Aegis is a .NET console application that reads the raw alert files generated by the Snort IDS and provides contextual, real-time insights into the alerts raised on network traffic, with the ability to ask questions about your data in natural language. The tool supports the incident response process by analyzing and contextualizing alerts and by offering actionable recommendations and comprehensive reports that can be automated.
Built with:
- .NET Core: For building the console application.
- Snort IDS: Run with the community rules to generate the raw alert files that Aegis analyzes. A malicious network traffic example was used.
- llama.cpp: For hosting an LLM server.
- Milvus Database: A vector database used for efficient storage and retrieval of embeddings.
- Meta-Llama-3.1-8B-Instruct-abliterated-GGUF: An LLM model from Hugging Face, providing the core language processing capabilities.
- nomic-embed-text-v1.5-GGUF: An embeddings model from Hugging Face, used to generate the embeddings that power search and analysis.
Key features:
- Real-time Analysis: Processes raw alert files from Snort and provides immediate insights.
- Contextual Reporting: Generates detailed reports with context about the source IP, the data involved, historical activity, and more.
- Actionable Recommendations: Suggests steps for mitigating threats and strengthening security measures.
- Integration with Threat Intelligence: Correlates alerts with threat intelligence feeds to identify and respond to potential threats.
During an incident, Aegis helps by:
- Analyzing Events: Providing context about the source IP, the data involved, and historical activity related to the affected systems. The parsing of raw alert data can be customized in the ReadSnortlogs.cs file.
- Generating Reports: Creating detailed incident reports that include:
  - A detailed description of the incident.
  - Recommendations for further action, such as tightening firewall rules and monitoring for similar activity.
After an attack, Aegis can:
- Analyze Logs: Review logs and other data to create a post-incident report.
- Generate Comprehensive Reports: Including:
Aegis enhances threat detection by:
- Ingesting Threat Feeds: Correlating internal data with external threat intelligence feeds.
- Identifying Potential Threats: Analyzing network logs to determine if there are signs of attempted exploitation.
- Generating Threat Reports: Highlighting:
Prerequisites:
- .NET Core SDK
- llama.cpp, or any LLM server that exposes the OpenAI API syntax. Llama.cpp has given me the best performance.
- Any GGUF LLM model of your choosing. This was tested with Meta-Llama-3.1-8B-Instruct-abliterated-GGUF.
- Alert logs in Snort alert syntax
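A worked example of the kind of parsing that the ReadSnortlogs.cs step customizes, added here and not taken from the Aegis repository: it turns Snort "fast" alert lines into structured records that can then be handed to the LLM for context. The record and class names, the field layout and the IPv4-only endpoint handling are assumptions.

```csharp
// Added example, not the project's ReadSnortlogs.cs: parse Snort "fast" alert lines into records.
// Field names and the IPv4-only endpoint handling are assumptions, not taken from Aegis.
using System;
using System.Text.RegularExpressions;

public record SnortAlert(string Timestamp, int Gid, int Sid, int Rev, string Message,
    string Classification, int Priority, string Protocol,
    string SrcIp, int? SrcPort, string DstIp, int? DstPort);

public static class SnortFastParser
{
    // Snort 2 prints the message bare, Snort 3 wraps it in double quotes; both are accepted.
    // Classification and Priority are optional because a rule without a classtype omits them.
    private static readonly Regex Line = new Regex(
        @"^(?<ts>\S+)\s+\[\*\*\]\s+\[(?<gid>\d+):(?<sid>\d+):(?<rev>\d+)\]\s+""?(?<msg>.*?)""?\s+\[\*\*\]" +
        @"(?:\s+\[Classification:\s*(?<cls>[^\]]*)\])?(?:\s+\[Priority:\s*(?<pri>\d+)\])?" +
        @"\s+\{(?<proto>[^}]+)\}\s+(?<src>\S+)\s+->\s+(?<dst>\S+)\s*$", RegexOptions.Compiled);

    public static SnortAlert? Parse(string line)
    {
        var m = Line.Match(line);
        if (!m.Success) return null; // blank, truncated or non-alert lines are skipped rather than thrown on
        var (srcIp, srcPort) = SplitEndpoint(m.Groups["src"].Value);
        var (dstIp, dstPort) = SplitEndpoint(m.Groups["dst"].Value);
        return new SnortAlert(m.Groups["ts"].Value,
            int.Parse(m.Groups["gid"].Value), int.Parse(m.Groups["sid"].Value), int.Parse(m.Groups["rev"].Value),
            m.Groups["msg"].Value,
            m.Groups["cls"].Success ? m.Groups["cls"].Value : "",
            m.Groups["pri"].Success ? int.Parse(m.Groups["pri"].Value) : 0,
            m.Groups["proto"].Value, srcIp, srcPort, dstIp, dstPort);
    }

    // TCP/UDP endpoints are "ip:port"; ICMP alerts carry a bare address with no port.
    private static (string, int?) SplitEndpoint(string ep)
    {
        int i = ep.LastIndexOf(':');
        if (i < 0) return (ep, null);
        return (ep[..i], int.Parse(ep[(i + 1)..]));
    }

    public static void Main()
    {
        // Constructed sample lines in Snort 2 and Snort 3 fast format, not real captured alerts.
        string[] sample = {
            "08/15-14:23:01.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 10.0.0.5:80 -> 192.168.1.10:49152",
            "08/15-14:23:02.000001 [**] [1:1000001:1] \"LOCAL ICMP echo request\" [**] [Classification: Misc activity] [Priority: 3] {ICMP} 192.168.1.10 -> 10.0.0.5",
            "not an alert line"
        };
        foreach (var a in Array.ConvertAll(sample, Parse))
            Console.WriteLine(a is null ? "skipped" : $"{a.SrcIp} -> {a.DstIp} sid={a.Sid} pri={a.Priority}: {a.Message}");
    }
}
```

Lines that do not match the pattern are dropped silently, so a truncated final line in a live alert file does not abort the run; log such drops if you need to audit them.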
Installation:
- Clone the repository:
  ```
  git clone https://github.com/yourusername/aegis.git
  ```
- Navigate to the project directory:
  ```
  cd aegis
  ```
- Adjust the file paths so that they correctly reference your files.
- Build the project:
  ```
  dotnet build
  ```
- Configure the LLM server to listen on port 1234, or adjust the URLs defined at the top of the Program.cs file. For example, with llama.cpp:
  ```
  .\llama-server.exe -m .\meta-llama-3.1-8b-instruct-abliterated.Q5_K_M.gguf --port 1234
  ```
Contributions are welcome! Please open an issue or submit a pull request for any improvements or bug fixes.
This project is licensed under the MIT License.