundation logo\" width=\"20%\" \u002F>](https:\u002F\u002Fnlnet.nl)\n[\u003Cimg src=\"https:\u002F\u002Fnlnet.nl\u002Fimage\u002Flogos\u002FNGI0_tag.svg\" alt=\"NGI Zero Logo\" width=\"20%\" \u002F>](https:\u002F\u002Fnlnet.nl\u002Fentrust)\n\n\n- Artificial Intelligence Centre at the Czech Technical University in Prague, https:\u002F\u002Fwww.aic.fel.cvut.cz\u002F\n- Avast, https:\u002F\u002Fwww.avast.com\u002F\n- CESNET, https:\u002F\u002Fwww.cesnet.cz\u002F\n- Google Summer of Code (2023, 2024), https:\u002F\u002Fsummerofcode.withgoogle.com\u002F\n\nTheir funding has played a crucial role in the development and success of this project.\nWe sincerely appreciate their commitment to advancing technology and their recognition of\nthe value Slips brings to the community.\n","\u003Ch1 align=\"center\">\nSlips 
v1.1.19\n\u003C\u002Fh1>\n\n\n[![许可证](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-GPLv2-blue)](.\u002FLICENSE)\n[![GitHub版本](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Ftag\u002Fstratosphereips\u002FStratosphereLinuxIPS?label=version)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![Python](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Fpython-3.8-blue)\n![GitHub语言数量](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Flanguages\u002Fcount\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![GitHub仓库大小](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Frepo-size\u002Fstratosphereips\u002FStratosphereLinuxIPS)\n![Docker镜像大小（标签）](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fimage-size\u002Fstratosphereips\u002Fslips\u002Flatest?color=blue&label=docker%20image%20size)\n![Docker拉取次数](https:\u002F\u002Fimg.shields.io\u002Fdocker\u002Fpulls\u002Fstratosphereips\u002Fslips)\n\n[![GitHub问题](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues\u002Fstratosphereips\u002FStratosphereLinuxIPS.svg?color=green)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F)\n[![GitHub已关闭的问题](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-closed\u002Fstratosphereips\u002FStratosphereLinuxIPS.svg?color=green)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues?q=is%3Aissue+is%3Aclosed)\n[![GitHub开放的Pull请求](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-pr-raw\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=green&label=open%20PRs)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fpulls?q=is%3Aopen)\n[![GitHub已关闭的Pull请求](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fissues-pr-closed-raw\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=green&label=closed%20PRs)](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fpulls?q=is%3Aclosed)\n[![GitHub贡献者](https:\u002F
\u002Fimg.shields.io\u002Fgithub\u002Fcontributors\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fcontributors\u002F)\n![GitHub复刻数](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fforks\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)\n![GitHub组织的星标数](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fstars\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)\n[![GitHub关注者](https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fwatchers\u002Fstratosphereips\u002FStratosphereLinuxIPS?color=orange)](https:\u002F\u002FGitHub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fwatchers\u002F)\n\n[![许可证](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FBlog-Stratosphere-cyan)](https:\u002F\u002Fwww.stratosphereips.org\u002Fblog\u002Ftag\u002Fslips)\n[![Discord](https:\u002F\u002Fimg.shields.io\u002Fdiscord\u002F761894295376494603?label=&logo=discord&logoColor=ffffff&color=7389D8&labelColor=6A7EC2)](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C)\n![Twitter关注](https:\u002F\u002Fimg.shields.io\u002Ftwitter\u002Ffollow\u002FStratosphereIPS?style=social)\n\n\u003Chr>\n\n\n# 目录\n\n- [简介](#introduction)\n- [使用方法](#usage)\n- [图形用户界面](#graphical-user-interface)\n- [系统要求](#requirements)\n- [安装](#installation)\n- [配置](#configuration)\n- [功能特性](#features)\n- [贡献](#contributing)\n- [文档](#documentation)\n- [故障排除](#troubleshooting)\n- [许可证](#license)\n- [致谢](#credits)\n- [更新日志](#changelog)\n- [路线图](#roadmap)\n- [演示](#demos)\n- [资金支持](#funding)\n\n\n# Slips：基于行为机器学习的入侵防御系统\n\n\nSlips是一款强大的端点行为入侵检测与防御系统，利用机器学习技术来识别网络流量中的恶意行为。