From bebedb1e151dd36eeecaa517a1300badf65a4531 Mon Sep 17 00:00:00 2001 From: Spencer Date: Sat, 23 Aug 2025 16:04:49 -0500 Subject: [PATCH] Trying to help the LLM --- PROGRESS.md | 16 +- config.py | 2 +- data_storage.py | 3 +- monitor_agent.py | 46 ++++-- monitoring_agent.log.2025-08-21 | 262 ++++++++++++++++++++++++++++++++ port_applications.json | 19 +++ requirements.txt | 7 +- test_output.log | 22 +++ 8 files changed, 353 insertions(+), 24 deletions(-) create mode 100644 monitoring_agent.log.2025-08-21 create mode 100644 port_applications.json create mode 100644 test_output.log diff --git a/PROGRESS.md b/PROGRESS.md index 2b97c6a..ece0cb6 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -61,13 +61,10 @@ 37. [x] Update `README.md` with current project status and improvements. 38. [x] Create `AGENTS.md` to document human and autonomous agents. -## Keeping track of Current Objectives - -[x] Improve "high" priority detection by explicitly instructing LLM to output severity in structured JSON format. -[x] Implement dynamic contextual information (Known/Resolved Issues Feed) for LLM to improve severity detection. - -## TODO +## Previous TODO +- [x] Improve "high" priority detection by explicitly instructing LLM to output severity in structured JSON format. +- [x] Implement dynamic contextual information (Known/Resolved Issues Feed) for LLM to improve severity detection. - [x] Change baseline calculations to only use integers instead of floats. - [x] Add a log file that only keeps records for the past 24 hours. - [x] Log all LLM responses to the console. @@ -75,4 +72,9 @@ - [x] Get hostnames of devices in Nmap scan. - [x] Filter out RTT fluctuations below 10 seconds. - [x] Filter out temperature fluctuations with differences less than 5 degrees. -- [ ] Create a list of known port numbers and their applications for the LLM to check against to see if an open port is a threat \ No newline at end of file +- [x] Create a list of known port numbers and their applications for the LLM to check against to see if an open port is a threat +- [x] When calculating averages, please round up to the nearest integer. We only want to deliver whole integers to the LLM to process, and nothing with decimal points. It gets confused with decimal points. +- [x] In the discord message, please include the exact specific details and the log of the problem that prompted the alert + +## TODO + diff --git a/config.py b/config.py index 5ff9aa4..ad2656c 100644 --- a/config.py +++ b/config.py @@ -9,7 +9,7 @@ HOME_ASSISTANT_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJjOGRmZjI GOOGLE_HOME_SPEAKER_ID = "media_player.spencer_room_speaker" # Daily Recap Time (in 24-hour format, e.g., "20:00") -DAILY_RECAP_TIME = "20:00" +DAILY_RECAP_TIME = "18:28" # Nmap Configuration NMAP_TARGETS = "192.168.2.0/24" diff --git a/data_storage.py b/data_storage.py index dd74178..1678a8e 100644 --- a/data_storage.py +++ b/data_storage.py @@ -1,6 +1,7 @@ import json import os from datetime import datetime, timedelta, timezone +import math DATA_FILE = 'monitoring_data.json' @@ -19,7 +20,7 @@ def store_data(new_data): def _calculate_average(data, key1, key2): """Helper function to calculate the average of a nested key in a list of dicts.""" values = [d[key1][key2] for d in data if key1 in d and key2 in d[key1] and d[key1][key2] != "N/A"] - return int(sum(values) / len(values)) if values else 0 + return math.ceil(sum(values) / len(values)) if values else 0 def calculate_baselines(): data = load_data() diff --git a/monitor_agent.py b/monitor_agent.py index 4b70627..54ca22e 100644 --- a/monitor_agent.py +++ b/monitor_agent.py @@ -15,6 +15,8 @@ import nmap import logging from logging.handlers import TimedRotatingFileHandler +import schedule + # Load configuration import config @@ -192,7 +194,7 @@ def get_nmap_scan_results(): # --- LLM Interaction Function --- -def build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues): +def build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues, port_applications): """Builds the prompt for the LLM analysis.""" return f""" **Role:** You are a dedicated and expert system administrator. Your primary role is to identify anomalies and provide concise, actionable reports. @@ -211,6 +213,9 @@ def build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues): **Known Issues Feed:** {json.dumps(known_issues, indent=2)} + **Known Port Applications:** + {json.dumps(port_applications, indent=2)} + **Constraints and Guidelines:** {constraints} @@ -228,6 +233,9 @@ def