new file:   .gitignore
modified:   README.md
new file:   app/dashboard.py
new file:   app/main.py
new file:   docker-compose.yml
new file:   snort/local.rules
new file:   snort/snort-logs/soc_actions.log
new file:   snort/snort.lua
new file:   snort/snort3-community.rules
2026-05-29 21:22:34 -04:00
parent 03544b828d
commit 19c23117b9
9 changed files with 4923 additions and 2 deletions


@@ -0,0 +1,30 @@
SOC Action Log Initialized.
Waiting for Snort to create /var/log/snort/alert_json.txt...
Log found. Tailing for alerts...
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis:
The alert shows an external IP (77.247.97.72) attacking an internal IP (192.168.1.225) on port 8080 via TCP. The source IP is a valid external address, and the destination is within the protected 192.168.1.0/24 network. All conditions are met to generate a block rule.
I'll create a Snort 3 drop rule that precisely matches the specified syntax:
LLM generated rule: drop tcp 77.247.97.72 any -> 192.168.1.225 8080 (msg:"LLM Block"; sid:1000001; rev:1;)
Rule successfully appended to local.rules.
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis of the alert payload:
The alert shows an external IP (45.33.32.156) scanning an internal host (192.168.1.50) on port 80 using TCP. The source IP is a clear, non-local external IP address, and it's targeting a specific internal network host. This meets all the criteria for generating a blocking Snort rule. I will create a rule to drop TCP traffic from this specific external attacker IP to the internal destination.
LLM generated rule: drop tcp 45.33.32.156 any -> 192.168.1.50 80 (msg:"LLM Block"; sid:1000002; rev:1;)
Rule successfully appended to local.rules.
Sent alert to Discord successfully.
Asking LLM for a block rule...
LLM Reasoning: Analysis of the alert payload:
- The source IP (21.154.103.61) is a valid external IP address
- The destination is within the protected 192.168.1.0/24 network
- The protocol is UDP
- Destination port is 80
- This meets all the criteria for generating a block rule
I will generate a Snort 3 drop rule to block UDP traffic from this specific external attacker to the internal network:
LLM generated rule: drop udp 21.154.103.61 any -> 192.168.1.53 80 (msg:"LLM Block"; sid:1000003; rev:1;)
Rule successfully appended to local.rules.
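Review bot: a runtime log (snort/snort-logs/soc_actions.log) is being committed even though this same commit adds a .gitignore; the log records internal host addresses (192.168.1.225, 192.168.1.50, 192.168.1.53) and the full model reasoning, so add snort/snort-logs/ to .gitignore and remove the file from the tree. The entries also show each "LLM generated rule:" line followed directly by "Rule successfully appended to local.rules." with no validation logged in between, and the third entry's reasoning ("block UDP traffic from this specific external attacker to the internal network") does not match the rule it emitted, which targets only 192.168.1.53 on port 80; the writing path should log a syntax check of the rule against the expected `drop <proto> <ip> any -> <ip> <port> (msg:...; sid:...; rev:...;)` shape and a check that the rule's protocol, destination and port agree with the alert before the append, and an approval step before anything is written to local.rules is worth considering, since an alert carrying a spoofed source address would otherwise be turned into a drop rule for that address without review.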