Slips能够实时处理网络流量、PCAP文件以及来自Suricata、Zeek\u002FBro和Argus等流行工具的网络流数据。其威胁检测基于经过训练的机器学习模型、40多个威胁情报源以及专家启发式规则的结合。Slips会收集恶意行为的证据，并在积累足够证据时触发警报。\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_431acb5cfb6a.gif\" width=\"850px\" title=\"Slips运行中。\">\n\n---\n\n\n# 
简介\nSlips是首个面向端点的免费软件行为机器学习IDS\u002FIPS。它由塞巴斯蒂安·加西亚于2012年在布拉格捷克理工大学AIC FEE的Stratosphere实验室开发。其目标是提供一种本地IDS\u002FIPS，利用机器学习通过行为分析来检测网络攻击。\n\n\nSlips目前仅支持Linux、MacOS和Windows上的Docker容器。其中，Slips的阻断功能仅在Linux上可用。\n\nSlips基于Python开发，并依赖[Zeek网络分析框架](https:\u002F\u002Fzeek.org\u002Fget-zeek\u002F)来捕获实时流量和分析PCAP文件，同时依赖Redis >= 7.0.4进行进程间通信。\n\n---\n\n# 使用方法\n\n推荐使用Docker来运行Slips。\n\n#### Linux和Windows主机\n```\ndocker run --rm -it -p 55000:55000  --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --net=host --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips:latest\n```\n\n```\n.\u002Fslips.py -f dataset\u002Ftest7-malicious.pcap -o output_dir\n```\n\n```\ncat output_dir\u002Falerts.log\n```\n\n#### MacOS\n在MacOS中，如果希望从主机访问容器内部的端口，请勿使用--net=host选项。\n\n```\ndocker run --rm -it -p 55000:55000 --platform linux\u002Famd64 --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips_macos_m1:latest\n```\n\n```\n.\u002Fslips.py -f dataset\u002Ftest7-malicious.pcap -o output_dir\n```\n\n```\ncat output_dir\u002Falerts.log\n```\n\n\n[更多安装选项](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installation)\n\n[关于Slips参数的详细说明](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#slips-parameters)\n\n---\n\n\n# 图形用户界面\n\n要通过GUI查看Slips的输出，可以使用Web界面或我们的命令行界面Kalipso。\n\n##### Web界面\n\n    .\u002Fwebinterface.sh\n\n然后在浏览器中访问 ```http:\u002F\u002Flocalhost:55000\u002F```。\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_07c6001c378f.png\" width=\"850px\">\n\n有关Web界面的更多信息，请参阅文档：https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#the-web-interface\n\n\n##### Kalipso（CLI界面）\n\n    .\u002Fkalipso.sh\n\n\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_055f66a8fc61.png\" 
width=\"850px\">\n\n\n有关Kalipso界面的更多信息，请参阅文档：https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#kalipso\n\n---\n\n\n# 系统要求\n\nSlips需要Python 3.10.12以及至少4GB内存才能流畅运行。\n\n---\n\n# 安装\n\n\nSlips 可以在不同平台上运行，对于 Linux 用户来说，最简单且推荐的方式是在 Docker 中运行 Slips。\n\n* [Docker](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#slips-in-docker)\n  * Dockerhub（推荐）\n    * [Linux 和 Windows 主机](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#linux-and-windows-hosts)\n    * [MacOS 主机](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#macos-hosts)\n  * [Docker-compose](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#running-slips-using-docker-compose)\n  * [Dockerfile](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#building-slips-from-the-dockerfile)\n* 原生安装\n  * [使用 install.sh 脚本](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#install-slips-using-shell-script)\n  * [手动安装](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installing-slips-manually)\n* [在 RPI 上安装（测试版）](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Finstallation.html#installing-slips-on-a-raspberry-pi)\n\n\n---\n\n\n# 配置\nSlips 拥有一个 [config\u002Fslips.yaml](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fdevelop\u002Fconfig\u002Fslips.yaml)，其中包含了针对不同模块及整体运行的用户配置。\n\n* 你可以通过修改 ```time_window_width``` 参数来调整时间窗口宽度。\n* 如果你想查看来自和发送到你计算机的攻击，可以将分析方向设置为 ```all```。\n* 你还可以指定是使用机器学习模型进行 ```train``` 还是 ```test```。\n\n* 你可以启用证据的 [弹出通知](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#popup-notifications)，启用 
