From 6f7e99639cb0038ad3aa855938588b3838ef6d91 Mon Sep 17 00:00:00 2001
From: Spencer
Date: Sat, 23 Aug 2025 19:03:40 -0500
Subject: [PATCH] Attempting to remove the LLM out of processing
---
 .gitignore | 2 +-
 PROGRESS.md | 16 ++
 monitor_agent.py | 140 ++++++++++-------
 monitoring_agent.log.2025-08-21 | 262 --------------------------------
 4 files changed, 106 insertions(+), 314 deletions(-)
 delete mode 100644 monitoring_agent.log.2025-08-21
diff --git a/.gitignore b/.gitignore
index 366a307..346dced 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,4 @@ __pycache__/
 monitoring_data.json
 log_position.txt
 auth_log_position.txt
-monitoring_agent.log
+monitoring_agent.log*
diff --git a/PROGRESS.md b/PROGRESS.md
index ece0cb6..5e42e5f 100644
--- a/PROGRESS.md
+++ b/PROGRESS.md
@@ -78,3 +78,19 @@ ## TODO +## Phase 7: Offloading Analysis from LLM + +39. [x] Create a new function `analyze_data_locally` in `monitor_agent.py`. + 39.1. [x] This function will take `data`, `baselines`, `known_issues`, and `port_applications` as input. + 39.2. [x] It will contain the logic to compare current data with baselines and predefined thresholds. + 39.3. [x] It will be responsible for identifying anomalies for various metrics (CPU/GPU temp, network RTT, failed logins, Nmap changes). + 39.4. [x] It will return a list of dictionaries, where each dictionary represents an anomaly and contains 'severity' and 'reason' keys. +40. [x] Refactor `analyze_data_with_llm` into a new function called `generate_llm_report`. + 40.1. [x] This function will take the list of anomalies from `analyze_data_locally` as input. + 40.2. [x] It will construct a simple prompt to ask the LLM to generate a human-readable summary of the anomalies. + 40.3. [x] The LLM will no longer be making analytical decisions. +41. [x] Update `run_monitoring_cycle` to orchestrate the new workflow. + 41.1. [x] Call `analyze_data_locally` to get the list of anomalies. + 41.2. [x] If anomalies are found, call `generate_llm_report` to create the report. + 41.3. [x] Use the output of `generate_llm_report` for alerting. +42. [x] Remove the detailed analytical instructions from `build_llm_prompt` as they will be handled by `analyze_data_locally`. \ No newline at end of file diff --git a/monitor_agent.py b/monitor_agent.py index 54ca22e..197b4e2 100644 --- a/monitor_agent.py +++ b/monitor_agent.py 
@@ -192,73 +192,102 @@ def get_nmap_scan_results(): logger.error(f"Error performing Nmap scan: {e}") return {"error": "Nmap scan failed"} -# --- LLM Interaction Function --- +# --- Data Analysis --- -def build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues, port_applications): - """Builds the prompt for the LLM analysis.""" - return f""" - **Role:** You are a dedicated and expert system administrator. Your primary role is to identify anomalies and provide concise, actionable reports. +def analyze_data_locally(data, baselines, known_issues, port_applications): + """Analyzes the collected data to find anomalies without using an LLM.""" + anomalies = [] - **Instruction:** Analyze the following system and network data for any activity that appears out of place or different. Consider unusual values, errors, or unexpected patterns as anomalies. Compare the current data with the historical baseline data to identify significant deviations. Consult the known issues feed to avoid flagging resolved or expected issues. Pay special attention to the Nmap scan results for any new or unexpected open ports. Pay special attention to network RTT fluctuations, but only report them as an anomaly if the fluctuation is greater than 10 seconds. Similarly, only report temperature fluctuations if the difference is greater than 5 degrees. + # Temperature checks + cpu_temp = data.get("cpu_temperature", {}).get("cpu_temperature") + gpu_temp = data.get("gpu_temperature", {}).get("gpu_temperature") + baseline_cpu_temp = baselines.get("average_cpu_temperature") + baseline_gpu_temp = baselines.get("average_gpu_temperature") - **Context:** - Here is the system data in JSON format for your analysis: {json.dumps(data, indent=2)} + if isinstance(cpu_temp, (int, float)) and isinstance(baseline_cpu_temp, (int, float)): + if abs(cpu_temp - baseline_cpu_temp) > 5: + anomalies.append({ + "severity": "medium", + "reason": f"CPU temperature deviation detected. 
Current: {cpu_temp}°C, Baseline: {baseline_cpu_temp}°C" + }) - **Historical Baseline Data:** - {json.dumps(baselines, indent=2)} + if isinstance(gpu_temp, (int, float)) and isinstance(baseline_gpu_temp, (int, float)): + if abs(gpu_temp - baseline_gpu_temp) > 5: + anomalies.append({ + "severity": "medium", + "reason": f"GPU temperature deviation detected. Current: {gpu_temp}°C, Baseline: {baseline_gpu_temp}°C" + }) - **Nmap Scan Changes:** - {json.dumps(nmap_changes, indent=2)} + # Network RTT check + current_rtt = data.get("network_metrics", {}).get("rtt_avg") + baseline_rtt = baselines.get("average_rtt_avg") - **Known Issues Feed:** - {json.dumps(known_issues, indent=2)} + if isinstance(current_rtt, (int, float)) and isinstance(baseline_rtt, (int, float)): + if abs(current_rtt - baseline_rtt) > 10000: + anomalies.append({ + "severity": "high", + "reason": f"High network RTT fluctuation detected. Current: {current_rtt}ms, Baseline: {baseline_rtt}ms" + }) - **Known Port Applications:** - {json.dumps(port_applications, indent=2)} + # Failed login attempts check + failed_logins = data.get("login_attempts", {}).get("failed_login_attempts") + if failed_logins: + anomalies.append({ + "severity": "high", + "reason": f"{len(failed_logins)} failed login attempts detected." + }) - **Constraints and Guidelines:** - {constraints} - - **Output Request:** If you find an anomaly, provide a report as a single JSON object with two keys: "severity" and "reason". The "severity" must be one of "high", "medium", "low", or "none". The "reason" must be a natural language explanation of the anomaly. Please include specific values if the anomoly has them. If no anomaly is found, return a single JSON object with "severity" set to "none" and "reason" as an empty string. Do not wrap the JSON in markdown or any other formatting. Only return the JSON, and nothing else. - - - **Reasoning Hint:** Think step by step to come to your conclusion. This is very important. 
- """ - -def analyze_data_with_llm(data, baselines): - """Analyzes data with the local LLM.""" - with open("CONSTRAINTS.md", "r") as f: - constraints = f.read() - - with open("known_issues.json", "r") as f: - known_issues = json.load(f) - - with open("port_applications.json", "r") as f: - port_applications = json.load(f) - - # Compare current nmap results with baseline - nmap_changes = {"new_hosts": [], "changed_ports": {}} + # Nmap scan changes check if "nmap_results" in data and "host_ports" in baselines: current_hosts_info = {host['ip']: host for host in data["nmap_results"].get("hosts", [])} current_hosts = set(current_hosts_info.keys()) baseline_hosts = set(baselines["host_ports"].keys()) # New hosts - nmap_changes["new_hosts"] = sorted(list(current_hosts - baseline_hosts)) + new_hosts = sorted(list(current_hosts - baseline_hosts)) + for host in new_hosts: + anomalies.append({ + "severity": "high", + "reason": f"New host detected on the network: {host}" + }) # Changed ports on existing hosts for host_ip in current_hosts.intersection(baseline_hosts): current_ports = set(p['port'] for p in current_hosts_info[host_ip].get("open_ports", [])) - baseline_ports = set(baselines["host_ports"].get(host_ip, [])) newly_opened = sorted(list(current_ports - baseline_ports)) - newly_closed = sorted(list(baseline_ports - current_ports)) + + for port in newly_opened: + port_info = port_applications.get(str(port), "Unknown") + anomalies.append({ + "severity": "medium", + "reason": f"New port opened on {host_ip}: {port} ({port_info})" + }) - if newly_opened or newly_closed: - nmap_changes["changed_ports"][host_ip] = {"opened": newly_opened, "closed": newly_closed} + return anomalies - prompt = build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues, port_applications) +# --- LLM Interaction Function --- + +def build_llm_prompt(anomalies): + """Builds the prompt for the LLM to generate a report from anomalies.""" + return f""" + **Role:** You are a dedicated and 
expert system administrator. Your primary role is to provide a concise, actionable report based on a list of pre-identified anomalies. + + **Instruction:** Please synthesize the following list of anomalies into a single, human-readable report. The report should be a single JSON object with two keys: "severity" and "reason". The "severity" should be the highest severity from the list of anomalies. The "reason" should be a summary of all the anomalies. + + **Anomalies:** + {json.dumps(anomalies, indent=2)} + + **Output Request:** Provide a report as a single JSON object with two keys: "severity" and "reason". The "severity" must be one of "high", "medium", "low", or "none". The "reason" must be a natural language explanation of the anomaly. If no anomaly is found, return a single JSON object with "severity" set to "none" and "reason" as an empty string. Do not wrap the JSON in markdown or any other formatting. Only return the JSON, and nothing else. + """ + +def generate_llm_report(anomalies): + """Generates a report from a list of anomalies using the local LLM.""" + if not anomalies: + return {"severity": "none", "reason": ""} + + prompt = build_llm_prompt(anomalies) try: response = ollama.generate(model="llama3.1:8b", prompt=prompt) 
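Review bot: `analyze_data_locally` takes `known_issues` but never reads it, so the suppression the removed prompt asked the LLM for ("Consult the known issues feed to avoid flagging resolved or expected issues") now has no counterpart: an expected host or port listed in known_issues.json is appended as an anomaly on every cycle and nothing downstream filters it out. Either check each new-host and new-port finding against `known_issues` before appending it (the file's schema is not visible here, so the exact lookup depends on it), or drop the parameter and state that in the docstring, e.g. `"""Compare collected data with baselines and fixed thresholds; known_issues is not yet consulted."""`. Two further points in the same hunk are inferred rather than visible: `len(failed_logins)` assumes the collector returns a sequence rather than a count, and a single entry is enough for a "high" anomaly, so unless the auth log is read incrementally (the `auth_log_position.txt` entry in .gitignore suggests it is) the same attempt would re-alert each cycle. The thresholds `5` and `10000` would read better as named constants carrying their unit, e.g. `TEMP_DEVIATION_C = 5` and `RTT_DEVIATION_MS = 10000`, since the RTT comparison and its message both assume milliseconds.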
@@ -391,13 +420,22 @@ def run_monitoring_cycle(nmap_scan_counter): data_storage.store_data(combined_data) - llm_response = analyze_data_with_llm(combined_data, data_storage.calculate_baselines()) + with open("known_issues.json", "r") as f: + known_issues = json.load(f) - if llm_response and llm_response.get('severity') != "none": - daily_events.append(llm_response.get('reason')) - if llm_response.get('severity') == "high" and is_alerting_time(): - send_discord_alert(llm_response, combined_data) - send_google_home_alert(llm_response.get('reason')) + with open("port_applications.json", "r") as f: + port_applications = json.load(f) + + baselines = data_storage.calculate_baselines() + anomalies = analyze_data_locally(combined_data, baselines, known_issues, port_applications) + + if anomalies: + llm_response = generate_llm_report(anomalies) + if llm_response and llm_response.get('severity') != "none": + daily_events.append(llm_response.get('reason')) + if llm_response.get('severity') == "high" and is_alerting_time(): + send_discord_alert(llm_response, combined_data) + send_google_home_alert(llm_response.get('reason')) return nmap_scan_counter def main(): @@ -414,4 +452,4 @@ def main(): time.sleep(300) # Run every 5 minutes if __name__ == "__main__": - main() \ No newline at end of file + main() diff --git a/monitoring_agent.log.2025-08-21 b/monitoring_agent.log.2025-08-21 deleted file mode 100644 index 52c13d3..0000000 --- a/monitoring_agent.log.2025-08-21 +++ /dev/null 
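Review bot: In `run_monitoring_cycle` the alerting decision still rests on the LLM-produced `severity`, even though every anomaly now carries a locally assigned one; a malformed or downgraded response (the deleted log in this commit records `Error decoding LLM response` happening) means a locally "high" finding is never sent to Discord or Google Home, and a falsy return from `generate_llm_report` drops the whole cycle's findings at the `if llm_response` guard. Derive the gating severity locally and use the LLM only for the summary text, falling back to the joined anomaly reasons when the LLM call fails. The error path of `generate_llm_report` is outside this hunk, so whether it returns `None` or a dict there is inferred. Separately, `known_issues.json` and `port_applications.json` are opened with relative paths on every cycle, so the agent's behaviour depends on the working directory it is launched from; resolving them against `__file__` would make the 5-minute loop in `main` robust to that.
```python
    baselines = data_storage.calculate_baselines()
    anomalies = analyze_data_locally(combined_data, baselines, known_issues, port_applications)

    if anomalies:
        # Severity is decided locally; the LLM only writes the summary text.
        rank = {"none": 0, "low": 1, "medium": 2, "high": 3}
        local_severity = max((a["severity"] for a in anomalies), key=lambda s: rank.get(s, 0))
        llm_response = generate_llm_report(anomalies)
        reason = (llm_response or {}).get("reason") or "; ".join(a["reason"] for a in anomalies)
        report = {"severity": local_severity, "reason": reason}
        daily_events.append(reason)
        if local_severity == "high" and is_alerting_time():
            send_discord_alert(report, combined_data)
            send_google_home_alert(reason)
    # … unchanged: return nmap_scan_counter …
```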
@@ -1,262 +0,0 @@ -2025-08-21 12:13:49,398 - INFO - Running in test mode... -2025-08-21 12:13:49,398 - INFO - Running monitoring cycle... -2025-08-21 12:13:51,451 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. -2025-08-21 12:17:01,027 - INFO - Running in test mode... -2025-08-21 12:17:01,028 - INFO - Running monitoring cycle... -2025-08-21 12:17:03,081 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. -2025-08-21 12:17:27,908 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 has been open for a significant margin (delta value > 10) which could indicate unauthorized access or malicious activity.'} -2025-08-21 12:17:28,261 - INFO - Discord alert sent successfully. -2025-08-21 12:17:29,787 - INFO - Google Home alert sent successfully. -2025-08-21 12:25:11,136 - INFO - Running in test mode... -2025-08-21 12:25:11,136 - INFO - Running monitoring cycle... -2025-08-21 12:25:13,191 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. -2025-08-21 12:25:53,246 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 135 and 2179 are open on host 192.168.2.116, which may indicate a potential vulnerability.'} -2025-08-21 12:25:53,247 - INFO - is_alerting_time check: returning True for testing -2025-08-21 12:25:53,516 - INFO - Discord alert sent successfully. -2025-08-21 12:25:55,036 - INFO - Google Home alert sent successfully. -2025-08-21 12:28:47,747 - INFO - Running in test mode... -2025-08-21 12:28:47,747 - INFO - Running monitoring cycle... -2025-08-21 12:28:49,803 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. -2025-08-21 12:31:53,625 - INFO - LLM Response: {'severity': 'low', 'reason': 'Port 62078 was previously open, but is now closed on host 192.168.2.117.'} -2025-08-21 12:33:10,733 - INFO - Running in test mode... -2025-08-21 12:33:10,733 - INFO - Running monitoring cycle... -2025-08-21 12:33:12,784 - WARNING - Nmap -sS scan requires root privileges. 
Falling back to -sT. -2025-08-21 12:33:39,931 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 12:34:41,548 - INFO - Running in test mode... -2025-08-21 12:34:41,549 - INFO - Running monitoring cycle... -2025-08-21 12:34:43,602 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. -2025-08-21 12:35:10,189 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 12:38:03,773 - INFO - Running in test mode... -2025-08-21 12:38:03,773 - INFO - Running monitoring cycle... -2025-08-21 12:46:43,806 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 13:22:20,796 - INFO - Running monitoring cycle... -2025-08-21 13:23:35,642 - INFO - LLM Response: {'severity': 'high', 'reason': 'Several closed ports on 192.168.2.114 have been detected in the Nmap Scan Changes: The ports that were previously open but are now closed are [2222, 3000, 5678, 8001, 8083, 8085, 8088, 8089, 8181, 8888]. This could indicate a security risk as it may be indicative of an external entity attempting to access internal services or resources.'} -2025-08-21 13:23:35,921 - INFO - Discord alert sent successfully. -2025-08-21 13:23:38,116 - INFO - Google Home alert sent successfully. -2025-08-21 13:28:38,117 - INFO - Running monitoring cycle... -2025-08-21 13:29:00,916 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 13:34:00,916 - INFO - Running monitoring cycle... -2025-08-21 13:34:23,658 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 13:39:23,658 - INFO - Running monitoring cycle... -2025-08-21 13:39:47,690 - INFO - LLM Response: {'severity': 'high', 'reason': 'The current RTT average (19.725) is significantly higher than the historical baseline value (19), with a difference of 0.725 seconds, which exceeds the 10-second threshold.'} -2025-08-21 13:39:47,998 - INFO - Discord alert sent successfully. -2025-08-21 13:39:49,884 - INFO - Google Home alert sent successfully. 
-2025-08-21 13:44:49,884 - INFO - Running monitoring cycle... -2025-08-21 13:51:42,600 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was found open on host 192.168.2.104, which is not a critical issue but should be monitored.'} -2025-08-21 13:56:42,601 - INFO - Running monitoring cycle... -2025-08-21 13:57:05,364 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 14:02:05,364 - INFO - Running monitoring cycle... -2025-08-21 14:02:28,186 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 14:07:28,186 - INFO - Running monitoring cycle... -2025-08-21 14:07:52,473 - INFO - LLM Response: {'severity': 'high', 'reason': 'CPU temperature has reached a critical value of 80 degrees Celsius, which is higher than the average baseline value of 82 degrees. This may indicate overheating and potential hardware damage.'} -2025-08-21 14:07:52,721 - INFO - Discord alert sent successfully. -2025-08-21 14:07:54,214 - INFO - Google Home alert sent successfully. -2025-08-21 14:12:54,215 - INFO - Running monitoring cycle... -2025-08-21 14:14:48,339 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 14:19:48,339 - INFO - Running monitoring cycle... -2025-08-21 14:20:12,301 - INFO - LLM Response: {'severity': 'high', 'reason': 'The average round trip time (RTT) has increased significantly from the historical baseline of 19ms to 27.927ms, indicating a potential issue with network connectivity.'} -2025-08-21 14:20:12,596 - INFO - Discord alert sent successfully. -2025-08-21 14:20:14,222 - INFO - Google Home alert sent successfully. -2025-08-21 14:25:14,222 - INFO - Running monitoring cycle... -2025-08-21 14:25:38,561 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT (Round Trip Time) fluctuation of 0.336 seconds between minimum and maximum values exceeds the average baseline value, but does not exceed the threshold for significant margin.'} -2025-08-21 14:30:38,561 - INFO - Running monitoring cycle... 
-2025-08-21 14:31:02,101 - INFO - LLM Response: {'severity': 'high', 'reason': 'The CPU temperature of 82 degrees exceeds the average temperature by a significant margin (delta value: +0).'} -2025-08-21 14:31:02,305 - INFO - Discord alert sent successfully. -2025-08-21 14:31:03,270 - INFO - Google Home alert sent successfully. -2025-08-21 14:36:03,270 - INFO - Running monitoring cycle... -2025-08-21 14:38:11,837 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 has been closed unexpectedly, which may indicate a security issue or a change in system configuration.'} -2025-08-21 14:38:12,063 - INFO - Discord alert sent successfully. -2025-08-21 14:38:13,086 - INFO - Google Home alert sent successfully. -2025-08-21 14:43:13,086 - INFO - Running monitoring cycle... -2025-08-21 14:43:35,862 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 14:48:35,864 - INFO - Running monitoring cycle... -2025-08-21 14:48:58,650 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 14:53:58,650 - INFO - Running monitoring cycle... -2025-08-21 14:54:22,771 - INFO - LLM Response: {'severity': 'high', 'reason': 'The current CPU temperature (81.0°C) exceeds the average CPU temperature by a significant margin of 1.0°C, which is greater than the allowed fluctuation threshold of 5°C.'} -2025-08-21 14:54:23,089 - INFO - Discord alert sent successfully. -2025-08-21 14:54:24,648 - INFO - Google Home alert sent successfully. -2025-08-21 14:59:24,649 - INFO - Running monitoring cycle... -2025-08-21 15:02:53,241 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The port 62078 is open on host 192.168.2.119, which was previously closed and had a high number of closed ports.'} -2025-08-21 15:07:53,242 - INFO - Running monitoring cycle... -2025-08-21 15:08:16,292 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:13:16,293 - INFO - Running monitoring cycle... 
-2025-08-21 15:13:39,106 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:18:39,107 - INFO - Running monitoring cycle... -2025-08-21 15:19:01,901 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:24:01,902 - INFO - Running monitoring cycle... -2025-08-21 15:26:36,387 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously reported as a known issue, but it has been re-opened on host 192.168.2.106, which could indicate a new anomaly.'} -2025-08-21 15:31:36,387 - INFO - Running monitoring cycle... -2025-08-21 15:31:59,832 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT maximum value of 24.201 seconds exceeds the historical average of 19 seconds.'} -2025-08-21 15:36:59,833 - INFO - Running monitoring cycle... -2025-08-21 15:37:22,612 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:42:22,612 - INFO - Running monitoring cycle... -2025-08-21 15:42:45,403 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:47:45,404 - INFO - Running monitoring cycle... -2025-08-21 15:49:10,394 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:54:10,394 - INFO - Running monitoring cycle... -2025-08-21 15:54:33,205 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 15:59:33,206 - INFO - Running monitoring cycle... -2025-08-21 15:59:57,148 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current CPU temperature (81.0) has increased by 0 degrees compared to the average CPU temperature, which could be a sign of unusual system load or overheating.'} -2025-08-21 16:04:57,149 - INFO - Running monitoring cycle... -2025-08-21 16:05:21,119 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The average Round Trip Time (RTT) has increased from 19 to 20.475 seconds, exceeding the historical baseline by a significant margin of over 1 second.'} -2025-08-21 16:10:21,120 - INFO - Running monitoring cycle... 
-2025-08-21 16:11:35,976 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:16:35,976 - INFO - Running monitoring cycle... -2025-08-21 16:16:58,822 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:21:58,823 - INFO - Running monitoring cycle... -2025-08-21 16:22:22,761 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current RTT average (21.121) is higher than the historical baseline (19). The difference is greater than 1 second, which is a significant margin.'} -2025-08-21 16:27:22,762 - INFO - Running monitoring cycle... -2025-08-21 16:27:45,565 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:32:45,565 - INFO - Running monitoring cycle... -2025-08-21 16:35:00,574 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:40:00,574 - INFO - Running monitoring cycle... -2025-08-21 16:40:24,425 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The CPU temperature (84.0) exceeds the average CPU temperature (81.0) by more than 5 degrees, indicating a potential issue with system cooling.'} -2025-08-21 16:45:24,426 - INFO - Running monitoring cycle... -2025-08-21 16:45:47,265 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:50:47,266 - INFO - Running monitoring cycle... -2025-08-21 16:51:10,061 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 16:56:10,061 - INFO - Running monitoring cycle... -2025-08-21 16:58:31,462 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been opened on multiple hosts (192.168.2.106, 192.168.2.114, and 192.168.2.122), which may indicate a potential security risk.'} -2025-08-21 17:03:31,463 - INFO - Running monitoring cycle... -2025-08-21 17:03:54,319 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 17:08:54,319 - INFO - Running monitoring cycle... 
-2025-08-21 17:09:17,101 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 17:14:17,101 - INFO - Running monitoring cycle... -2025-08-21 17:14:40,139 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 17:19:40,139 - INFO - Running monitoring cycle... -2025-08-21 17:54:27,038 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 17:59:27,039 - INFO - Running monitoring cycle... -2025-08-21 17:59:49,784 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:04:49,784 - INFO - Running monitoring cycle... -2025-08-21 18:05:12,550 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:10:12,551 - INFO - Running monitoring cycle... -2025-08-21 18:10:35,310 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:15:35,310 - INFO - Running monitoring cycle... -2025-08-21 18:19:25,358 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously closed, but is now open on host 192.168.2.119, which may indicate a new service or device has been added to the network without proper configuration.'} -2025-08-21 18:24:25,358 - INFO - Running monitoring cycle... -2025-08-21 18:24:47,299 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:29:47,300 - INFO - Running monitoring cycle... -2025-08-21 18:30:09,283 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:35:09,283 - INFO - Running monitoring cycle... -2025-08-21 18:35:31,265 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:40:31,265 - INFO - Running monitoring cycle... -2025-08-21 18:41:26,294 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was found open on multiple hosts (192.168.2.104, 102, and 121), which is a known issue as per the Known Issues Feed.'} -2025-08-21 18:46:26,294 - INFO - Running monitoring cycle... 
-2025-08-21 18:46:48,828 - INFO - LLM Response: {'severity': 'high', 'reason': 'Network Round Trip Time (RTT) fluctuation greater than 10 seconds'} -2025-08-21 18:46:49,059 - INFO - Discord alert sent successfully. -2025-08-21 18:46:50,060 - INFO - Google Home alert sent successfully. -2025-08-21 18:51:50,060 - INFO - Running monitoring cycle... -2025-08-21 18:52:12,022 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 18:57:12,022 - INFO - Running monitoring cycle... -2025-08-21 18:57:35,391 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The average Round Trip Time (RTT) has increased from 20 to 19.998, which may indicate a potential network issue. The fluctuation in RTT is greater than 10 seconds.'} -2025-08-21 19:02:35,392 - INFO - Running monitoring cycle... -2025-08-21 19:03:26,652 - INFO - LLM Response: {'severity': 'high', 'reason': 'Access attempts from unknown IP Addresses have been detected, which may indicate unauthorized access to the network.'} -2025-08-21 19:03:27,170 - INFO - Discord alert sent successfully. -2025-08-21 19:03:28,158 - INFO - Google Home alert sent successfully. -2025-08-21 19:08:28,159 - INFO - Running monitoring cycle... -2025-08-21 19:08:51,162 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current RTT average of 19.783 is significantly lower than the historical baseline average of 20, indicating a potential anomaly in network latency.'} -2025-08-21 19:13:51,163 - INFO - Running monitoring cycle... -2025-08-21 19:14:14,117 - INFO - LLM Response: {'severity': 'medium', 'reason': 'RTT max value of 21.675 seconds is significantly higher than the average RTT (20 seconds), which could indicate a potential network issue.'} -2025-08-21 19:19:14,117 - INFO - Running monitoring cycle... 
-2025-08-21 19:19:37,063 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The RTT_max value of 21.03 is higher than the historical average of 20, indicating a potential issue with network connectivity.'} -2025-08-21 19:24:37,063 - INFO - Running monitoring cycle... -2025-08-21 19:27:57,184 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been open for an extended period of time (older than 24 hours) which could indicate a persistent network connection or issue'} -2025-08-21 19:32:57,185 - INFO - Running monitoring cycle... -2025-08-21 19:33:19,133 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 19:38:19,133 - INFO - Running monitoring cycle... -2025-08-21 19:38:41,093 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 19:43:41,093 - INFO - Running monitoring cycle... -2025-08-21 19:44:03,070 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 19:49:03,070 - INFO - Running monitoring cycle... -2025-08-21 20:04:52,316 - INFO - LLM Response: {'severity': 'medium', 'reason': "Port 62078 has been open for a long time and is not normal behavior. According to the Known Issues Feed, this port being open is normal for Apple devices but we should still report it as an anomaly because it's outside of our specified guidelines."} -2025-08-21 20:09:52,316 - INFO - Running monitoring cycle... -2025-08-21 20:10:14,279 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 20:15:14,279 - INFO - Running monitoring cycle... -2025-08-21 20:15:36,270 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 20:20:36,270 - INFO - Running monitoring cycle... -2025-08-21 20:20:58,283 - INFO - LLM Response: {'severity': 'none', 'reason': ''} -2025-08-21 20:25:58,283 - INFO - Running monitoring cycle... 
-2025-08-21 20:27:16,630 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 is open on host 192.168.2.113, which according to the Known Issues Feed is normal behavior for Apple devices and should not be reported.'}
-2025-08-21 20:32:16,631 - INFO - Running monitoring cycle...
-2025-08-21 20:32:38,981 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 20:37:38,982 - INFO - Running monitoring cycle...
-2025-08-21 20:38:03,124 - INFO - LLM Response: {'severity': 'medium', 'reason': 'RTT fluctuation is greater than the threshold of 10 seconds (rtt_min: 19.895, rtt_avg: 20.525, rtt_max: 21.583). This indicates a potential network issue that should be investigated further.'}
-2025-08-21 20:43:03,124 - INFO - Running monitoring cycle...
-2025-08-21 20:43:25,532 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 20:48:25,532 - INFO - Running monitoring cycle...
-2025-08-21 20:50:27,309 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 was open on 192.168.2.113 for an unknown reason which could indicate malware or unauthorized access.'}
-2025-08-21 20:50:27,639 - INFO - Discord alert sent successfully.
-2025-08-21 20:50:29,013 - INFO - Google Home alert sent successfully.
-2025-08-21 20:55:29,013 - INFO - Running monitoring cycle...
-2025-08-21 20:55:51,452 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:00:51,452 - INFO - Running monitoring cycle...
-2025-08-21 21:01:14,532 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT maximum value of 25.327 seconds exceeds the average RTT by a significant margin.'}
-2025-08-21 21:06:14,532 - INFO - Running monitoring cycle...
-2025-08-21 21:06:37,973 - INFO - LLM Response: {'severity': 'high', 'reason': 'The CPU temperature of 86.0 degrees Celsius exceeds the average CPU temperature by more than 5 degrees, which could indicate a potential hardware issue.'}
-2025-08-21 21:06:38,271 - INFO - Discord alert sent successfully.
-2025-08-21 21:06:39,474 - INFO - Google Home alert sent successfully.
-2025-08-21 21:11:39,475 - INFO - Running monitoring cycle...
-2025-08-21 21:12:55,020 - INFO - LLM Response: {'severity': 'medium', 'reason': "Port 62078 has been open on multiple hosts, which is normal behavior for Apple devices, but it's reported in the Known Issues Feed as a potential issue."}
-2025-08-21 21:17:55,021 - INFO - Running monitoring cycle...
-2025-08-21 21:18:17,395 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:23:17,396 - INFO - Running monitoring cycle...
-2025-08-21 21:23:40,952 - INFO - LLM Response: {'severity': 'low', 'reason': 'The current CPU temperature of 79.0 degrees is lower than the average CPU temperature of 81 degrees, which may be a normal behavior for CPUs when not in use.'}
-2025-08-21 21:28:40,953 - INFO - Running monitoring cycle...
-2025-08-21 21:29:03,349 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:34:03,349 - INFO - Running monitoring cycle...
-2025-08-21 21:35:02,739 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:40:02,740 - INFO - Running monitoring cycle...
-2025-08-21 21:40:26,380 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The RTT (Round Trip Time) average of 21.177 seconds is higher than the historical baseline average of 20 seconds, which could indicate a network congestion or latency issue.'}
-2025-08-21 21:45:26,380 - INFO - Running monitoring cycle...
-2025-08-21 21:45:49,053 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:50:49,055 - INFO - Running monitoring cycle...
-2025-08-21 21:51:11,465 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 21:56:11,466 - INFO - Running monitoring cycle...
-2025-08-21 21:57:56,683 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been previously flagged as normal behavior for Apple devices, but it is still open according to the Nmap scan changes.'}
-2025-08-21 22:02:56,684 - INFO - Running monitoring cycle...
-2025-08-21 22:03:19,110 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 22:08:19,110 - INFO - Running monitoring cycle...
-2025-08-21 22:08:41,557 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 22:13:41,557 - INFO - Running monitoring cycle...
-2025-08-21 22:14:03,954 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 22:19:03,954 - INFO - Running monitoring cycle...
-2025-08-21 22:20:23,329 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously open on multiple hosts (192.168.2.130 and 192.168.2.119), but it has now been closed on the host 192.168.2.114, while remaining open on other hosts.'}
-2025-08-21 22:25:23,330 - INFO - Running monitoring cycle...
-2025-08-21 22:25:46,540 - INFO - LLM Response: {'severity': 'medium', 'reason': 'CPU temperature has exceeded its historical average by more than 5 degrees, with a current value of 89.0'}
-2025-08-21 22:30:46,541 - INFO - Running monitoring cycle...
-2025-08-21 22:31:08,948 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 22:36:08,948 - INFO - Running monitoring cycle...
-2025-08-21 22:36:31,381 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 22:41:31,381 - INFO - Running monitoring cycle...
-2025-08-21 22:44:34,215 - ERROR - Error decoding LLM response: Extra data: line 4 column 4 (char 128)
-2025-08-21 22:49:34,215 - INFO - Running monitoring cycle...
-2025-08-21 22:49:57,219 - INFO - LLM Response: {'severity': 'high', 'reason': 'A failed login attempt was detected with no explanation as to why it was attempted.'}
-2025-08-21 22:49:57,391 - INFO - Discord alert sent successfully.
-2025-08-21 22:49:58,556 - INFO - Google Home alert sent successfully.
-2025-08-21 22:54:58,556 - INFO - Running monitoring cycle...
-2025-08-21 22:55:21,746 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The CPU temperature (84.0 degrees) has increased significantly from its average value of 81.0 degrees.'}
-2025-08-21 23:00:21,746 - INFO - Running monitoring cycle...
-2025-08-21 23:00:45,196 - INFO - LLM Response: {'severity': 'high', 'reason': 'The packet RTT min value of 65.607 seconds exceeds the historical baseline average of 21 seconds by a significant margin of 44 seconds.'}
-2025-08-21 23:00:45,595 - INFO - Discord alert sent successfully.
-2025-08-21 23:00:46,843 - INFO - Google Home alert sent successfully.
-2025-08-21 23:05:46,844 - INFO - Running monitoring cycle...
-2025-08-21 23:14:37,951 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 23:19:37,952 - INFO - Running monitoring cycle...
-2025-08-21 23:20:01,560 - INFO - LLM Response: {'severity': 'high', 'reason': 'The RTT fluctuation from the average value of 21 seconds is greater than 10 seconds (min: 19.087, max: 21.499).'}
-2025-08-21 23:20:01,794 - INFO - Discord alert sent successfully.
-2025-08-21 23:20:03,185 - INFO - Google Home alert sent successfully.
-2025-08-21 23:25:03,185 - INFO - Running monitoring cycle...
-2025-08-21 23:25:25,606 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 23:30:25,607 - INFO - Running monitoring cycle...
-2025-08-21 23:30:48,045 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 23:35:48,045 - INFO - Running monitoring cycle...
-2025-08-21 23:37:42,175 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 is open, which is considered an anomaly according to the Known Issues Feed.'}
-2025-08-21 23:42:42,175 - INFO - Running monitoring cycle...
-2025-08-21 23:43:05,965 - INFO - LLM Response: {'severity': 'high', 'reason': 'Network Round Trip Time (RTT) fluctuation greater than 10 seconds: current RTT max of 28.963 is more than 7.9 seconds above the average baseline RTT'}
-2025-08-21 23:43:06,331 - INFO - Discord alert sent successfully.
-2025-08-21 23:43:07,869 - INFO - Google Home alert sent successfully.
-2025-08-21 23:48:07,869 - INFO - Running monitoring cycle...
-2025-08-21 23:48:30,405 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 23:53:30,405 - INFO - Running monitoring cycle...
-2025-08-21 23:53:52,856 - INFO - LLM Response: {'severity': 'none', 'reason': ''}
-2025-08-21 23:58:52,856 - INFO - Running monitoring cycle...