SekiDesu0 19c23117b9 new file: .gitignore
modified:   README.md
	new file:   app/dashboard.py
	new file:   app/main.py
	new file:   docker-compose.yml
	new file:   snort/local.rules
	new file:   snort/snort-logs/soc_actions.log
	new file:   snort/snort.lua
	new file:   snort/snort3-community.rules
2026-05-29 21:22:34 -04:00

Firewall Roulette

An experimental AI-powered Intrusion Prevention System (IPS) that occasionally tries to ban your own router.

Firewall Roulette is a Proof of Concept (PoC) research project that integrates Snort 3, a custom Python middleware, and a Large Language Model (Claude 3.5 Haiku via OpenRouter) to automatically generate and apply firewall block rules in real time.

Spoiler alert: Giving an LLM direct write access to your local firewall rules is a terrible, hilarious idea. This repository serves as empirical proof of why deterministic security tools are still the gold standard.


The "Why You Shouldn't Use This in Production" Findings

During the development and testing of this automated SOC, the LLM repeatedly demonstrated why AI is currently unfit to handle raw network perimeter defense without massive amounts of hardcoded "babysitting":

  1. Friendly Fire (Lack of Spatial Awareness): Despite strict prompt constraints defining the local subnet (192.168.1.0/24), the LLM would frequently panic at standard internal background noise (like ICMP pings or mDNS broadcasts) and attempt to quarantine the local gateway or isolate the host machine.
  2. Fatal Syntactic Hallucinations: The LLM would occasionally invent nonexistent network protocols (e.g., drop eth 0 -> 0 0). Because Snort strictly validates rules on reload, a single AI hallucination would crash the entire intrusion detection engine.
  3. Ghost Hunting (The Ephemeral Port Problem): Rather than blocking an attacker's IP broadly or targeting the compromised service port, the LLM would often hardcode the attacker's randomized ephemeral source port. By the time the rule was deployed, the attacker was already using a different port, rendering the block useless.

Conclusion: We had to write so much static Python logic to prevent the AI from destroying the network that the AI itself became redundant. Use CrowdSec or Suricata instead.
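
The kind of static guard this conclusion refers to, as an added example (not code from this repository's app/main.py): a pre-write check that rejects an LLM-proposed drop rule for each of the three findings above. The function name, the protocol allow-list and the sample rules are assumptions made for illustration; the subnet is the one named in finding 1.

```python
import ipaddress

# Assumptions (not taken from app/main.py): the protected subnet is the
# 192.168.1.0/24 named in the README; the protocol allow-list is illustrative.
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")
ALLOWED_PROTOS = {"ip", "tcp", "udp", "icmp"}


def validate_drop_rule(rule: str) -> list[str]:
    """Return rejection reasons for an LLM-proposed rule; [] means accept."""
    rule = rule.strip()
    header, paren, _body = rule.partition("(")
    tokens = header.split()
    problems = []
    # Finding 2: hallucinated protocols and malformed headers.
    if len(tokens) > 1 and tokens[1] not in ALLOWED_PROTOS:
        problems.append(f"unknown protocol {tokens[1]!r}")
    if len(tokens) != 7 or tokens[0] != "drop" or tokens[4] != "->":
        problems.append("header is not 'drop <proto> <src> <sport> -> <dst> <dport>'")
        return problems
    if not paren or not rule.endswith(")"):
        problems.append("missing '( ... )' options body")
    src, sport = tokens[2], tokens[3]
    # Finding 1: the source must be a literal address outside the local subnet.
    try:
        src_net = ipaddress.ip_network(src, strict=False)
    except ValueError:
        problems.append(f"source {src!r} is not a literal IP or CIDR")
    else:
        if src_net.overlaps(LOCAL_NET):
            problems.append(f"source {src} overlaps protected subnet {LOCAL_NET}")
    # Finding 3: a pinned source port only matches one ephemeral connection.
    if sport != "any":
        problems.append(f"source port {sport!r} is pinned; expected 'any'")
    return problems


# Constructed sample rules (external addresses are from documentation ranges).
SAMPLES = {
    "ok": 'drop tcp 203.0.113.7 any -> 192.168.1.0/24 22 (msg:"constructed"; sid:1000001;)',
    "friendly_fire": 'drop icmp 192.168.1.1 any -> any any (msg:"constructed"; sid:1000002;)',
    "hallucinated": "drop eth 0 -> 0 0",  # the README's own example
    "ephemeral": 'drop tcp 203.0.113.7 51544 -> 192.168.1.10 22 (msg:"constructed"; sid:1000003;)',
}

if __name__ == "__main__":
    for name, rule in SAMPLES.items():
        print(name, validate_drop_rule(rule) or "accepted")
```

This check accepts a deliberately narrow subset of rule syntax and only pre-filters; Snort's own validation on reload still decides whether a rule loads.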


Architecture

  1. Snort 3 Engine: Listens to the network interface, detects anomalies via community rulesets, and outputs JSON alerts.
  2. Webhook Shipper (main.py): A Python daemon that tails the Snort log, aggressively filters out local noise to save API tokens, alerts Discord, and passes external threat payloads to the LLM via tool-calling.
  3. The LLM (Claude 3.5 Haiku): Analyzes the payload and triggers a Python tool to write a strictly formatted Snort drop rule.
  4. FastAPI Dashboard (dashboard.py): A local web UI for simulating attacks, visualizing the active rule ledger, and reading the LLM's internal thought process in real time.

Installation & Usage

1. Requirements

  • Docker & Docker Compose (or a manager like Portainer)
  • An OpenRouter API Key
  • A Discord Webhook URL (optional, for alerts)

2. Setup

Clone the repository and set up the required placeholder files:

git clone https://gitea.sekidesu.xyz/SekiDesu01/firewall-roulette.git
cd firewall-roulette
mkdir snort-logs
touch local.rules
touch snort-logs/soc_actions.log

Create a .env file for your API keys:

WEBHOOK_URL="https://discord.com/api/webhooks/your-webhook"
OPENROUTER_API_KEY="sk-or-v1-your-key-here"

3. Deploy

Start the stack using Docker Compose:

docker compose up -d

4. Access the Dashboard

Open your browser and navigate to:

http://localhost:5050

From here, you can use Chaos Mode to inject random external attacks into the pipeline and watch the LLM try (and sometimes fail) to write valid blocking rules in real time.


🛠️ Tech Stack

  • Engine: Snort 3
  • Middleware/Dashboard: Python 3.11, FastAPI, Uvicorn, Requests
  • Frontend: HTML5, TailwindCSS (via CDN), Vanilla JS
  • AI: Claude-3.5-Haiku via OpenRouter API

📝 License

AGPL License. Do whatever you want with this, but please do not deploy it on a corporate network unless you want to get fired.

Description
Because every time the LLM triggers, you might lose access to your own network!