Releases: stratosphereips/StratosphereLinuxIPS

v1.1.20

30 Apr 15:26
5857dd3

1.1.20 (Apr 30th, 2026)

  • Add optional live Slips auto-update feature.
  • Fix daemon shutdown with -S.
  • Fix web interface startup, along with flow view and profile refresh handling.
  • Move Kalipso to a submodule.
  • Add DoS protection for high-throughput Zeek input, with configurable sampling windows and skip thresholds.
  • Reorganize Slips output directory so alerts, databases, and persistent artifacts are stored in dedicated directories.
  • Improve bloom filters.
  • Update the organizations' IP, domain, and ASN lists.
  • Improve whitelists.
  • Improve ASN lookups.

v1.1.19

01 Apr 12:34
54a4bc9

  • Add SSH brute-force detection module based on Zeek SSH, software, and notice logs.
  • Improve performance under high-throughput traffic with parallel evidence handling, profiler, and input optimizations.
  • Fix issues while Slips is shutting down.
  • Add optional performance plots and CSV metrics for latency, throughput, and resource usage.
  • Fix skipped first-flow processing and reduce shutdown race conditions on small files and PCAPs.

v1.1.18

03 Mar 21:51

  • Add the HTTPS anomaly detection module with adaptive baselines, confidence scoring, and detailed evidence reasons.
  • Enable ADWIN drift detection by default for HTTPS anomaly detection, with separate hourly and flow drift paths.
  • Add a local HTML report generator for HTTPS anomaly detection logs, with interactive charts and anomaly summaries.
  • Improve performance under high-throughput traffic and reduce OOM risk.
  • Improve Redis memory hygiene with tighter TTLs, capped zsets, and periodic cleanups.
  • Improve the speed of the HTTP Analyzer module.

v1.1.17

30 Jan 21:29

  • Expanded Immune dataset documentation with performance evaluations and bottleneck analysis.
  • Improve horizontal, vertical, and ICMP portscan detection logic and speed.
  • Improved handling of high-throughput traffic.
  • Optimize profiler architecture: backpressure, dynamic worker scaling, true multiprocessing.
  • Reduce false positives for "public IPs outside of localnet" evidence.
  • Reduce the amount of duplicate port scan evidence by using a log scale.
  • Speed up GitHub CI testing.
  • Speed up Slips processing and reduce RAM usage.
  • Suppress duplicate “unknown port” evidence for every scanned port when a portscan is detected.
  • Fix the evidence button in the Web UI.

v1.1.16

01 Dec 15:29

  • Add an alerts visualiser web interface for TAXII servers.
  • Change the usage of the -g option; now Slips requires the interface name to monitor when using -g.
  • Drop support for the dynamic reloading of the whitelist.
  • Speed up the evidence handler and whitelist by using bloom filters.
  • Fix false positive evidence on connection to IP outside local network when the IP is multicast.
  • Fix P2P unable to connect to the Redis database when using -m.
  • Fix problem reporting evidence when Slips is monitoring one interface.
  • Handle Slips and iptables failovers when running Slips as an access point in the Raspberry Pi.

v1.1.15

31 Oct 12:40
7e71c0a

  • Support monitoring two interfaces when Slips is running as an access point.
  • Improve running Slips on a growing Zeek directory (using -g): Slips can now detect the used interface, host IP and gateway IP.

v1.1.14

14 Oct 12:29
3781499

  • Security Patch for CVE-2025-49844: Force use of Redis version 8.2.2

v1.1.13

01 Sep 18:26
dcd77a1

  • Add detection for DNS answers of malicious DNS queries.
  • Add support for Zeek v8.0.0.
  • Speed up evidence processing in Slips.
  • Update Python dependencies.

v1.1.12

31 Jul 21:12
5f0e143

  • Better filtering of attacks in the ARP poisoner filter.
  • Cache ARP scan results to avoid flooding the network with ARP packets.
  • Exclude the gateway from being poisoned by the ARP poisoner.
  • Increase the delay between ARP poisoning attempts to avoid flooding the network.
  • Local P2P trust model improvements.

v1.1.11

03 Jul 12:59
99fbbc1

  • Fix the local P2P trust model.
  • Fix SQLite cursor errors.
  • Avoid setting an alert about Slips' own IP and other Slips peers when ARP poisoning attackers.