[阻断功能](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#slips-permissions)，[插入你自己的 Zeek 脚本](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#plug-in-a-zeek-script) 等等。\n\n\n[关于配置文件选项的更多详细信息请见此处]( https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fusage.html#modifying-the-configuration-file)\n\n---\n\n# 特性\nSlips 的主要特性包括：\n\n* **行为型入侵防御**：Slips 是一个强大的系统，能够基于机器学习检测网络流量中的恶意行为，从而有效预防入侵。\n* **模块化**：Slips 使用 Python 编写，具有高度模块化的设计，不同的模块负责在网络流量中执行特定的检测任务。\n* **针对性攻击与命令控制通道检测**：它特别注重识别网络流量中的针对性攻击以及命令控制通道。\n* **流量分析灵活性**：Slips 可以实时分析网络流量、PCAP 文件，以及来自 Suricata、Zeek\u002FBro 和 Argus 等流行工具的网络流。\n* **威胁情报更新**：Slips 会持续更新威胁情报文件和数据库，在有新情报时提供相关的检测结果。\n* **HTTPS 异常检测**：具备自适应的 TLS\u002FHTTPS 异常检测功能，并能处理漂移问题，同时提供本地 HTML 报告生成器以便深入分析。\n* **与外部平台集成**：Slips 中的模块可以查询 VirusTotal 和 RiskIQ 等外部平台上的 IP 地址。\n* **图形用户界面**：Slips 提供一个控制台图形用户界面（Kalipso）以及一个 Web 界面，用于以图表和表格形式展示检测结果。\n* **点对点（P2P）模块**：Slips 内置了一个复杂的自动系统，能够在网络中查找其他节点，并以平衡、可信的方式自动共享 IoC 数据。P2P 模块可根据需要启用。\n* **Docker 实现**：在 Linux 系统上通过 Docker 运行 Slips 可以简化操作，实现对实时流量的分析。\n* **详尽的文档**：Slips 提供了详细的文档，指导用户高效地使用其各项功能。\n* **联邦学习**：通过 feel_project 子模块实现。更多信息请参阅 [文档](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002Ffeel_project\u002Fblob\u002Fmain\u002Fdocs\u002FFederated_Learning.md)。\n\n---\n\n# 贡献\n我们欢迎各位为改进 Slips 的功能和特性做出贡献。\n\n请仔细阅读 [贡献指南](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcontributing.html)，了解如何参与 Slips 的开发。\n\n你可以运行 Slips 并报告 bug、提出功能请求或建议想法；也可以针对已解决的 GitHub 问题提交包含新功能的拉取请求，或者提交包含新检测模块的拉取请求。\n\n创建新检测模块的说明及模板请参见 [此处](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcreate_new_module.html)。\n\n如果你是学生，我们鼓励你申请 Google Summer of Code 计划，我们作为主办机构参与其中。\n\n更多信息请参阅 [Slips 在 GSoC2023 中的情况](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FGoogle-Summer-of-Code-2023)。\n\n如有疑问或想讨论相关话题，欢迎加入我们的 Discord 
社区：[discord.gg\u002Fzu5HwMFy5C](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C)。\n\n我们非常感谢你的贡献，并期待你帮助我们不断改进 Slips！\n\n---\n\n# 文档\n[用户文档](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002F)\n\n[代码文档](https:\u002F\u002Fstratospherelinuxips.readthedocs.io\u002Fen\u002Fdevelop\u002Fcode_documentation.html )\n\n---\n\n# 故障排除\n\n如果你无法在没有 sudo 权限的情况下监听某个接口，例如当 Zeek 抛出以下错误时：\n```bash\nfatal error: problem with interface wlan0 (pcap_error: socket: Operation not permitted (pcap_activate))\n```\n\n你可以使用以下命令调整 Zeek 的权限：\n\n```\nsudo setcap cap_net_raw,cap_net_admin=eip \u002F\u003Cpath-to-zeek-bin\u002Fzeek\n```\n\n\n---\n\n如需咨询或讨论，欢迎加入我们的 Discord 社区：[discord.gg\u002Fzu5HwMFy5C](https:\u002F\u002Fdiscord.gg\u002Fzu5HwMFy5C)。\n\n你也可以通过以下邮箱联系我们：\n* sebastian.garcia@agents.fel.cvut.cz\n* eldraco@gmail.com,\n* alyaggomaa@gmail.com\n\n---\n\n# 许可证\n\n[GNU 通用公共许可证](https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fmaster\u002FLICENCE)\n\n---\n\n\n# 致谢\n\n创始人：[Sebastian Garcia](https:\u002F\u002Fgithub.com\u002Feldraco)，sebastian.garcia@agents.fel.cvut.cz，eldraco@gmail.com。\n\n主要作者：[Sebastian Garcia](https:\u002F\u002Fgithub.com\u002Feldraco)，[Alya Gomaa](https:\u002F\u002Fgithub.com\u002FAlyaGomaa)，[Kamila Babayeva](https:\u002F\u002Fgithub.com\u002Fkamilababayeva)。\n\n贡献者：\n\n* [Veronica Valeros](https:\u002F\u002Fgithub.com\u002Fverovaleros)\n* [Frantisek Strasak](https:\u002F\u002Fgithub.com\u002Ffrenky-strasak)\n* [Dita Hollmannova](https:\u002F\u002Fgithub.com\u002Fdraliii)\n* [Ondrej Lukas](https:\u002F\u002Fgithub.com\u002Fondrej-lukas)\n* Elaheh Biglar Beigi\n* [Martin Řepa](https:\u002F\u002Fgithub.com\u002FHappyStoic)\n* [arkamar](https:\u002F\u002Fgithub.com\u002Farkamar)\n* [Maria Rigaki](https:\u002F\u002Fgithub.com\u002FMariaRigaki)\n* [Lukas Forst](https:\u002F\u002Fgithub.com\u002FLukasForst)\n* [Daniel Yang](https:\u002F\u002Fgithub.com\u002Fdanieltherealyang)\n\n---\n\n\n# 
