CTY-git · patched-codes · Mar 15, 2024 · Mar 15, 2024 · Mar 15, 2024 · Mar 15, 2024
diff --git a/docker/docker-compose.yml b/docker/docker-compose.yml
@@ -6,8 +6,13 @@ services:
                 cap_add:
                   - NET_ADMIN
                 volumes:
-                  - $PWD/config:/StratosphereLinuxIPS/config/
-                  - $PWD/dataset:/StratosphereLinuxIPS/dataset/
+                  - type: bind
+                    source: ./config
+                    target: /StratosphereLinuxIPS/config/
+                    read_only: true
+                  - type: bind
+                    source: ./dataset
+                    target: /StratosphereLinuxIPS/dataset/
+                    read_only: true
                 network_mode: "host"
                 entrypoint: ["/bin/bash"]
-
diff --git a/docker/macosm1-P2P-image/Dockerfile b/docker/macosm1-P2P-image/Dockerfile
@@ -72,5 +72,9 @@ RUN npm install
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
 
-#CMD redis-server --daemonize yes && /bin/bash
-CMD /bin/bash
+# Create a non-root user to run the service
+RUN useradd -m -s /bin/bash slipsuser
+RUN chown -R slipsuser:slipsuser ${SLIPS_DIR}
+USER slipsuser
+
+CMD redis-server --daemonize yes && /bin/bash
diff --git a/docker/macosm1-image/Dockerfile b/docker/macosm1-image/Dockerfile
@@ -68,5 +68,5 @@ RUN npm install
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
 
-#CMD redis-server --daemonize yes && /bin/bash
-CMD /bin/bash
+# Start redis-server as a service and run bash in a non-privileged mode
+CMD service redis-server start && exec su -s /bin/bash -c "/bin/bash" nobody
diff --git a/docker/ubuntu-image/Dockerfile b/docker/ubuntu-image/Dockerfile
@@ -6,7 +6,7 @@ ENV DEBIAN_FRONTEND=noninteractive
 # Blocking module requirement to avoid using sudo
 ENV IS_IN_A_DOCKER_CONTAINER True
 
-# destionation dir for slips inside the container
+# destination dir for slips inside the container
 ENV SLIPS_DIR /StratosphereLinuxIPS
 
 # Install wget and add Zeek repository to our sources.
@@ -62,4 +62,14 @@ RUN npm install
 # Switch to Slips installation dir when login.
 WORKDIR ${SLIPS_DIR}
 
-CMD redis-server --daemonize yes && /bin/bash
+# Create a dedicated user to run the service
+RUN useradd -m -d /home/slipsuser slipsuser
+
+# Change ownership of the SLIPS_DIR to the slipsuser
+RUN chown -R slipsuser:slipsuser ${SLIPS_DIR}
+
+# Change to non-root user
+USER slipsuser
+
+# Start the redis-server without daemonizing
+CMD ["redis-server", "--protected-mode", "no"]
diff --git a/modules/CESNET/warden_client.py b/modules/CESNET/warden_client.py
@@ -279,13 +279,23 @@ def log_err(self, err, prio=logging.ERROR):
         return err
 
     def connect(self):
+        import ssl
 
         try:
             if self.url.scheme == 'https':
+                context = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
+                context.check_hostname = True
+                context.verify_mode = ssl.CERT_REQUIRED
+                if self.cafile:
+                    context.load_verify_locations(self.cafile)
+                if self.keyfile and self.certfile:
+                    context.load_cert_chain(certfile=self.certfile, keyfile=self.keyfile)
+                if self.ciphers:
+                    context.set_ciphers(self.ciphers)
+
                 conn = http.client.HTTPSConnection(
                     self.url.netloc,
-                    key_file=self.keyfile,
-                    cert_file=self.certfile,
+                    context=context,
                     timeout=self.timeout,
                 )
             elif self.url.scheme == 'http':
@@ -312,6 +322,7 @@ def connect(self):
 
         return conn
 
+
     def sendRequest(self, func='', payload=None, **kwargs):
 
