
https://github.com/tyler-tee/soho-ids-relay

A small office/home office (SOHO) Intrusion Detection System (IDS) project that leverages Suricata to detect potential network threats and uses an LLM to process and analyze alerts via webhook integration.

eve ids llm python soho suricata


README


# SOHO IDS Relay

![SonarCloud Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=tyler-tee_SOHO-IDS-RELAY&metric=alert_status)

A small office/home office (SOHO) Intrusion Detection System (IDS) project that leverages Suricata to detect potential network threats and uses an LLM to process and analyze alerts via webhook integration.

## Purpose

This project relays Suricata alerts, captured in `eve.json`, to an external webhook, where they are processed by a Large Language Model (LLM) for enhanced analysis and interpretation. Deduplicating alerts before they are sent reduces noise, and the LLM summary helps prioritize unique or critical events.

## Features

- **Webhook Integration**: Relays Suricata `eve.json` alerts to an external endpoint.
- **Alert Deduplication**: Only unique alerts are sent to reduce noise and optimize analysis.
- **LLM Processing**: Integrates with an LLM to provide insightful summaries and context for each alert.
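The relay pipeline described in the Purpose and Features sections (parse `eve.json`, keep only alert events, drop repeats, POST the rest) is shown below as an added example. It is not the project's own code from `scripts/`: the `eve.json` lines are constructed, the deduplication key (rule, source, destination host/port, protocol) is an assumption because the README does not define what makes an alert "unique", and the webhook URL is whatever you pass in.

```python
"""Relay Suricata EVE alerts to a webhook with deduplication (added example)."""
import hashlib
import json
import urllib.request
from typing import Callable, Iterable, Iterator, List, Optional

# Constructed sample of eve.json content: one JSON object per line, mixed event
# types, one repeated alert, one alert to a different host and one corrupt line.
_ALERT = {"signature_id": 9000001, "rev": 1, "severity": 1,
          "signature": "LOCAL Outbound connection to uncommon port",
          "category": "Potentially Bad Traffic"}
SAMPLE_EVE_LINES = [
    json.dumps({"timestamp": "2024-05-01T10:00:00.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.23", "src_port": 51234, "dest_ip": "203.0.113.9",
                "dest_port": 4444, "proto": "TCP", "alert": _ALERT}),
    json.dumps({"timestamp": "2024-05-01T10:00:01.000000+0000", "event_type": "flow",
                "src_ip": "192.168.1.23", "dest_ip": "203.0.113.9"}),
    json.dumps({"timestamp": "2024-05-01T10:00:30.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.23", "src_port": 51240, "dest_ip": "203.0.113.9",
                "dest_port": 4444, "proto": "TCP", "alert": _ALERT}),   # repeat (new src_port)
    json.dumps({"timestamp": "2024-05-01T10:01:00.000000+0000", "event_type": "alert",
                "src_ip": "192.168.1.23", "src_port": 51250, "dest_ip": "198.51.100.7",
                "dest_port": 4444, "proto": "TCP", "alert": _ALERT}),   # distinct destination
    '{"event_type": "alert", "src_ip": "192.168.1.23"',                 # truncated write
]


def parse_alerts(lines: Iterable[str]) -> Iterator[dict]:
    """Yield well-formed alert records; skip other event types and corrupt lines."""
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # Suricata mid-write, or a damaged line: never crash the relay
        if record.get("event_type") == "alert" and "alert" in record:
            yield record


def alert_key(record: dict) -> str:
    """Dedup key (assumption): rule id + source + destination host/port + protocol.
    The ephemeral source port is left out so a retried connection is not a new alert."""
    fields = [record["alert"]["signature_id"], record.get("src_ip"),
              record.get("dest_ip"), record.get("dest_port"), record.get("proto")]
    return hashlib.sha256(json.dumps(fields).encode()).hexdigest()


def dedupe(records: Iterable[dict], seen: set) -> Iterator[dict]:
    """Yield the first record per key; `seen` is caller-owned so it can be persisted."""
    for record in records:
        key = alert_key(record)
        if key not in seen:
            seen.add(key)
            yield record


def build_payload(record: dict) -> dict:
    """Flat summary for the webhook, with the raw EVE record attached for the thread."""
    alert = record["alert"]
    return {"signature_id": alert["signature_id"], "signature": alert["signature"],
            "severity": alert.get("severity"), "category": alert.get("category"),
            "src_ip": record.get("src_ip"), "dest_ip": record.get("dest_ip"),
            "dest_port": record.get("dest_port"), "timestamp": record.get("timestamp"),
            "raw": record}


def post_json(url: str, payload: dict, timeout: float = 5.0) -> int:
    """POST one payload as JSON and return the HTTP status (not used offline)."""
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status


def relay(lines: Iterable[str], send: Callable[[dict], None],
          seen: Optional[set] = None) -> List[dict]:
    """parse -> dedupe -> payload -> send; returns the payloads that were sent."""
    sent = []
    for record in dedupe(parse_alerts(lines), seen if seen is not None else set()):
        payload = build_payload(record)
        send(payload)
        sent.append(payload)
    return sent


if __name__ == "__main__":
    # Offline demo: print instead of POSTing. Against a real endpoint, pass
    # lambda p: post_json(WEBHOOK_URL, p) with WEBHOOK_URL set to your webhook.
    relay(SAMPLE_EVE_LINES, lambda p: print(json.dumps(p)[:100]))
```

Two points a practitioner will care about: the relay must survive a half-written or corrupt line, because Suricata appends to `eve.json` continuously, so `parse_alerts` skips anything that is not valid JSON rather than raising; and the `seen` set grows without bound and never expires, so in production you would persist it across restarts and age entries out (or key on a time bucket), otherwise a signature that fires again a week later is silently dropped.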

## Folder Structure

- `prompts/`: Contains prompt templates for LLM alert processing.
- `scripts/`: Includes scripts for parsing `eve.json` and sending data to the webhook.
- `tines/`: Ready-to-import Tines story with multiple LLM examples.

## Requirements

- Suricata for generating alerts in `eve.json`.
- Python 3.x for running scripts.
- An endpoint to receive and process alerts (for example, the Tines story in `tines/`).

## Tines Story

![Suricata Notification Relay-storyboard](https://github.com/user-attachments/assets/76a18791-6ba3-4e69-9ffd-c2f05272dab5)

## Example Alerts
*In each of the examples below, the raw alert is included in the primary message's thread 🧵*

- Without LLM Processing:

![image](https://github.com/user-attachments/assets/bcf820f1-bde9-4e30-80ff-be82b400426e)

- With LLM Processing:

![image](https://github.com/user-attachments/assets/dfc072e7-81b9-4783-83a9-0fe7a7e7c198)

## License

This project is licensed under the MIT License.