更改日志\n\nhttps:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fblob\u002Fdevelop\u002FCHANGELOG.md\n\n\n---\n\n# 演示\n以下视频展示了 Slips 在不同活动中的实际演示：\n\n- 2022 年 BlackHat 欧洲站 Arsenal，Slips：基于机器学习的免费开源网络入侵防御系统 [[网页](https:\u002F\u002Fwww.blackhat.com\u002Feu-22\u002Farsenal\u002Fschedule\u002Findex.html#slips-free-software-machine-learning-tool-for-network-intrusion-prevention-system-29599)]\n- 2022 年 BlackHat 美国站 Arsenal，Slips：基于机器学习的免费开源网络入侵防御系统 [[网页](https:\u002F\u002Fwww.blackhat.com\u002Fus-22\u002Farsenal\u002Fschedule\u002Findex.html#slips-free-software-machine-learning-tool-for-network-intrusion-prevention-system-26687)]\n- 2021 年 BlackHat 欧洲站 Arsenal，Slips：基于机器学习的免费开源网络入侵防御系统 [[幻灯片](https:\u002F\u002Fmega.nz\u002Ffile\u002FEAIjWA5D#DoYhJknH1hpbqfS2ayVLwA7ewNT50jFQb7S3dVAKPko)] [[网页](https:\u002F\u002Fwww.blackhat.com\u002Feu-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-25116)]\n- 2021 年 BlackHat 美国站 Arsenal，Slips：基于机器学习的免费开源网络入侵防御系统 [[网页](https:\u002F\u002Fwww.blackhat.com\u002Fus-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-24105)]\n- 2021 年 BlackHat 亚洲站 Arsenal，Slips：基于机器学习的免费开源网络入侵防御系统 [[网页](https:\u002F\u002Fwww.blackhat.com\u002Fasia-21\u002Farsenal\u002Fschedule\u002F#slips-a-machine-learning-based-free-software-network-intrusion-prevention-system-22576)]\n- 2020 年 Hack In The Box CyberWeek，基于机器学习的 Python IDS 检测 Android 远控木马 [[视频](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=wx0V3qWdmyk)]\n- 2019 年 OpenAlt，精彩攻击及其如何被 Kalipso 发现 [[视频](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=p2FL2sECpS0&t=1s)]\n- 2016 年 Ekoparty，Stratosphere IPS：免费的机器学习恶意软件检测 [[视频](https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=IazEdK8R4YI)]\n\n---\n\n# 资助\n我们衷心感谢以下机构提供的慷慨支持与资助：\n\n\n- NlNet 基金会，https:\u002F\u002Fnlnet.nl\u002F\n\n本项目由 [NGI0 Entrust](https:\u002F\u002Fnlnet.nl\u002Fentrust) 资助，该基金由 
[NLnet](https:\u002F\u002Fnlnet.nl) 设立，并得到欧盟委员会 [下一代互联网](https:\u002F\u002Fngi.eu) 计划的资金支持。更多信息请访问 [NLnet 项目页面](https:\u002F\u002Fnlnet.nl\u002Fproject\u002FIris-P2P)。\n\n[\u003Cimg src=\"https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_readme_2ec0c5d1971c.png\" alt=\"NLnet 基金会 logo\" width=\"20%\" \u002F>](https:\u002F\u002Fnlnet.nl)\n[\u003Cimg src=\"https:\u002F\u002Fnlnet.nl\u002Fimage\u002Flogos\u002FNGI0_tag.svg\" alt=\"NGI Zero Logo\" width=\"20%\" \u002F>](https:\u002F\u002Fnlnet.nl\u002Fentrust)\n\n\n- 布拉格捷克理工大学人工智能中心，https:\u002F\u002Fwww.aic.fel.cvut.cz\u002F\n- Avast，https:\u002F\u002Fwww.avast.com\u002F\n- CESNET，https:\u002F\u002Fwww.cesnet.cz\u002F\n- Google 夏季编程之夏（2023 年、2024 年），https:\u002F\u002Fsummerofcode.withgoogle.com\u002F\n\n这些机构的资助对本项目的开发与成功起到了至关重要的作用。我们由衷地感谢他们对技术进步的承诺，以及对 Slips 为社区所带来的价值的认可。","# StratosphereLinuxIPS (Slips) 快速上手指南\n\nSlips 是一款基于行为机器学习的开源入侵防御系统（IPS），能够实时分析网络流量、PCAP 文件及主流工具（如 Zeek、Suricata）生成的流数据，以检测恶意行为和命令与控制（C2）通道。\n\n## 环境准备\n\n### 系统要求\n*   **操作系统**：Linux、macOS 或 Windows（需通过 Docker 运行）。\n    *   *注意：流量阻断功能仅在 Linux 上受支持。*\n*   **内存**：至少 4 GB RAM（推荐 8 GB 以获得流畅体验）。\n*   **架构**：x86_64 或 ARM64 (Mac M1\u002FM2)。\n\n### 前置依赖\n*   **Docker**：推荐使用 Docker 运行，可避免复杂的环境配置。\n*   **Python**：若选择原生安装，需 Python 3.10.12+。\n*   **Redis**：若选择原生安装，需 Redis >= 7.0.4。\n\n> **提示**：国内用户若遇到 Docker 镜像拉取缓慢，建议配置 Docker 国内镜像加速器。\n\n## 安装步骤\n\n推荐使用 Docker 方式部署，这是最简便且官方推荐的方法。\n\n### 1. Linux 和 Windows 主机\n\n执行以下命令拉取并运行容器：\n\n```bash\ndocker run --rm -it -p 55000:55000  --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --net=host --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips:latest\n```\n\n### 2. 