         if self.secret is None:

diff --git a/modules/RiskIQ/RiskIQ.py b/modules/RiskIQ/RiskIQ.py
@@ -50,7 +50,7 @@ def get_passive_dns(self, ip) -> list:
                 'https://api.riskiq.net/pt/v2/dns/passive',
                 params=params,
                 timeout=5,
-                verify=False,
+                verify=True,  # Changed from False to True to enable certificate validation
                 auth=HTTPBasicAuth(self.riskiq_email, self.riskiq_key)
             )
         except (requests.exceptions.ConnectionError,

diff --git a/modules/http_analyzer/http_analyzer.py b/modules/http_analyzer/http_analyzer.py
@@ -1,4 +1,5 @@
 from slips_files.common.imports import *
+import urllib.parse
 import json
 import urllib
 import requests
@@ -249,25 +250,24 @@ def check_incompatible_user_agent(
                     )
 
                     return True
-
+    
     def get_ua_info_online(self, user_agent):
         """
-        Get OS and browser info about a use agent from an online database http://useragentstring.com
+        Get OS and browser info about a use agent from an online database https://useragentstring.com
         """
-        url = 'http://useragentstring.com/'
+        url = 'https://useragentstring.com/'
         params = {
             'uas': user_agent,
             'getJSON':'all'
         }
         params = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
         try:
-
-            response = requests.get(url, params=params, timeout=5)
+            response = requests.get(url, params=params, timeout=5, verify=True)
             if response.status_code != 200 or not response.text:
                 raise requests.exceptions.ConnectionError
         except requests.exceptions.ConnectionError:
             return False
-
+    
         # returns the following
         # {"agent_type":"Browser","agent_name":"Internet Explorer","agent_version":"8.0",
         # "os_type":"Windows","os_name":"Windows 7","os_versionName":"","os_versionNumber":"",

diff --git a/modules/ip_info/asn_info.py b/modules/ip_info/asn_info.py
@@ -132,7 +132,7 @@ def get_asn_online(self, ip):
         if utils.is_ignored_ip(ip):
             return asn
 
-        url = 'http://ip-api.com/json/'
+        url = 'https://ip-api.com/json/'  # Changed to HTTPS
         try:
             response = requests.get(f'{url}/{ip}', timeout=5)
             if response.status_code != 200:
@@ -166,6 +166,7 @@ def get_asn_online(self, ip):
 
         return asn
 
+
     def update_ip_info(self, ip, cached_ip_info, asn):
         """
         if an asn is found using this module, we update the IP's

diff --git a/slips_files/common/slips_utils.py b/slips_files/common/slips_utils.py
@@ -256,7 +256,6 @@ def define_time_format(self, time: str) -> str:
 
     def to_delta(self, time_in_seconds):
         return timedelta(seconds=int(time_in_seconds))
-
     def get_own_IPs(self) -> list:
         """
         Returns a list of our local and public IPs
@@ -279,7 +278,7 @@ def get_own_IPs(self) -> list:
 
         try:
             response = requests.get(
-                'http://ipinfo.io/json',
+                'https://ipinfo.io/json',
                 timeout=5,
             )
         except (
@@ -301,6 +300,7 @@ def get_own_IPs(self) -> list:
         IPs.append(public_ip)
         return IPs
 
+
     def convert_to_mb(self, bytes):
         return int(bytes)/(10**6)
 

diff --git a/slips_files/core/database/sqlite_db/database.py b/slips_files/core/database/sqlite_db/database.py
@@ -168,10 +168,9 @@ def export_labeled_flows(self, output_dir, format):
                         }
                     json.dump(json_labeled_flow, json_file)
                     json_file.write('\n')
-
     def get_columns(self, table) -> list:
         """returns a list with column names in the given table"""
-        self.execute(f"PRAGMA table_info({table})")
+        self.execute("PRAGMA table_info(?)", (table,))
         columns = self.fetchall()
         return [column[1] for column in columns]