analyze_data_with_llm(data, baselines): with open("known_issues.json", "r") as f: known_issues = json.load(f) + with open("port_applications.json", "r") as f: + port_applications = json.load(f) + # Compare current nmap results with baseline nmap_changes = {"new_hosts": [], "changed_ports": {}} if "nmap_results" in data and "host_ports" in baselines: @@ -250,7 +258,7 @@ def analyze_data_with_llm(data, baselines): if newly_opened or newly_closed: nmap_changes["changed_ports"][host_ip] = {"opened": newly_opened, "closed": newly_closed} - prompt = build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues) + prompt = build_llm_prompt(data, baselines, nmap_changes, constraints, known_issues, port_applications) try: response = ollama.generate(model="llama3.1:8b", prompt=prompt) @@ -282,8 +290,10 @@ def analyze_data_with_llm(data, baselines): # --- Alerting Functions --- -def send_discord_alert(message): +def send_discord_alert(llm_response, combined_data): """Sends an alert to Discord.""" + reason = llm_response.get('reason', 'No reason provided.') + message = f"**High Severity Alert:**\n> {reason}\n\n**Relevant Data:**\n```json\n{json.dumps(combined_data, indent=2)}\n```" webhook = DiscordWebhook(url=config.DISCORD_WEBHOOK_URL, content=message) try: response = webhook.execute() @@ -332,7 +342,25 @@ def is_alerting_time(): daily_events = [] + +def send_daily_recap(): + """Sends a daily recap of events to Discord.""" + global daily_events + if daily_events: + recap_message = "\n".join(daily_events) + webhook = DiscordWebhook(url=config.DISCORD_WEBHOOK_URL, content=f"**Daily Recap:**\n{recap_message}") + try: + response = webhook.execute() + if response.status_code == 200: + logger.info("Daily recap sent successfully.") + else: + logger.error(f"Error sending daily recap: {response.status_code} - {response.content}") + except Exception as e: + logger.error(f"Error sending daily recap: {e}") + daily_events = [] # Reset for the next day + def run_monitoring_cycle(nmap_scan_counter): + """Runs a single monitoring cycle.""" logger.info("Running monitoring cycle...") system_logs = get_system_logs() @@ -368,7 +396,7 @@ def run_monitoring_cycle(nmap_scan_counter): if llm_response and llm_response.get('severity') != "none": daily_events.append(llm_response.get('reason')) if llm_response.get('severity') == "high" and is_alerting_time(): - send_discord_alert(llm_response.get('reason')) + send_discord_alert(llm_response, combined_data) send_google_home_alert(llm_response.get('reason')) return nmap_scan_counter @@ -378,17 +406,11 @@ def main(): logger.info("Running in test mode...") run_monitoring_cycle(0) else: + schedule.every().day.at(config.DAILY_RECAP_TIME).do(send_daily_recap) nmap_scan_counter = 0 while True: nmap_scan_counter = run_monitoring_cycle(nmap_scan_counter) - - # Daily Recap Logic - current_time = time.strftime("%H:%M") - if current_time == config.DAILY_RECAP_TIME and daily_events: # type: ignore - recap_message = "\n".join(daily_events) - send_discord_alert(f"**Daily Recap:**\n{recap_message}") - daily_events = [] # Reset for the next day - + schedule.run_pending() time.sleep(300) # Run every 5 minutes if __name__ == "__main__": diff --git a/monitoring_agent.log.2025-08-21 b/monitoring_agent.log.2025-08-21 new file mode 100644 index 0000000..52c13d3 --- /dev/null +++ b/monitoring_agent.log.2025-08-21 @@ -0,0 +1,262 @@ +2025-08-21 12:13:49,398 - INFO - Running in test mode... +2025-08-21 12:13:49,398 - INFO - Running monitoring cycle... +2025-08-21 12:13:51,451 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:17:01,027 - INFO - Running in test mode... +2025-08-21 12:17:01,028 - INFO - Running monitoring cycle... +2025-08-21 12:17:03,081 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:17:27,908 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 has been open for a significant margin (delta value > 10) which could indicate unauthorized access or malicious activity.'} +2025-08-21 12:17:28,261 - INFO - Discord alert sent successfully. +2025-08-21 12:17:29,787 - INFO - Google Home alert sent successfully. +2025-08-21 12:25:11,136 - INFO - Running in test mode... +2025-08-21 12:25:11,136 - INFO - Running monitoring cycle... +2025-08-21 12:25:13,191 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:25:53,246 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 135 and 2179 are open on host 192.168.2.116, which may indicate a potential vulnerability.'