macOS 主机\n\n在 macOS 上运行时，请勿使用 `--net=host` 参数，以便从宿主机访问容器端口：\n\n```bash\ndocker run --rm -it -p 55000:55000 --platform linux\u002Famd64 --cpu-shares \"700\" --memory=\"8g\" --memory-swap=\"8g\" --cap-add=NET_ADMIN --name slips stratosphereips\u002Fslips_macos_m1:latest\n```\n\n## 基本使用\n\n启动容器后，即可在容器内执行分析任务。以下是分析一个测试用的恶意 PCAP 文件并查看警报的最简流程。\n\n### 1. 运行分析\n\n在容器终端中执行以下命令，指定输入文件和输出目录：\n\n```bash\n.\u002Fslips.py -f dataset\u002Ftest7-malicious.pcap -o output_dir\n```\n\n*   `-f`: 指定要分析的流量文件（支持 .pcap 或实时接口）。\n*   `-o`: 指定结果输出目录。\n\n### 2. 查看检测结果\n\n分析完成后，查看生成的警报日志：\n\n```bash\ncat output_dir\u002Falerts.log\n```\n\n### 3. 使用图形界面 (可选)\n\nSlips 提供 Web 界面和命令行界面 (Kalipso) 以可视化展示检测结果。\n\n*   **启动 Web 界面**：\n    ```bash\n    .\u002Fwebinterface.sh\n    ```\n    然后在浏览器访问：`http:\u002F\u002Flocalhost:55000\u002F`\n\n*   **启动 Kalipso (CLI 界面)**：\n    ```bash\n    .\u002Fkalipso.sh\n    ```","某中型电商公司的安全运维团队正面临夜间突发流量异常，急需在海量日志中识别潜在的僵尸网络感染迹象。\n\n### 没有 StratosphereLinuxIPS 时\n- 依赖传统基于特征库的防火墙，无法识别未知的新型恶意通信行为，导致漏报率高。\n- 安全分析师需人工逐条筛查 Zeek 或 Suricata 生成的海量流水日志，耗时数小时且极易疲劳出错。\n- 缺乏行为关联分析能力，单一看似正常的连接请求被忽略，无法拼凑出完整的攻击链条。\n- 威胁情报更新滞后，难以实时匹配全球最新的恶意 IP 域名库，响应速度远落后于攻击者。\n\n### 使用 StratosphereLinuxIPS 后\n- 利用机器学习模型自动分析网络行为模式，精准捕捉传统规则无法发现的隐蔽恶意流量。\n- 系统实时聚合多源证据并自动触发告警，将原本数小时的人工排查工作缩短至分钟级。\n- 通过行为启发式算法关联分散的连接记录，自动还原出主机受控并尝试外联的完整攻击路径。\n- 内置 40+ 个实时更新的威胁情报源，结合专家阈值机制，确保对最新威胁的即时阻断与预警。\n\nStratosphereLinuxIPS 将被动防御转变为主动的行为感知，让中小团队也能拥有基于 AI 的顶级网络入侵防御能力。","https:\u002F\u002Foss.gittoolsai.com\u002Fimages\u002Fstratosphereips_StratosphereLinuxIPS_07c6001c.png","stratosphereips","Stratosphere IPS","https:\u002F\u002Foss.gittoolsai.com\u002Favatars\u002Fstratosphereips_72d9ce2c.png","Cybersecurity Research Laboratory at the Czech Technical University in Prague. 
Creators of Slips, a free software machine learning-based behavioral IDS\u002FIPS.",null,"StratosphereIPS","https:\u002F\u002Fwww.stratosphereips.org","https:\u002F\u002Fgithub.com\u002Fstratosphereips",[81,85,89,92,95,99,103,107,111,115],{"name":82,"color":83,"percentage":84},"Python","#3572A5",88.1,{"name":86,"color":87,"percentage":88},"Jupyter Notebook","#DA5B0B",6.1,{"name":90,"color":91,"percentage":10},"JavaScript","#f1e05a",{"name":93,"color":76,"percentage":94},"Zeek",1.5,{"name":96,"color":97,"percentage":98},"Shell","#89e051",0.6,{"name":100,"color":101,"percentage":102},"HTML","#e34c26",0.4,{"name":104,"color":105,"percentage":106},"Dockerfile","#384d54",0.2,{"name":108,"color":109,"percentage":110},"CSS","#663399",0.1,{"name":112,"color":113,"percentage":114},"YARA","#220000",0,{"name":116,"color":117,"percentage":114},"Makefile","#427819",866,200,"2026-04-13T20:35:40","GPL-2.0","Linux, macOS, Windows (仅支持 Docker)","未说明","最低 4GB，推荐 8GB (Docker 示例配置)",{"notes":126,"python":127,"dependencies":128},"该工具主要基于行为分析和机器学习进行入侵检测。虽然支持 Linux、macOS 和 Windows，但阻断（Blocking）功能仅在 Linux 上受支持。官方强烈推荐使用 Docker 部署；在 macOS 上运行 Docker 时需注意网络配置（不要使用 --net=host 以便从宿主机访问容器端口）。系统依赖 Redis 进行进程间通信，依赖 Zeek 进行实时流量捕获和 PCAP 分析。","3.10.12",[129,130],"Redis >= 7.0.4","Zeek network analysis framework",[15,13,14],[133,134,135,136,137,138,139,140,141,142,143,144,145,146,147],"docker","pcap","machine-learning","ai","ids","zeek","ips","stratosphere-ips","endpoint-protection","intrusion-detection-system","intrusion-prevention-system","network-analysis","network-security","gsoc-2023","gsoc-2024","2026-03-27T02:49:30.150509","2026-04-16T15:58:08.338407",[151,156,161,166,171,176],{"id":152,"question_zh":153,"answer_zh":154,"source_url":155},36063,"Slips 运行一段时间后 Redis 报错\"Connection refused\"导致服务崩溃，如何解决？","这是由于 Redis 内存耗尽或键未设置过期时间导致的。解决方案包括：\n1. 为所有 Redis 键设置 TTL（生存时间），建议设置为 (2 * tw_width)，确保只保留最近 2 个时间窗口的数据。\n2. 在 redis.conf 中设置 maxmemory 限制，普通计算机建议不超过主机内存的 50%。\n3. 
