stratosphereips / StratosphereLinuxIPS

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

Why is circl.lu score 0.5 converted to info threat level in slips #1041

Closed AlyaGomaa closed 4 weeks ago

AlyaGomaa commented 1 month ago

Sometimes it's converted to "high"; from CTU-Malware-Capture-Botnet-219-2/Day1:

{"Version": "2.0.3", "Analyzer": {"IP": "0.0.0.0", "Name": "Slips", "Model": "1.1.2", "Category": ["NIDS"], "Data": ["Flow", "Network"], "Method": ["Heuristic"]}, "Status": "Event", "ID": "29eb469f-49da-47ef-a2d4-256b821be75c", "Severity": "High", "StartTime": "1970-01-01T00:35:52.996177+00:00", "CreateTime": "2024-10-08T17:21:37.801464+00:00", "Confidence": 0.5, "Description": "Malicious downloaded file 9377838b0621b6eb6018b244586af2f9. size: 166 from IP: 192.168.1.113. Detected by: VirusShare, circl.lu. Score: 0.5. threat level: high.", "Source": [{"IP": "73.217.118.205", "Note": "{\"AS\": {\"org\": \"COMCAST-7922, US\", \"number\": \"AS7922\"}, \"rDNS\": \"c-73-217-118-205.hsd1.co.comcast.net\"}", "TI": ["PBL ISP Maintained, spamhaus"]}], "RelID": ["ec7dd838-6836-49f2-86d7-00078b88a5e8"], "Note": "{\"uids\": [\"C8Lb8sI1CNBPmxu8b\"], \"accumulated_threat_level\": 0.4, \"threat_level\": \"high\", \"timewindow\": 1}"}

AlyaGomaa commented 4 weeks ago

That score meant the confidence, not the threat level. Made it more clear here: #1045
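To make the distinction from the resolution concrete, here is an added example (not Slips' own code, and not from the issue author) that parses the alert record quoted in the issue. Both "Note" fields in the record are JSON documents stored as strings, so they are decoded in place, and the "Score" and "threat level" fragments are pulled out of the free-text "Description" with regular expressions whose assumed wording matches the record above. The result shows that the description's "Score: 0.5" equals the top-level "Confidence" field while the threat level lives in the decoded "Note".

```python
import json
import re

# The alert record exactly as pasted in the issue (raw string so the
# embedded \" escapes inside the "Note" strings survive unchanged).
ALERT_JSON = r'''{"Version": "2.0.3", "Analyzer": {"IP": "0.0.0.0", "Name": "Slips", "Model": "1.1.2", "Category": ["NIDS"], "Data": ["Flow", "Network"], "Method": ["Heuristic"]}, "Status": "Event", "ID": "29eb469f-49da-47ef-a2d4-256b821be75c", "Severity": "High", "StartTime": "1970-01-01T00:35:52.996177+00:00", "CreateTime": "2024-10-08T17:21:37.801464+00:00", "Confidence": 0.5, "Description": "Malicious downloaded file 9377838b0621b6eb6018b244586af2f9. size: 166 from IP: 192.168.1.113. Detected by: VirusShare, circl.lu. Score: 0.5. threat level: high.", "Source": [{"IP": "73.217.118.205", "Note": "{\"AS\": {\"org\": \"COMCAST-7922, US\", \"number\": \"AS7922\"}, \"rDNS\": \"c-73-217-118-205.hsd1.co.comcast.net\"}", "TI": ["PBL ISP Maintained, spamhaus"]}], "RelID": ["ec7dd838-6836-49f2-86d7-00078b88a5e8"], "Note": "{\"uids\": [\"C8Lb8sI1CNBPmxu8b\"], \"accumulated_threat_level\": 0.4, \"threat_level\": \"high\", \"timewindow\": 1}"}'''

# Assumed wording of the Description text; adjust if a different detector
# phrases its description differently.
SCORE_RE = re.compile(r"Score:\s*([0-9]*\.?[0-9]+)")
THREAT_RE = re.compile(r"threat level:\s*([A-Za-z]+)")


def _decode_note(obj: dict) -> None:
    """Replace a JSON-encoded string under 'Note' with the decoded object."""
    note = obj.get("Note")
    if isinstance(note, str):
        obj["Note"] = json.loads(note)


def parse_alert(raw: str) -> dict:
    """Load an alert record and decode the nested 'Note' strings in place."""
    alert = json.loads(raw)
    _decode_note(alert)
    for src in alert.get("Source", []):
        _decode_note(src)
    return alert


def summarize(alert: dict) -> dict:
    """Pull the confidence/threat-level fields apart so they cannot be confused."""
    desc = alert.get("Description", "")
    score_match = SCORE_RE.search(desc)
    threat_match = THREAT_RE.search(desc)
    note = alert.get("Note") or {}
    sources = alert.get("Source", [])
    first_src = sources[0] if sources else {}
    description_score = float(score_match.group(1)) if score_match else None
    return {
        "severity": alert.get("Severity"),
        "confidence": alert.get("Confidence"),
        "description_score": description_score,
        "description_threat_level": threat_match.group(1) if threat_match else None,
        "note_threat_level": note.get("threat_level"),
        "accumulated_threat_level": note.get("accumulated_threat_level"),
        # The issue's resolution: the description's "Score" is the confidence.
        "score_is_confidence": description_score == alert.get("Confidence"),
        "source_ip": first_src.get("IP"),
        "source_rdns": (first_src.get("Note") or {}).get("rDNS"),
        "source_ti": first_src.get("TI", []),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_alert(ALERT_JSON)).items():
        print(f"{key:>26}: {value}")
```

Running the module prints one line per extracted field; in a pipeline you would feed each line of Slips' alerts output through `parse_alert` and `summarize` and key any triage logic on `confidence` and `note_threat_level` separately rather than on the description text.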