} +2025-08-21 12:25:53,247 - INFO - is_alerting_time check: returning True for testing +2025-08-21 12:25:53,516 - INFO - Discord alert sent successfully. +2025-08-21 12:25:55,036 - INFO - Google Home alert sent successfully. +2025-08-21 12:28:47,747 - INFO - Running in test mode... +2025-08-21 12:28:47,747 - INFO - Running monitoring cycle... +2025-08-21 12:28:49,803 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:31:53,625 - INFO - LLM Response: {'severity': 'low', 'reason': 'Port 62078 was previously open, but is now closed on host 192.168.2.117.'} +2025-08-21 12:33:10,733 - INFO - Running in test mode... +2025-08-21 12:33:10,733 - INFO - Running monitoring cycle... +2025-08-21 12:33:12,784 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:33:39,931 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 12:34:41,548 - INFO - Running in test mode... +2025-08-21 12:34:41,549 - INFO - Running monitoring cycle... +2025-08-21 12:34:43,602 - WARNING - Nmap -sS scan requires root privileges. Falling back to -sT. +2025-08-21 12:35:10,189 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 12:38:03,773 - INFO - Running in test mode... +2025-08-21 12:38:03,773 - INFO - Running monitoring cycle... +2025-08-21 12:46:43,806 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 13:22:20,796 - INFO - Running monitoring cycle... +2025-08-21 13:23:35,642 - INFO - LLM Response: {'severity': 'high', 'reason': 'Several closed ports on 192.168.2.114 have been detected in the Nmap Scan Changes: The ports that were previously open but are now closed are [2222, 3000, 5678, 8001, 8083, 8085, 8088, 8089, 8181, 8888]. This could indicate a security risk as it may be indicative of an external entity attempting to access internal services or resources.'} +2025-08-21 13:23:35,921 - INFO - Discord alert sent successfully. +2025-08-21 13:23:38,116 - INFO - Google Home alert sent successfully. +2025-08-21 13:28:38,117 - INFO - Running monitoring cycle... +2025-08-21 13:29:00,916 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 13:34:00,916 - INFO - Running monitoring cycle... +2025-08-21 13:34:23,658 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 13:39:23,658 - INFO - Running monitoring cycle... +2025-08-21 13:39:47,690 - INFO - LLM Response: {'severity': 'high', 'reason': 'The current RTT average (19.725) is significantly higher than the historical baseline value (19), with a difference of 0.725 seconds, which exceeds the 10-second threshold.'} +2025-08-21 13:39:47,998 - INFO - Discord alert sent successfully. +2025-08-21 13:39:49,884 - INFO - Google Home alert sent successfully. +2025-08-21 13:44:49,884 - INFO - Running monitoring cycle... +2025-08-21 13:51:42,600 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was found open on host 192.168.2.104, which is not a critical issue but should be monitored.'} +2025-08-21 13:56:42,601 - INFO - Running monitoring cycle... +2025-08-21 13:57:05,364 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 14:02:05,364 - INFO - Running monitoring cycle... +2025-08-21 14:02:28,186 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 14:07:28,186 - INFO - Running monitoring cycle... +2025-08-21 14:07:52,473 - INFO - LLM Response: {'severity': 'high', 'reason': 'CPU temperature has reached a critical value of 80 degrees Celsius, which is higher than the average baseline value of 82 degrees. This may indicate overheating and potential hardware damage.'} +2025-08-21 14:07:52,721 - INFO - Discord alert sent successfully. +2025-08-21 14:07:54,214 - INFO - Google Home alert sent successfully. +2025-08-21 14:12:54,215 - INFO - Running monitoring cycle... +2025-08-21 14:14:48,339 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 14:19:48,339 - INFO - Running monitoring cycle... +2025-08-21 14:20:12,301 - INFO - LLM Response: {'severity': 'high', 'reason': 'The average round trip time (RTT) has increased significantly from the historical baseline of 19ms to 27.927ms, indicating a potential issue with network connectivity.'} +2025-08-21 14:20:12,596 - INFO - Discord alert sent successfully. +2025-08-21 14:20:14,222 - INFO - Google Home alert sent successfully. +2025-08-21 14:25:14,222 - INFO - Running monitoring cycle... +2025-08-21 14:25:38,561 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT (Round Trip Time) fluctuation of 0.336 seconds between minimum and maximum values exceeds the average baseline value, but does not exceed the threshold for significant margin.'} +2025-08-21 14:30:38,561 - INFO - Running monitoring cycle... +2025-08-21 14:31:02,101 - INFO - LLM Response: {'severity': 'high', 'reason': 'The CPU temperature of 82 degrees exceeds the average temperature by a significant margin (delta value: +0).'