update changelog and docs

AlyaGomaa · AlyaGomaa · commit 9bafcab2898d · 2025-01-03T12:57:22.000+02:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,4 +1,18 @@
-- Add multiple telnet reconnection attempts detection
+
+1.1.5 (Jan 3rd, 2025)
+- 200x times speedup of domain lookups in the threat intelligence module.
+- Add a threat level and confidence to each alert.
+- Add evidence for CN and hostname mismatch in SSL flows.
+- Add multiple telnet reconnection attempts detection.
+- Add support to IP ranges as the client_ip in slips.yaml
+- Alert "invalid DNS answer" on all private DNS answers.
+- Don't alert "high entropy TXT answers" for flows from multicast IPs.
+- Fix multiple reconnection attempts detection.
+- Fix problem downloading the latest MAC database from macvendors.com
+- Improve the detection of the Gateway IP and MAC when running on files and PCAPs.
+- Improve unit tests. Special thanks to @Sekhar-Kumar-Dash.
+- Split the "connection to/from blacklisted IPs" detection into two different evidence with different threat levels.
+- Update Slips internal list of Apple known ports.
 
 1.1.4.1 (Dec 3rd, 2024)
 - Fix abstract class starting with the rest of the modules.
diff --git a/docs/architecture.md b/docs/architecture.md
@@ -87,7 +87,9 @@ This is what slips stores for each IP/Profile it creates:
 
 ### Alerts vs Evidence
 
-When running Slips, the alerts you see in red in the CLI or at the very bottom in kalispo, are a bunch of evidence. Evidence in slips are detections caused by a specific IP in a specific timeframe. Slips doesn't alert on every evidence/detection. it accumulates evidence and only generates and alert when the amount of gathered evidence crosses a threshold. After this threshold Slips generates an alert, marks the timewindow as malicious(displays it in red in kalipso) and blocks the IP causing the alert.
+When running Slips, the alerts you see in red in the CLI or at the very bottom in kalispo, are a bunch of evidence. Evidence in slips are detections caused by a specific IP in a specific timeframe. Slips doesn't alert on every evidence/detection. it accumulates evidence and only generates and alert when the amount of gathered evidence crosses a threshold. After this threshold Slips generates an alert, marks the timewindow as malicious(displays it in red in kalipso and the web interface) and blocks the IP causing the alert if iptables is enabled.
+
+Each alert has a threat level and confidence; the Threat level of each alert is Critical by default, and the confidence is the accumulated threat level of all the evidence of the alert normalized to a value ranging from 0 to 1. The more evidence the higher the confidence of the alert.
 
 ### Usage of Zeek.
 