对于可能无限增长的列表或集合，限制存储数量（如仅保留最近 100 条）或使用近似数据结构。\n4. 将部分数据刷新到 SQLite 磁盘数据库中，以便从 Redis 删除后仍可查询。","https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F1782",{"id":157,"question_zh":158,"answer_zh":159,"source_url":160},36064,"使用 ML 训练模块时出现\"Error in process_features()\"错误怎么办？","该问题通常发生在特定环境配置下。维护者确认在 Linux Docker 环境中可正常运行且无此错误。建议尝试以下操作：\n1. 确保在 Linux 环境下使用 Docker 运行 Slips。\n2. 使用命令 `.\u002Fslips.py -f \u003Cpcap 文件> -c config\u002Fslips.conf -e 1` 启动。\n3. 检查是否已正确切换到训练模式（修改 slips.conf）。\n如果问题依旧，请检查 Python 依赖版本是否与 Docker 镜像一致。","https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F819",{"id":162,"question_zh":163,"answer_zh":164,"source_url":165},36065,"如何检测 DNS 响应中被篡改用于隐私保护（如返回 0.0.0.0 或 127.0.0.1）的情况？","这并非威胁情报（TI）模块的功能，而应在 flowalerts 模块中处理。具体实现步骤：\n1. 在 flowalerts 模块中创建一个新函数，类似于 check_suspicious_dns_answers()。\n2. 该函数检查 DNS 响应中的 IP 地址是否为 0.0.0.0 或 127.0.0.1。\n3. 如果匹配，生成一个 INFO 级别的警报（因为这不一定是感染，可能是 Pi-hole 等服务的拦截行为）。","https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F323",{"id":167,"question_zh":168,"answer_zh":169,"source_url":170},36066,"Kalipso 可视化界面在查看某些 IP 地址的时间窗口时崩溃（报错 text.replace is not a function），如何修复？","该错误是由于数据中包含非字符串类型导致 Blessed 库处理失败。维护者已通过代码更新修复了此问题。用户只需拉取最新代码即可解决：\n1. 执行 `git pull` 获取最新修复版本。\n2. 
重新运行 `.\u002Fkalipso.sh`。\n该修复确保了在处理表格数据前对所有字段进行正确的类型转换或清理。","https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F104",{"id":172,"question_zh":173,"answer_zh":174,"source_url":175},36067,"Slips 在长时间浸泡测试（Soak Testing）中出现延迟线性增长甚至达到数十小时的问题，原因是什么？","该问题由数据库更新逻辑中的性能瓶颈引起。经过多次实验，维护者通过优化 `_update_modified_tws_in_the_db()` 函数及相关数据库操作解决了此问题。修复后的测试显示延迟不再随时间线性增长，系统能稳定处理长时间流量。建议更新至包含此修复的最新版本。","https:\u002F\u002Fgithub.com\u002Fstratosphereips\u002FStratosphereLinuxIPS\u002Fissues\u002F1848",{"id":177,"question_zh":178,"answer_zh":179,"source_url":155},36068,"如何在 Docker 中正确配置 Slips 以避免内存溢出和连接错误？","在 Docker 环境中运行 Slips 时，需注意以下配置以防止 Redis 崩溃：\n1. 设置 Redis 的 maxmemory 参数，建议值为宿主机内存的 50%-90%（视具体情况而定）。\n2. 确保所有临时数据键都有合适的 TTL，避免数据无限累积。\n3. 监控容器资源使用情况，必要时调整 Docker 容器的内存限制。\n维护者指出，在正确配置内存限制和 TTL 后，Slips 可稳定运行超过 48 小时。",[181,186,191,196,201,206,211,216,221,226,231,236,241,246,251,256,261,266,271,276],{"id":182,"version":183,"summary_zh":184,"released_at":185},288852,"v1.1.19","* 基于Zeek的SSH、软件及通知日志，新增SSH暴力破解检测模块。\n* 通过并行证据处理、性能分析器和输入优化，提升高吞吐量流量下的性能。\n* 修复Slips关闭时存在的问题。\n* 新增可选的性能图表以及用于衡量延迟、吞吐量和资源使用情况的CSV指标文件。\n* 修复首次流处理被跳过的问题，并减少在小文件和PCAP文件中关闭时的竞态条件。","2026-04-01T12:34:09",{"id":187,"version":188,"summary_zh":189,"released_at":190},288853,"v1.1.18","- 增加基于自适应基线、置信度评分及详细证据理由的HTTPS异常检测模块。\n- 默认启用ADWIN漂移检测用于HTTPS异常检测，并分别设置每小时和流级别的漂移路径。\n- 为HTTPS异常检测日志添加本地HTML报告生成器，支持交互式图表和异常摘要。\n- 提升高吞吐量流量下的性能，降低内存溢出风险。\n- 通过更严格的TTL设置、限制大小的有序集合以及定期清理，优化Redis内存管理。\n- 提升HTTP分析模块的处理速度。","2026-03-03T21:51:55",{"id":192,"version":193,"summary_zh":194,"released_at":195},288854,"v1.1.17","- 扩展了免疫数据集文档，增加了性能评估和瓶颈分析。\n- 改进了水平扫描、垂直扫描及ICMP端口扫描的检测逻辑与速度。\n- 优化了高吞吐量流量的处理能力。\n- 优化了性能分析器架构：引入背压机制、动态工作进程扩展以及真正的多进程处理。\n- 减少了“位于本地网络之外的公共IP”证据的误报。\n- 通过使用对数尺度，减少了重复端口扫描证据的数量。\n- 加快了GitHub CI测试的速度。\n- 提升了Slips的处理速度，并降低了内存占用。\n- 在检测到端口扫描时，抑制针对每个已扫描端口的重复“未知端口”证据。\n- 修复了Web UI中的证据按钮。","2026-01-30T21:29:43",{"id":197,"version":198,"summary_zh":199,"released_at":200},288855,"v1.1.16","- 为 TAXII 