} +2025-08-21 14:31:02,305 - INFO - Discord alert sent successfully. +2025-08-21 14:31:03,270 - INFO - Google Home alert sent successfully. +2025-08-21 14:36:03,270 - INFO - Running monitoring cycle... +2025-08-21 14:38:11,837 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 has been closed unexpectedly, which may indicate a security issue or a change in system configuration.'} +2025-08-21 14:38:12,063 - INFO - Discord alert sent successfully. +2025-08-21 14:38:13,086 - INFO - Google Home alert sent successfully. +2025-08-21 14:43:13,086 - INFO - Running monitoring cycle... +2025-08-21 14:43:35,862 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 14:48:35,864 - INFO - Running monitoring cycle... +2025-08-21 14:48:58,650 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 14:53:58,650 - INFO - Running monitoring cycle... +2025-08-21 14:54:22,771 - INFO - LLM Response: {'severity': 'high', 'reason': 'The current CPU temperature (81.0°C) exceeds the average CPU temperature by a significant margin of 1.0°C, which is greater than the allowed fluctuation threshold of 5°C.'} +2025-08-21 14:54:23,089 - INFO - Discord alert sent successfully. +2025-08-21 14:54:24,648 - INFO - Google Home alert sent successfully. +2025-08-21 14:59:24,649 - INFO - Running monitoring cycle... +2025-08-21 15:02:53,241 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The port 62078 is open on host 192.168.2.119, which was previously closed and had a high number of closed ports.'} +2025-08-21 15:07:53,242 - INFO - Running monitoring cycle... +2025-08-21 15:08:16,292 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:13:16,293 - INFO - Running monitoring cycle... +2025-08-21 15:13:39,106 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:18:39,107 - INFO - Running monitoring cycle... +2025-08-21 15:19:01,901 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:24:01,902 - INFO - Running monitoring cycle... +2025-08-21 15:26:36,387 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously reported as a known issue, but it has been re-opened on host 192.168.2.106, which could indicate a new anomaly.'} +2025-08-21 15:31:36,387 - INFO - Running monitoring cycle... +2025-08-21 15:31:59,832 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT maximum value of 24.201 seconds exceeds the historical average of 19 seconds.'} +2025-08-21 15:36:59,833 - INFO - Running monitoring cycle... +2025-08-21 15:37:22,612 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:42:22,612 - INFO - Running monitoring cycle... +2025-08-21 15:42:45,403 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:47:45,404 - INFO - Running monitoring cycle... +2025-08-21 15:49:10,394 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:54:10,394 - INFO - Running monitoring cycle... +2025-08-21 15:54:33,205 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 15:59:33,206 - INFO - Running monitoring cycle... +2025-08-21 15:59:57,148 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current CPU temperature (81.0) has increased by 0 degrees compared to the average CPU temperature, which could be a sign of unusual system load or overheating.'} +2025-08-21 16:04:57,149 - INFO - Running monitoring cycle... +2025-08-21 16:05:21,119 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The average Round Trip Time (RTT) has increased from 19 to 20.475 seconds, exceeding the historical baseline by a significant margin of over 1 second.'} +2025-08-21 16:10:21,120 - INFO - Running monitoring cycle... +2025-08-21 16:11:35,976 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:16:35,976 - INFO - Running monitoring cycle... +2025-08-21 16:16:58,822 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:21:58,823 - INFO - Running monitoring cycle... +2025-08-21 16:22:22,761 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current RTT average (21.121) is higher than the historical baseline (19). The difference is greater than 1 second, which is a significant margin.'} +2025-08-21 16:27:22,762 - INFO - Running monitoring cycle... +2025-08-21 16:27:45,565 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:32:45,565 - INFO - Running monitoring cycle... +2025-08-21 16:35:00,574 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:40:00,574 - INFO - Running monitoring cycle... +2025-08-21 16:40:24,425 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The CPU temperature (84.0) exceeds the average CPU temperature (81.0) by more than 5 degrees, indicating a potential issue with system cooling.'