diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
index 83ca3baa5..86c2c4c57 100644
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@@ -6,8 +6,13 @@ services:
     cap_add:
       - NET_ADMIN
     volumes:
-      - $PWD/config:/StratosphereLinuxIPS/config/
-      - $PWD/dataset:/StratosphereLinuxIPS/dataset/
+      - type: bind
+        source: ./config
+        target: /StratosphereLinuxIPS/config/
+        read_only: true
+      - type: bind
+        source: ./dataset
+        target: /StratosphereLinuxIPS/dataset/
+        read_only: true
     network_mode: "host"
     entrypoint: ["/bin/bash"]
-
\ No newline at end of file
diff --git a/docker/macosm1-P2P-image/Dockerfile b/docker/macosm1-P2P-image/Dockerfile
index 9cdef9d7e..840b8b6d8 100644
--- a/docker/macosm1-P2P-image/Dockerfile
+++ b/docker/macosm1-P2P-image/Dockerfile
@@ -72,5 +72,9 @@ RUN npm install
 
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
-#CMD redis-server --daemonize yes && /bin/bash
-CMD /bin/bash
+# Create a non-root user to run the service
+RUN useradd -m -s /bin/bash slipsuser
+RUN chown -R slipsuser:slipsuser ${SLIPS_DIR}
+USER slipsuser
+
+CMD redis-server --daemonize yes && /bin/bash
diff --git a/docker/macosm1-image/Dockerfile b/docker/macosm1-image/Dockerfile
index 118e70919..ab72410cd 100644
--- a/docker/macosm1-image/Dockerfile
+++ b/docker/macosm1-image/Dockerfile
@@ -68,5 +68,5 @@ RUN npm install
 
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
-#CMD redis-server --daemonize yes && /bin/bash
-CMD /bin/bash
+# Start redis-server as a service and run bash in a non-privileged mode
+CMD service redis-server start && exec su -s /bin/bash -c "/bin/bash" nobody
diff --git a/docker/ubuntu-image/Dockerfile b/docker/ubuntu-image/Dockerfile
index c06ea5ed2..a37fbc295 100644
--- a/docker/ubuntu-image/Dockerfile
+++ b/docker/ubuntu-image/Dockerfile
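Review bot: The new bind mounts change where the host paths resolve: `./config` and `./dataset` are relative to the directory holding the compose file, whereas the old `$PWD/...` followed the caller's working directory, so any instructions that tell users to run compose from another directory need updating. `read_only: true` on the dataset mount is the right default for input data, but if any Slips module writes next to its input (generated Zeek logs, for example) those writes will now fail — worth confirming before merging. A short comment above the two entries, such as `# read-only: Slips only reads config/ and dataset/`, would record the intent for the next person who hits a permission error.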
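Review bot: Switching to `USER slipsuser` here (and in the ubuntu-image Dockerfile hunk of this commit) most likely breaks the blocking module: the ubuntu Dockerfile's `ENV IS_IN_A_DOCKER_CONTAINER True` exists so that module can call iptables without sudo, and the compose file grants `NET_ADMIN` through `cap_add`, but a capability added to the container lands only in the bounding set and is not effective for a non-root process, so those iptables calls would now be refused. Either document the non-root image as "blocking disabled" or use an entrypoint that performs the privileged firewall setup and then drops to `slipsuser`. The three images also now implement "non-root" three different ways — `slipsuser` with a daemonized redis here, `su ... nobody` in macosm1-image, exec-form redis only in ubuntu-image — and should converge on one pattern. `RUN chown -R slipsuser:slipsuser ${SLIPS_DIR}` as a separate layer duplicates everything under `${SLIPS_DIR}` in the image; `COPY --chown=slipsuser:slipsuser` at the copy step avoids that.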
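Review bot: `exec su -s /bin/bash -c "/bin/bash" nobody` drops into the shared `nobody` account, which owns nothing under `${SLIPS_DIR}` and has no home directory, so Slips will presumably be unable to write its output there; a dedicated user plus `chown`, as the sibling Dockerfiles in this commit do, is the safer choice. `service redis-server start` also assumes an init script is present in this image, which nothing in the hunk shows, while the P2P image starts `redis-server` directly. Redis is still started as root before the privilege drop, so the added comment overstates what the line does; `# redis runs as root; only the interactive shell is unprivileged` would be accurate.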
@@ -6,7 +6,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 # Blocking module requirement to avoid using sudo
 ENV IS_IN_A_DOCKER_CONTAINER True
 
-# destionation dir for slips inside the container
+# destination dir for slips inside the container
 ENV SLIPS_DIR /StratosphereLinuxIPS
 
 # Install wget and add Zeek repository to our sources.
@@ -62,4 +62,14 @@ RUN npm install
 
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
-CMD redis-server --daemonize yes && /bin/bash
+# Create a dedicated user to run the service
+RUN useradd -m -d /home/slipsuser slipsuser
+
+# Change ownership of the SLIPS_DIR to the slipsuser
+RUN chown -R slipsuser:slipsuser ${SLIPS_DIR}
+
+# Change to non-root user
+USER slipsuser
+
+# Start the redis-server without daemonizing
+CMD ["redis-server", "--protected-mode", "no"]
diff --git a/modules/CESNET/warden_client.py b/modules/CESNET/warden_client.py
index 472cc9428..147120eae 100644
--- a/modules/CESNET/warden_client.py
+++ b/modules/CESNET/warden_client.py
@@ -279,13 +279,23 @@ def log_err(self, err, prio=logging.ERROR):
         return err
 
     def connect(self):
+        import ssl
         try:
             if self.url.scheme == 'https':
+                context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+                context.check_hostname = True
+                context.verify_mode = ssl.CERT_REQUIRED
+                if self.cafile:
+                    context.load_verify_locations(self.cafile)
+                if self.keyfile and self.certfile:
+                    context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
+                if self.ciphers:
+                    context.set_ciphers(self.ciphers)
+
                 conn = http.client.HTTPSConnection(
                     self.url.netloc,
-                    key_file=self.keyfile,
-                    cert_file=self.certfile,
+                    context=context,
                     timeout=self.timeout,
                 )
             elif self.url.scheme == 'http':
@@ -312,6 +322,7 @@ def connect(self):
         return conn
 
+
     def sendRequest(self, func='', payload=None, **kwargs):
 
         if self.secret is None:
diff --git a/modules/RiskIQ/RiskIQ.py b/modules/RiskIQ/RiskIQ.py
index dc77e4c3a..986f078c0 100644
--- a/modules/RiskIQ/RiskIQ.py
+++ b/modules/RiskIQ/RiskIQ.py
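Review bot: `CMD ["redis-server", "--protected-mode", "no"]` switches off the safeguard that stops an unauthenticated Redis from accepting connections from non-loopback addresses, and the compose file in this same commit runs the container with `network_mode: "host"`, so if that compose file targets this image the instance becomes reachable on every host interface. Bind explicitly and leave protected mode at its default instead: `CMD ["redis-server", "--bind", "127.0.0.1"]`. The compose file also sets `entrypoint: ["/bin/bash"]`; combined with this CMD the container command becomes `/bin/bash redis-server --protected-mode no`, i.e. bash looking for a script named `redis-server`, so the two files need to agree on who starts Redis. Minor: `useradd -m -d /home/slipsuser slipsuser` differs from the P2P image's `useradd -m -s /bin/bash slipsuser` with no stated reason.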
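Review bot: The new `if self.keyfile and self.certfile:` guard silently drops client authentication when only `certfile` is configured — a single PEM carrying both certificate and key is common, and the removed `key_file=self.keyfile` path passed `None` through without complaint — so use `if self.certfile: context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile or None)` to keep that configuration working. `check_hostname = True` and `verify_mode = ssl.CERT_REQUIRED` are already what `create_default_context` returns, so those two lines are harmless but redundant, and `import ssl` belongs with the module-level imports rather than inside the method. `connect` continues past the hunk (the `http` branch and `return conn`), so the failure path for a rejected certificate is not visible here; a one-line comment such as `# certificate/hostname validation failures surface as ssl.SSLError at request time` would tell callers what changed for them.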
@@ -50,7 +50,7 @@ def get_passive_dns(self, ip) -> list:
                 'https://api.riskiq.net/pt/v2/dns/passive',
                 params=params,
                 timeout=5,
-                verify=False,
+                verify=True, # Changed from False to True to enable certificate validation
                 auth=HTTPBasicAuth(self.riskiq_email, self.riskiq_key)
             )
         except (requests.exceptions.ConnectionError,
diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
index 1e34d32c0..020f7b827 100644
--- a/modules/http_analyzer/http_analyzer.py
+++ b/modules/http_analyzer/http_analyzer.py
@@ -1,4 +1,5 @@
 from slips_files.common.imports import *
+import urllib.parse
 import json
 import urllib
 import requests
@@ -249,25 +250,24 @@ def check_incompatible_user_agent(
             )
             return True
-
+
     def get_ua_info_online(self, user_agent):
         """
-        Get OS and browser info about a use agent from an online database http://useragentstring.com
+        Get OS and browser info about a use agent from an online database https://useragentstring.com
         """
-        url = 'http://useragentstring.com/'
+        url = 'https://useragentstring.com/'
         params = {
             'uas': user_agent,
             'getJSON':'all'
         }
         params = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
         try:
-
-            response = requests.get(url, params=params, timeout=5)
+            response = requests.get(url, params=params, timeout=5, verify=True)
             if response.status_code != 200 or not response.text:
                 raise requests.exceptions.ConnectionError
         except requests.exceptions.ConnectionError:
             return False
-
+
         # returns the following
         # {"agent_type":"Browser","agent_name":"Internet Explorer","agent_version":"8.0",
         # "os_type":"Windows","os_name":"Windows 7","os_versionName":"","os_versionNumber":"",
diff --git a/modules/ip_info/asn_info.py b/modules/ip_info/asn_info.py
index 3369d1593..649af3ab7 100644
--- a/modules/ip_info/asn_info.py
+++ b/modules/ip_info/asn_info.py
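Review bot: `verify=True` is the `requests` default, so the kwarg and the history-style comment `# Changed from False to True to enable certificate validation` can simply be deleted and the default left in force; comments should explain intent, not replay the diff. If the argument is kept for emphasis, make the comment say why: `verify=True,  # TLS validation must stay on: this answer feeds detections`. Certificate failures raise `requests.exceptions.SSLError`, which subclasses `ConnectionError`, so the existing handler on the following line should already cover them.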
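Review bot: With `import urllib.parse` in place, the `import urllib` two lines below is redundant (importing the submodule binds `urllib` too) and can go; the new line also sits between the star import and the rest of the stdlib group, where `import json`, `import urllib.parse`, `import requests` would read better. The change itself is correct: the module calls `urllib.parse.urlencode` and `urllib.parse.quote`, and `import urllib` alone does not guarantee the `parse` submodule is loaded — it presumably worked only because another import happened to pull it in.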
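Review bot: The rewritten docstring line still carries the typo `a use agent`; since the line is being touched anyway, make it `Get OS and browser info about a user agent from an online database https://useragentstring.com`. `verify=True` on the `requests.get` call restates the library default and adds nothing — drop it, or replace it with a comment saying why the lookup must go over HTTPS (the result is used to fingerprint the client). `get_ua_info_online` continues past the hunk, so the handling of `response` after the `except` block is not reviewed here.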
@@ -132,7 +132,7 @@ def get_asn_online(self, ip):
         if utils.is_ignored_ip(ip):
             return asn
 
-        url = 'http://ip-api.com/json/'
+        url = 'https://ip-api.com/json/' # Changed to HTTPS
         try:
             response = requests.get(f'{url}/{ip}', timeout=5)
             if response.status_code != 200:
@@ -166,6 +166,7 @@ def get_asn_online(self, ip):
         return asn
 
+
     def update_ip_info(self, ip, cached_ip_info, asn):
         """
         if an asn is found using this module, we update the IP's
diff --git a/slips_files/common/slips_utils.py b/slips_files/common/slips_utils.py
index e83a2c9fa..b4d07f410 100644
--- a/slips_files/common/slips_utils.py
+++ b/slips_files/common/slips_utils.py
@@ -256,7 +256,6 @@ def define_time_format(self, time: str) -> str:
     def to_delta(self, time_in_seconds):
         return timedelta(seconds=int(time_in_seconds))
 
-
     def get_own_IPs(self) -> list:
         """
         Returns a list of our local and public IPs
@@ -279,7 +278,7 @@ def get_own_IPs(self) -> list:
 
         try:
             response = requests.get(
-                'http://ipinfo.io/json',
+                'https://ipinfo.io/json',
                 timeout=5,
             )
         except (
@@ -301,6 +300,7 @@ def get_own_IPs(self) -> list:
             IPs.append(public_ip)
         return IPs
 
+
     def convert_to_mb(self, bytes):
         return int(bytes)/(10**6)
diff --git a/slips_files/core/database/sqlite_db/database.py b/slips_files/core/database/sqlite_db/database.py
index 8ac340f3f..f0bc32554 100644
--- a/slips_files/core/database/sqlite_db/database.py
+++ b/slips_files/core/database/sqlite_db/database.py
@@ -168,10 +168,9 @@ def export_labeled_flows(self, output_dir, format):
                 }
                 json.dump(json_labeled_flow, json_file)
                 json_file.write('\n')
 
-
     def get_columns(self, table) -> list:
         """returns a list with column names in the given table"""
-        self.execute(f"PRAGMA table_info({table})")
+        self.execute("PRAGMA table_info(?)", (table,))
         columns = self.fetchall()
         return [column[1] for column in columns]
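Review bot: `# Changed to HTTPS` records history rather than intent; either drop it or state why it matters, e.g. `# HTTPS: the ASN answer feeds detections and must not be alterable in transit`. Also confirm the free tier of this service actually answers over HTTPS — as far as I recall ip-api.com has restricted TLS to paid plans, in which case every lookup would now take the `status_code != 200` branch and silently return the empty `asn`. Unrelated to the change but on the same line, `url` ends in `/` and the request is built as `f'{url}/{ip}'`, giving a double slash; `f'{url}{ip}'` would be cleaner.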
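Review bot: SQLite does not accept bound parameters inside `PRAGMA` statements, so `self.execute("PRAGMA table_info(?)", (table,))` will fail with a syntax error at runtime and `get_columns` stops working entirely. The injection concern behind the change is valid, but the fix has to be an identifier check rather than a parameter: validate `table` against `^[A-Za-z_][A-Za-z0-9_]*$` (or an allowlist of the tables this class creates), then interpolate it quoted, `self.execute(f'PRAGMA table_info("{table}")')`; alternatively the table-valued form `SELECT name FROM pragma_table_info(?)` does take a parameter on SQLite 3.16 and later. Either way this deserves a unit test, since both the f-string version and the broken parameterised version pass a review by eye.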