A small office/home office (SOHO) Intrusion Detection System (IDS) project that leverages Suricata to detect potential network threats and uses an LLM to process and analyze alerts via webhook integration.

SOHO IDS Relay

Purpose

This project is designed to relay Suricata alerts, captured in eve.json, to an external webhook and process the alerts through a Language Model for enhanced analysis and interpretation. This setup allows for more intelligent handling of alerts by reducing noise and prioritizing unique or critical events.

Features

  • Webhook Integration: Relays Suricata eve.json alerts to an external endpoint.
  • Alert Deduplication: Only unique alerts are sent to reduce noise and optimize analysis.
  • LLM Processing: Integrates with an LLM to provide insightful summaries and context for each alert.
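The relay-and-deduplicate step described above, as an added example that is not the project's own scripts/ code: it filters Suricata eve.json lines down to event_type "alert" records, collapses repeats of the same rule between the same hosts (the dedup key, which ignores the ephemeral source port, is an assumption made here), and hands each unique alert to an injected send callable so the example runs offline. The eve.json lines are constructed, including a half-written line the parser must survive; in deployment, send would POST the JSON payload to the webhook URL.

```python
import json

# Constructed eve.json lines: two hits of one rule between the same hosts
# (only the ephemeral source port differs), a flow record, a truncated
# line such as a tail(1) reader sees mid-write, and one distinct alert.
SAMPLE_EVE = """\
{"timestamp":"2024-05-01T10:00:00.000000+0000","event_type":"alert","src_ip":"192.168.1.10","src_port":51515,"dest_ip":"203.0.113.5","dest_port":80,"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2024-05-01T10:00:01.000000+0000","event_type":"flow","src_ip":"192.168.1.10","dest_ip":"203.0.113.5"}
{"timestamp":"2024-05-01T10:00:02.000000+0000","event_type":"alert","src_ip":"192.168.1.10","src_port":51516,"dest_ip":"203.0.113.5","dest_port":80,"alert":{"signature_id":2100498,"signature":"GPL ATTACK_RESPONSE id check returned root","severity":2}}
{"timestamp":"2024-05-01T10:00:03.000000+0000","event_type":"al
{"timestamp":"2024-05-01T10:00:04.000000+0000","event_type":"alert","src_ip":"192.168.1.22","src_port":40000,"dest_ip":"198.51.100.9","dest_port":443,"alert":{"signature_id":2013028,"signature":"ET POLICY curl User-Agent Outbound","severity":3}}
"""

def parse_alerts(lines):
    """Yield event_type == "alert" records; skip blank or malformed lines so a
    half-written eve.json line never stops the relay."""
    for line in lines:
        try:
            event = json.loads(line) if line.strip() else None
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and event.get("event_type") == "alert":
            yield event

def dedup_key(event):
    """Rule + endpoints, ignoring the ephemeral source port (assumed scheme,
    not the project's): repeated hits between the same hosts count once."""
    return (event["alert"].get("signature_id"), event.get("src_ip"),
            event.get("dest_ip"), event.get("dest_port"))

def relay(lines, send, seen=None):
    """Send each unique alert once via `send`; return the payloads sent.
    `seen` is in-memory here; a long-running relay would persist or expire it."""
    seen = set() if seen is None else seen
    sent = []
    for event in parse_alerts(lines):
        key = dedup_key(event)
        if key in seen:  # already relayed: drop the duplicate
            continue
        seen.add(key)
        alert = event["alert"]
        payload = {"timestamp": event.get("timestamp"), "signature": alert.get("signature"),
                   "severity": alert.get("severity"),
                   "src": f"{event.get('src_ip')}:{event.get('src_port')}",
                   "dest": f"{event.get('dest_ip')}:{event.get('dest_port')}",
                   "raw": event}  # summary for the LLM; raw event kept for the thread
        send(payload)
        sent.append(payload)
    return sent
```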

Folder Structure

  • prompts/: Contains prompt templates for LLM alert processing.
  • scripts/: Includes scripts for parsing eve.json and sending data to the webhook.
  • tines/: Ready-to-import Tines story with multiple LLM examples.

Requirements

  • Suricata for generating alerts in eve.json.
  • Python 3.x for running scripts.
  • An endpoint to receive and process alerts.

Tines Story

(storyboard image: Suricata Notification Relay)

Example Alerts

In each of the examples below, the raw alert is included in the primary message's thread (🧵).

  • Without LLM Processing: (screenshot)

  • With LLM Processing: (screenshot)

License

This project is licensed under the MIT License.