} +2025-08-21 16:45:24,426 - INFO - Running monitoring cycle... +2025-08-21 16:45:47,265 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:50:47,266 - INFO - Running monitoring cycle... +2025-08-21 16:51:10,061 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 16:56:10,061 - INFO - Running monitoring cycle... +2025-08-21 16:58:31,462 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been opened on multiple hosts (192.168.2.106, 192.168.2.114, and 192.168.2.122), which may indicate a potential security risk.'} +2025-08-21 17:03:31,463 - INFO - Running monitoring cycle... +2025-08-21 17:03:54,319 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 17:08:54,319 - INFO - Running monitoring cycle... +2025-08-21 17:09:17,101 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 17:14:17,101 - INFO - Running monitoring cycle... +2025-08-21 17:14:40,139 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 17:19:40,139 - INFO - Running monitoring cycle... +2025-08-21 17:54:27,038 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 17:59:27,039 - INFO - Running monitoring cycle... +2025-08-21 17:59:49,784 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:04:49,784 - INFO - Running monitoring cycle... +2025-08-21 18:05:12,550 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:10:12,551 - INFO - Running monitoring cycle... +2025-08-21 18:10:35,310 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:15:35,310 - INFO - Running monitoring cycle... +2025-08-21 18:19:25,358 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously closed, but is now open on host 192.168.2.119, which may indicate a new service or device has been added to the network without proper configuration.'} +2025-08-21 18:24:25,358 - INFO - Running monitoring cycle... +2025-08-21 18:24:47,299 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:29:47,300 - INFO - Running monitoring cycle... +2025-08-21 18:30:09,283 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:35:09,283 - INFO - Running monitoring cycle... +2025-08-21 18:35:31,265 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:40:31,265 - INFO - Running monitoring cycle... +2025-08-21 18:41:26,294 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was found open on multiple hosts (192.168.2.104, 102, and 121), which is a known issue as per the Known Issues Feed.'} +2025-08-21 18:46:26,294 - INFO - Running monitoring cycle... +2025-08-21 18:46:48,828 - INFO - LLM Response: {'severity': 'high', 'reason': 'Network Round Trip Time (RTT) fluctuation greater than 10 seconds'} +2025-08-21 18:46:49,059 - INFO - Discord alert sent successfully. +2025-08-21 18:46:50,060 - INFO - Google Home alert sent successfully. +2025-08-21 18:51:50,060 - INFO - Running monitoring cycle... +2025-08-21 18:52:12,022 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 18:57:12,022 - INFO - Running monitoring cycle... +2025-08-21 18:57:35,391 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The average Round Trip Time (RTT) has increased from 20 to 19.998, which may indicate a potential network issue. The fluctuation in RTT is greater than 10 seconds.'} +2025-08-21 19:02:35,392 - INFO - Running monitoring cycle... +2025-08-21 19:03:26,652 - INFO - LLM Response: {'severity': 'high', 'reason': 'Access attempts from unknown IP Addresses have been detected, which may indicate unauthorized access to the network.'} +2025-08-21 19:03:27,170 - INFO - Discord alert sent successfully. +2025-08-21 19:03:28,158 - INFO - Google Home alert sent successfully. +2025-08-21 19:08:28,159 - INFO - Running monitoring cycle... +2025-08-21 19:08:51,162 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The current RTT average of 19.783 is significantly lower than the historical baseline average of 20, indicating a potential anomaly in network latency.'} +2025-08-21 19:13:51,163 - INFO - Running monitoring cycle... +2025-08-21 19:14:14,117 - INFO - LLM Response: {'severity': 'medium', 'reason': 'RTT max value of 21.675 seconds is significantly higher than the average RTT (20 seconds), which could indicate a potential network issue.'} +2025-08-21 19:19:14,117 - INFO - Running monitoring cycle... +2025-08-21 19:19:37,063 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The RTT_max value of 21.03 is higher than the historical average of 20, indicating a potential issue with network connectivity.'