def __init__(self, outputqueue, config):
multiprocessing.Process.__init__(self)
# All the printing output should be sent to the outputqueue. The outputqueue is connected to another process called OutputProcess
self.outputqueue = outputqueue
# In case you need to read the slips.conf configuration file for your own configurations
self.config = config
# Start the DB
__database__.start(self.config)
self.separator = __database__.getFieldSeparator()
# Subscribe to 'new_flow' channel
self.c1 = __database__.subscribe('new_flow')
# To store the timelines of each profileid_twid
self.profiles_tw = {}
# Load the list of common known ports
self.load_ports()
# Store malicious IPs. We do not make alert everytime we receive flow with thi IP but only once.
self.alerted_malicous_ips_dict = {}
# Read information how we should print timestamp.
self.is_human_timestamp = bool(self.read_configuration('modules', 'timeline_human_timestamp'))
self.analysis_direction = self.config.get('parameters', 'analysis_direction')
# Wait a little so we give time to have something to print
# Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux
if platform.system() == 'Darwin':
# macos
self.timeout = None
elif platform.system() == 'Linux':
# linux
self.timeout = None
else:
#??
self.timeout = None
def __init__(self, outputqueue, config):
multiprocessing.Process.__init__(self)
self.outputqueue = outputqueue
# This dictionary will hold each malicious ip to store in the db
self.malicious_ips_dict = {}
# In case you need to read the slips.conf configuration file for your own configurations
self.config = config
self.separator = __database__.getFieldSeparator()
# This default path is only used in case there is no path in the configuration file
self.path_to_malicious_ip_folder = 'modules/ThreatIntelligence1/malicious_ips_files/'
# Subscribe to the new_ip channel
__database__.start(self.config)
self.c1 = __database__.subscribe('new_ip')
# Create the update manager. This manager takes care of the re-downloading of the list of IoC when needed.
self.update_manager = UpdateIPManager(self.outputqueue)
# Update the remote file containing malicious IPs.
self.__update_remote_malicious_file()
# Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux
if platform.system() == 'Darwin':
# macos
self.timeout = None
elif platform.system() == 'Linux':
self.timeout = -1
else:
#??
self.timeout = None
def __init__(self, outputqueue, config):
multiprocessing.Process.__init__(self)
# All the printing output should be sent to the outputqueue. The outputqueue is connected to another process called OutputProcess
self.outputqueue = outputqueue
# In case you need to read the slips.conf configuration file for your own configurations
self.config = config
# Start the DB
__database__.start(self.config)
# Subscribe to the channel
self.c1 = __database__.subscribe('new_flow')
self.fieldseparator = __database__.getFieldSeparator()
# Set the output queue of our database instance
__database__.setOutputQueue(self.outputqueue)
# Read the configuration
self.read_configuration()
# To know when to retrain. We store the number of labels when we last retrain
self.retrain = 0
if platform.system() == 'Darwin':
# macos
self.timeout = None
elif platform.system() == 'Linux':
# linux
self.timeout = None
else:
# ??
self.timeout = None
def __init__(self, outputqueue, config):
multiprocessing.Process.__init__(self)
self.outputqueue = outputqueue
self.config = config
# Start the DB
__database__.start(self.config)
# Set the output queue of our database instance
__database__.setOutputQueue(self.outputqueue)
# Get from the database the separator used to separate the IP and the word profile
self.fieldseparator = __database__.getFieldSeparator()
# To which channels do you wnat to subscribe? When a message arrives on the channel the module will wakeup
self.c1 = __database__.subscribe('tw_modified')
# We need to know that after a detection, if we receive another flow that does not modify the count for the detection, we are not
# re-detecting again only becase the threshold was overcomed last time.
self.cache_det_thresholds = {}
# Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux
if platform.system() == 'Darwin':
# macos
self.timeout = None
elif platform.system() == 'Linux':
self.timeout = None
else:
#??
self.timeout = None
self.separator = '_'
def __init__(self, outputqueue, config):
self.outputqueue = outputqueue
self.config = config
# For now, read the malicious IPs from here
self.name = 'UpdateManager'
self.new_update_time = float('-inf')
# Start the database
__database__.start(self.config)
# Get a separator from the database
self.separator = __database__.getFieldSeparator()
# Read the conf
self.read_configuration()
def __init__(self, outputqueue, config):
multiprocessing.Process.__init__(self)
self.outputqueue = outputqueue
# In case you need to read the slips.conf configuration file for your own configurations
self.config = config
# Subscribe to the channel
__database__.start(self.config)
# Get a separator from the database
self.separator = __database__.getFieldSeparator()
self.c1 = __database__.subscribe('give_threat_intelligence')
# Set the timeout based on the platform. This is because the pyredis lib does not have officially recognized the timeout=None as it works in only macos and timeout=-1 as it only works in linux
if platform.system() == 'Darwin':
# macos
self.timeout = None
elif platform.system() == 'Linux':
self.timeout = None
else:
self.timeout = None
self.__read_configuration()
def __init__(self, inputqueue, outputqueue, verbose, debug, config):
self.name = 'Logs'
multiprocessing.Process.__init__(self)
self.verbose = verbose
self.debug = debug
self.config = config
# Start the DB
__database__.start(self.config)
self.separator = '_'
# From the config, read the timeout to read logs. Now defaults to 5 seconds
self.inputqueue = inputqueue
self.outputqueue = outputqueue
# Read the configuration
self.read_configuration()
self.fieldseparator = __database__.getFieldSeparator()
# For some weird reason the database loses its outputqueue and we have to re set it here.......
__database__.setOutputQueue(self.outputqueue)
self.timeline_first_index = {}
self.is_timline_file = False
# Store the host IP address if input type is interface
if input_type == 'interface':
hostIP = recognize_host_ip()
__database__.set_host_ip(hostIP)
# As the main program, keep checking if we should stop slips or not
# This is not easy since we need to be sure all the modules are stopped
# Each interval of checking is every 5 seconds
check_time_sleep = 5
# In each interval we check if there has been any modifications to the database by any module.
# If not, wait this amount of intervals and then stop slips.
# We choose 6 to wait 30 seconds.
limit_minimum_intervals_to_wait = 4
minimum_intervals_to_wait = limit_minimum_intervals_to_wait
fieldseparator = __database__.getFieldSeparator()
slips_internal_time = 0
try:
while True:
# Sleep some time to do rutine checks
time.sleep(check_time_sleep)
slips_internal_time = __database__.getSlipsInternalTime()
# Get the amount of modified time windows since we last checked
TWModifiedforProfile = __database__.getModifiedTWSinceTime(
float(slips_internal_time) + 1)
# TWModifiedforProfile = __database__.getModifiedTW()
amount_of_modified = len(TWModifiedforProfile)
# Get th time of last modified timewindow and set it as a new
if amount_of_modified != 0:
time_last_modified_tw = TWModifiedforProfile[-1][-1]
__database__.setSlipsInternalTime(time_last_modified_tw)