服务器添加告警可视化 Web 界面。\n- 修改 -g 选项的用法：现在使用 -g 时，Slips 需要指定要监控的网络接口名称。\n- 停止支持白名单的动态重新加载功能。\n- 通过使用布隆过滤器加速证据处理和白名单查询。\n- 修复在 IP 地址为组播地址且连接到本地网络之外的 IP 时产生的误报证据。\n- 修复在使用 -m 选项时，P2P 无法连接到 Redis 数据库的问题。\n- 修复 Slips 监控单个接口时报告证据的问题。\n- 在树莓派上以接入点模式运行 Slips 时，处理 Slips 和 iptables 的故障切换。","2025-12-01T15:29:11",{"id":202,"version":203,"summary_zh":204,"released_at":205},288856,"v1.1.15","- 支持在 Slips 以接入点模式运行时监控两个接口。 - 改进了在 Zeek 目录不断增长的情况下运行 Slips 的功能（使用 -g 选项）：Slips 现在能够自动检测已使用的网络接口、主机 IP 地址和网关 IP 地址。","2025-10-31T12:40:56",{"id":207,"version":208,"summary_zh":209,"released_at":210},288857,"v1.1.14","- CVE-2025-49844 安全补丁：强制使用 Redis 8.2.2 版本","2025-10-14T12:29:49",{"id":212,"version":213,"summary_zh":214,"released_at":215},288858,"v1.1.13","- 增加对恶意DNS查询响应的检测功能。\n- 添加对Zeek 8.0.0版本的支持。\n- 加快Slips中的证据处理速度。\n- 更新Python依赖库。","2025-09-01T18:26:20",{"id":217,"version":218,"summary_zh":219,"released_at":220},288859,"v1.1.12","- 改进ARP欺骗过滤器的攻击过滤功能。- 缓存ARP扫描结果，以避免向网络中大量发送ARP报文。- 在使用ARP欺骗工具时，排除对网关的欺骗。- 增加ARP欺骗尝试之间的延迟，以防止网络拥塞。- 本地P2P信任模型的改进。","2025-07-31T21:12:04",{"id":222,"version":223,"summary_zh":224,"released_at":225},288860,"v1.1.11","- 修复本地P2P信任模型。- 修复SQLite游标错误。- 在遭受ARP欺骗攻击时，避免对自身IP及其他Slips节点发出警报。","2025-07-03T12:59:11",{"id":227,"version":228,"summary_zh":229,"released_at":230},288861,"v1.1.10","- 增加在试用期结束后使用 iptables 解除对攻击者的封禁的支持。\n- 增加使用 ARP 欺骗阻断攻击者的能力。\n- 改进网关 IP 和 MAC 地址的检测方式。\n- 支持将 Slips 作为接入点运行，以在无线局域网中阻断攻击者。","2025-05-26T12:08:21",{"id":232,"version":233,"summary_zh":234,"released_at":235},288862,"v1.1.9","- Add bootstrapping node mode for the global P2P. Thanks to @d-strat\r\n- Add support for ARM64 architecture in Docker images.\r\n- Fix issues getting domain registrants.\r\n- Fix the \"Database is locked\" SQLite error.\r\n- Fix the issue of Slips hanging when shutting down.\r\n- Ignore URLs when found in threat intelligence feeds.\r\n- Improve handling of Zeek tab-separated log files. 
Logs from Zeek old versions are now read correctly.\r\n- Optimize IP Info module.\r\n- Print flows processed per minute in the stats printed to the CLI.\r\n- Support reading labeled Zeek logs and using their labels in Slips modules.","2025-04-30T12:00:12",{"id":237,"version":238,"summary_zh":239,"released_at":240},288863,"v1.1.8","- Fix SQLite database errors.\r\n- Fix CPU and RAM profilers.\r\n- Fix the issue with AsyncModules not shutting down gracefully.","2025-03-31T16:55:19",{"id":242,"version":243,"summary_zh":244,"released_at":245},288864,"v1.1.7","- Add global P2P support. Thanks to @d-strat\r\n- Add new \"GRE tunnel scan\" detections.\r\n- Add the option to enable\u002Fdisable local and online whitelists from slips.yaml.\r\n- Fix false positive \"Connection to a private IP outside of local network\" detection. Slips now doesn't alert on DNS servers outside of local network.\r\n- Fix false positive \"Connection to a private IP\" detection when the connection is DHCP.\r\n- Fix false positive \"Device changing IP\" detection alerting about special IPs.\r\n- Fix false positive \"Invalid DNS answer\" detection alerting about .arpa domains.\r\n- Fix false positive \"non-HTTP established connection on port 80\".\r\n- Fix false positive \"non-SSL established connection on port 443\".\r\n- Improve \"Connection to unknown port\" detections. Now the threat level depends on the flow state.\r\n- Improve \"DNS without connection\" evidence. 