} +2025-08-21 19:24:37,063 - INFO - Running monitoring cycle... +2025-08-21 19:27:57,184 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been open for an extended period of time (older than 24 hours) which could indicate a persistent network connection or issue'} +2025-08-21 19:32:57,185 - INFO - Running monitoring cycle... +2025-08-21 19:33:19,133 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 19:38:19,133 - INFO - Running monitoring cycle... +2025-08-21 19:38:41,093 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 19:43:41,093 - INFO - Running monitoring cycle... +2025-08-21 19:44:03,070 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 19:49:03,070 - INFO - Running monitoring cycle... +2025-08-21 20:04:52,316 - INFO - LLM Response: {'severity': 'medium', 'reason': "Port 62078 has been open for a long time and is not normal behavior. According to the Known Issues Feed, this port being open is normal for Apple devices but we should still report it as an anomaly because it's outside of our specified guidelines."} +2025-08-21 20:09:52,316 - INFO - Running monitoring cycle... +2025-08-21 20:10:14,279 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 20:15:14,279 - INFO - Running monitoring cycle... +2025-08-21 20:15:36,270 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 20:20:36,270 - INFO - Running monitoring cycle... +2025-08-21 20:20:58,283 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 20:25:58,283 - INFO - Running monitoring cycle... +2025-08-21 20:27:16,630 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 is open on host 192.168.2.113, which according to the Known Issues Feed is normal behavior for Apple devices and should not be reported.'} +2025-08-21 20:32:16,631 - INFO - Running monitoring cycle... +2025-08-21 20:32:38,981 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 20:37:38,982 - INFO - Running monitoring cycle... +2025-08-21 20:38:03,124 - INFO - LLM Response: {'severity': 'medium', 'reason': 'RTT fluctuation is greater than the threshold of 10 seconds (rtt_min: 19.895, rtt_avg: 20.525, rtt_max: 21.583). This indicates a potential network issue that should be investigated further.'} +2025-08-21 20:43:03,124 - INFO - Running monitoring cycle... +2025-08-21 20:43:25,532 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 20:48:25,532 - INFO - Running monitoring cycle... +2025-08-21 20:50:27,309 - INFO - LLM Response: {'severity': 'high', 'reason': 'Port 62078 was open on 192.168.2.113 for an unknown reason which could indicate malware or unauthorized access.'} +2025-08-21 20:50:27,639 - INFO - Discord alert sent successfully. +2025-08-21 20:50:29,013 - INFO - Google Home alert sent successfully. +2025-08-21 20:55:29,013 - INFO - Running monitoring cycle... +2025-08-21 20:55:51,452 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:00:51,452 - INFO - Running monitoring cycle... +2025-08-21 21:01:14,532 - INFO - LLM Response: {'severity': 'low', 'reason': 'The RTT maximum value of 25.327 seconds exceeds the average RTT by a significant margin.'} +2025-08-21 21:06:14,532 - INFO - Running monitoring cycle... +2025-08-21 21:06:37,973 - INFO - LLM Response: {'severity': 'high', 'reason': 'The CPU temperature of 86.0 degrees Celsius exceeds the average CPU temperature by more than 5 degrees, which could indicate a potential hardware issue.'} +2025-08-21 21:06:38,271 - INFO - Discord alert sent successfully. +2025-08-21 21:06:39,474 - INFO - Google Home alert sent successfully. +2025-08-21 21:11:39,475 - INFO - Running monitoring cycle... +2025-08-21 21:12:55,020 - INFO - LLM Response: {'severity': 'medium', 'reason': "Port 62078 has been open on multiple hosts, which is normal behavior for Apple devices, but it's reported in the Known Issues Feed as a potential issue."} +2025-08-21 21:17:55,021 - INFO - Running monitoring cycle... +2025-08-21 21:18:17,395 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:23:17,396 - INFO - Running monitoring cycle... +2025-08-21 21:23:40,952 - INFO - LLM Response: {'severity': 'low', 'reason': 'The current CPU temperature of 79.0 degrees is lower than the average CPU temperature of 81 degrees, which may be a normal behavior for CPUs when not in use.'} +2025-08-21 21:28:40,953 - INFO - Running monitoring cycle... +2025-08-21 21:29:03,349 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:34:03,349 - INFO - Running monitoring cycle... +2025-08-21 21:35:02,739 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:40:02,740 - INFO - Running monitoring cycle... +2025-08-21 21:40:26,380 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The RTT (Round Trip Time) average of 21.177 seconds is higher than the historical baseline average of 20 seconds, which could indicate a network congestion or latency issue.'