stratosphereips / StratosphereLinuxIPS

Slips, a free software behavioral Python intrusion prevention system (IDS/IPS) that uses machine learning to detect malicious behaviors in the network traffic. Stratosphere Laboratory, AIC, FEL, CVUT in Prague.

Why is circl.lu score 0.5 converted to info threat level in slips #1041

Closed AlyaGomaa closed 1 week ago

AlyaGomaa commented 1 week ago

Sometimes it's converted to "high", from CTU-Malware-Capture-Botnet-219-2/Day1:

{"Version": "2.0.3", "Analyzer": {"IP": "0.0.0.0", "Name": "Slips", "Model": "1.1.2", "Category": ["NIDS"], "Data": ["Flow", "Network"], "Method": ["Heuristic"]}, "Status": "Event", "ID": "29eb469f-49da-47ef-a2d4-256b821be75c", "Severity": "High", "StartTime": "1970-01-01T00:35:52.996177+00:00", "CreateTime": "2024-10-08T17:21:37.801464+00:00", "Confidence": 0.5, "Description": "Malicious downloaded file 9377838b0621b6eb6018b244586af2f9. size: 166 from IP: 192.168.1.113. Detected by: VirusShare, circl.lu. Score: 0.5. threat level: high.", "Source": [{"IP": "73.217.118.205", "Note": "{\"AS\": {\"org\": \"COMCAST-7922, US\", \"number\": \"AS7922\"}, \"rDNS\": \"c-73-217-118-205.hsd1.co.comcast.net\"}", "TI": ["PBL ISP Maintained, spamhaus"]}], "RelID": ["ec7dd838-6836-49f2-86d7-00078b88a5e8"], "Note": "{\"uids\": [\"C8Lb8sI1CNBPmxu8b\"], \"accumulated_threat_level\": 0.4, \"threat_level\": \"high\", \"timewindow\": 1}"}

AlyaGomaa commented 1 week ago

That score meant the confidence, not the threat level. Made it more clear here: #1045
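To make the distinction concrete, here is an added example (not Slips code, and not part of the issue) that parses the alert quoted above and pulls out the two values separately: the top-level `Confidence` field, which is what "Score: 0.5" in the description refers to, and the `threat_level` carried in the nested `Note` JSON string. The regexes over the description text assume the `Score: <float>. threat level: <word>.` wording seen in that one alert.

```python
import json
import re

# The alert exactly as quoted in the issue above (Slips IDEA-style output).
# Note: the "Note" fields are JSON encoded as strings inside the outer JSON.
ALERT_LINE = r'''{"Version": "2.0.3", "Analyzer": {"IP": "0.0.0.0", "Name": "Slips", "Model": "1.1.2", "Category": ["NIDS"], "Data": ["Flow", "Network"], "Method": ["Heuristic"]}, "Status": "Event", "ID": "29eb469f-49da-47ef-a2d4-256b821be75c", "Severity": "High", "StartTime": "1970-01-01T00:35:52.996177+00:00", "CreateTime": "2024-10-08T17:21:37.801464+00:00", "Confidence": 0.5, "Description": "Malicious downloaded file 9377838b0621b6eb6018b244586af2f9. size: 166 from IP: 192.168.1.113. Detected by: VirusShare, circl.lu. Score: 0.5. threat level: high.", "Source": [{"IP": "73.217.118.205", "Note": "{\"AS\": {\"org\": \"COMCAST-7922, US\", \"number\": \"AS7922\"}, \"rDNS\": \"c-73-217-118-205.hsd1.co.comcast.net\"}", "TI": ["PBL ISP Maintained, spamhaus"]}], "RelID": ["ec7dd838-6836-49f2-86d7-00078b88a5e8"], "Note": "{\"uids\": [\"C8Lb8sI1CNBPmxu8b\"], \"accumulated_threat_level\": 0.4, \"threat_level\": \"high\", \"timewindow\": 1}"}'''

# Assumed wording of the description; matches the alert above.
SCORE_RE = re.compile(r"Score:\s*([0-9]*\.?[0-9]+)")
THREAT_LEVEL_RE = re.compile(r"threat level:\s*([A-Za-z]+)")


def _decode_note(value):
    """Notes are JSON strings inside the JSON; decode them, else keep the text."""
    if not isinstance(value, str):
        return value
    try:
        return json.loads(value)
    except json.JSONDecodeError:
        return value


def parse_alert(raw_line: str) -> dict:
    """Parse one alert line and decode every nested Note (top level and per Source)."""
    alert = json.loads(raw_line)
    alert["Note"] = _decode_note(alert.get("Note"))
    for src in alert.get("Source", []):
        if "Note" in src:
            src["Note"] = _decode_note(src["Note"])
    return alert


def extract_levels(raw_line: str) -> dict:
    """Return confidence and threat level from the structured fields and from the description text."""
    alert = parse_alert(raw_line)
    desc = alert.get("Description", "")
    note = alert.get("Note") if isinstance(alert.get("Note"), dict) else {}
    score_m = SCORE_RE.search(desc)
    tl_m = THREAT_LEVEL_RE.search(desc)
    return {
        "confidence": alert.get("Confidence"),                 # structured field
        "score_in_text": float(score_m.group(1)) if score_m else None,
        "threat_level": note.get("threat_level"),              # from the decoded Note
        "accumulated_threat_level": note.get("accumulated_threat_level"),
        "threat_level_in_text": tl_m.group(1).lower() if tl_m else None,
        "severity": alert.get("Severity"),
    }


def score_is_confidence(raw_line: str) -> bool:
    """True when the 'Score' printed in the description equals the Confidence field,
    i.e. the score is a confidence value and not the threat level."""
    levels = extract_levels(raw_line)
    return levels["score_in_text"] is not None and levels["score_in_text"] == levels["confidence"]


if __name__ == "__main__":
    for key, value in extract_levels(ALERT_LINE).items():
        print(f"{key:>26}: {value}")
    print("score == confidence:", score_is_confidence(ALERT_LINE))
```

Run as a script it prints each field on its own line; the point is that the 0.5 appears only as `Confidence` (and as the "Score" in the description text), while the threat level is the separate string "high" in `Note`, so the two should never be compared against each other.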