Slips now only detects when the query type is A or AAAA.\r\n- Improve the description of malicious flow by MLflowdetection module.\r\n- Improve the detections of the MLflowdetection module.\r\n- Improve the existing \"GRE tunnel\" detections.\r\n- Improve whitelists: Slips is now whitelisting CNAME, SNI, related queries, and DNS resolutions of attackers and victims.","2025-02-28T16:30:36",{"id":247,"version":248,"summary_zh":249,"released_at":250},288865,"v1.1.6","* 3x speedup of the profiler process responsible for analyzing the given flows.\r\n* Fix false positive \"connection without DNS\" detection.\r\n* Fix false positive \"DNS without connection\" detection.\r\n* Fix problem parsing Suricata DNS flows.\r\n* Fix problem using threat intelligence feeds from cache even if they are not present in the given config file.\r\n* Fix regex warning when starting Slips. Special thanks to @Sekhar-Kumar-Dash.\r\n* Fix Tranco whitelists.\r\n* Improve \"Incompatible CN\" detection.\r\n* Improve \"Invalid DNS answer\" detection.\r\n* Improve unit tests. 
Special thanks to @Sekhar-Kumar-Dash.\r\n* Improve whitelisting by checking if the SNI of each evidence is whitelisted or not.\r\n* Update the license used.\r\n","2025-01-31T18:57:20",{"id":252,"version":253,"summary_zh":254,"released_at":255},288866,"v1.1.5","- 200x times speedup of domain lookups in the threat intelligence module.\r\n- Add a threat level and confidence to each alert.\r\n- Add evidence for CN and hostname mismatch in SSL flows.\r\n- Add multiple telnet reconnection attempts detection.\r\n- Add support to IP ranges as the client_ip in slips.yaml\r\n- Alert \"invalid DNS answer\" on all private DNS answers.\r\n- Don't alert \"high entropy TXT answers\" for flows from multicast IPs.\r\n- Fix multiple reconnection attempts detection.\r\n- Fix problem downloading the latest MAC database from macvendors.com\r\n- Improve the detection of the Gateway IP and MAC when running on files and PCAPs.\r\n- Improve unit tests. Special thanks to @Sekhar-Kumar-Dash.\r\n- Split the \"connection to\u002Ffrom blacklisted IPs\" detection into two different evidence with different threat levels.\r\n- Update Slips internal list of Apple known ports.","2025-01-03T11:40:01",{"id":257,"version":258,"summary_zh":259,"released_at":260},288867,"1.1.4","- Fix changing the used database in the web interface.\r\n- Reduce false positive evidence about malicious downloaded files.\r\n- Fix datetime errors when running on an interface.\r\n- Improve the detection of \"DNS without connection\".\r\n- Add support for a light Slips docker image.","2024-11-29T14:01:38",{"id":262,"version":263,"summary_zh":264,"released_at":265},288868,"v1.1.3","- Enhance Slips shutdown process for smoother operations.\r\n- Optimize resource management in Slips, resolving issues with lingering threads in memory.\r\n- Remove the progress bar; Slips now provides regular statistical updates.\r\n- Improve unit testing—special thanks to @Sekhar-Kumar-Dash.\r\n- Drop support for macOS, P2P, and platform-specific 
Docker images. A unified Docker image is now available for all platforms.\r\n- Correct the number of evidence reported in statistics.\r\n- Fix incorrect end date reported in metadata\u002Finfo.txt upon analysis completion.\r\n- Print more information to CLI on Slips startup, including network details, client IP, thresholds used, and more.\r\n- Reduce false positives from Spamhaus by looking up inbound traffic only.\r\n- Speed up horizontal port scan detections.\r\n- Enhance logging of IDMEF errors.\r\n- Resolve issues with the accumulated threat level reported in alerts.json.","2024-10-31T13:29:43",{"id":267,"version":268,"summary_zh":269,"released_at":270},288869,"v1.1.2","- Add a relation between related evidence in alerts.json\r\n- Better unit tests. Thanks to @Sekhar-Kumar-Dash\r\n- Discontinued MacOS m1 docker images, P2p images, and slips dependencies image.\r\n- Fix the problem of the progress bar stopping before analysis is done, causing Slips to freeze when analyzing large PCAPs.\r\n- Improve how Slips recognizes the current host IP.\r\n- Increase the speed of the Flowalerts module by changing how Slips checks for DNS servers.\r\n- Major code improvements.\r\n- Remove redundant keys from the Redis database.\r\n- Remove unused keys from the Redis database.\r\n- Use IDMEFv2 format in alerts.json instead of IDEA0.\r\n- Wait for modules to finish 1 week by default.","2024-09-30T15:17:45",{"id":272,"version":273,"summary_zh":274,"released_at":275},288870,"v1.1.1","- Better unit tests. 
Thanks to @Sekhar-Kumar-Dash.\r\n- Fix Slips installation script at install\u002Finstall.sh\r\n- Fix the issue of the flowalerts module not analyzing all given conn.log flows.\r\n- Fix the Zeek warning caused by one of the loaded Zeek scripts.\r\n- Improve how Slips validates domains taken from TI feeds.\r\n- Improve whitelists.\r\n- Update Python dependencies.\r\n- Better handling of connections to the Redis database.","2024-09-04T12:58:29",{"id":277,"version":278,"summary_zh":279,"released_at":280},288871,"v1.1","- Update Python version to 3.10.12 and all the Python libraries used by Slips.\r\n- Update nodejs and Zeek.\r\n- Improve the stopping of Slips. Modules now have more time to process flows.\r\n- Fix database unit tests overwriting redis configuration file.\r\n- New configuration file format, Slips is now using YAML thanks to @patel-lay.\r\n- Better unit tests. thanks to @Sekhar-Kumar-Dash.\r\n- GitHub workflow improvements.\r\n- Fix the RNN module and add a new model.\r\n- Horizontal port scan detection improvements.","2024-07-31T20:54:49"]