} +2025-08-21 21:45:26,380 - INFO - Running monitoring cycle... +2025-08-21 21:45:49,053 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:50:49,055 - INFO - Running monitoring cycle... +2025-08-21 21:51:11,465 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 21:56:11,466 - INFO - Running monitoring cycle... +2025-08-21 21:57:56,683 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 has been previously flagged as normal behavior for Apple devices, but it is still open according to the Nmap scan changes.'} +2025-08-21 22:02:56,684 - INFO - Running monitoring cycle... +2025-08-21 22:03:19,110 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 22:08:19,110 - INFO - Running monitoring cycle... +2025-08-21 22:08:41,557 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 22:13:41,557 - INFO - Running monitoring cycle... +2025-08-21 22:14:03,954 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 22:19:03,954 - INFO - Running monitoring cycle... +2025-08-21 22:20:23,329 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 was previously open on multiple hosts (192.168.2.130 and 192.168.2.119), but it has now been closed on the host 192.168.2.114, while remaining open on other hosts.'} +2025-08-21 22:25:23,330 - INFO - Running monitoring cycle... +2025-08-21 22:25:46,540 - INFO - LLM Response: {'severity': 'medium', 'reason': 'CPU temperature has exceeded its historical average by more than 5 degrees, with a current value of 89.0'} +2025-08-21 22:30:46,541 - INFO - Running monitoring cycle... +2025-08-21 22:31:08,948 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 22:36:08,948 - INFO - Running monitoring cycle... +2025-08-21 22:36:31,381 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 22:41:31,381 - INFO - Running monitoring cycle... +2025-08-21 22:44:34,215 - ERROR - Error decoding LLM response: Extra data: line 4 column 4 (char 128) +2025-08-21 22:49:34,215 - INFO - Running monitoring cycle... +2025-08-21 22:49:57,219 - INFO - LLM Response: {'severity': 'high', 'reason': 'A failed login attempt was detected with no explanation as to why it was attempted.'} +2025-08-21 22:49:57,391 - INFO - Discord alert sent successfully. +2025-08-21 22:49:58,556 - INFO - Google Home alert sent successfully. +2025-08-21 22:54:58,556 - INFO - Running monitoring cycle... +2025-08-21 22:55:21,746 - INFO - LLM Response: {'severity': 'medium', 'reason': 'The CPU temperature (84.0 degrees) has increased significantly from its average value of 81.0 degrees.'} +2025-08-21 23:00:21,746 - INFO - Running monitoring cycle... +2025-08-21 23:00:45,196 - INFO - LLM Response: {'severity': 'high', 'reason': 'The packet RTT min value of 65.607 seconds exceeds the historical baseline average of 21 seconds by a significant margin of 44 seconds.'} +2025-08-21 23:00:45,595 - INFO - Discord alert sent successfully. +2025-08-21 23:00:46,843 - INFO - Google Home alert sent successfully. +2025-08-21 23:05:46,844 - INFO - Running monitoring cycle... +2025-08-21 23:14:37,951 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 23:19:37,952 - INFO - Running monitoring cycle... +2025-08-21 23:20:01,560 - INFO - LLM Response: {'severity': 'high', 'reason': 'The RTT fluctuation from the average value of 21 seconds is greater than 10 seconds (min: 19.087, max: 21.499).'} +2025-08-21 23:20:01,794 - INFO - Discord alert sent successfully. +2025-08-21 23:20:03,185 - INFO - Google Home alert sent successfully. +2025-08-21 23:25:03,185 - INFO - Running monitoring cycle... +2025-08-21 23:25:25,606 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 23:30:25,607 - INFO - Running monitoring cycle... +2025-08-21 23:30:48,045 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 23:35:48,045 - INFO - Running monitoring cycle... +2025-08-21 23:37:42,175 - INFO - LLM Response: {'severity': 'medium', 'reason': 'Port 62078 is open, which is considered an anomaly according to the Known Issues Feed.'} +2025-08-21 23:42:42,175 - INFO - Running monitoring cycle... +2025-08-21 23:43:05,965 - INFO - LLM Response: {'severity': 'high', 'reason': 'Network Round Trip Time (RTT) fluctuation greater than 10 seconds: current RTT max of 28.963 is more than 7.9 seconds above the average baseline RTT'} +2025-08-21 23:43:06,331 - INFO - Discord alert sent successfully. +2025-08-21 23:43:07,869 - INFO - Google Home alert sent successfully. +2025-08-21 23:48:07,869 - INFO - Running monitoring cycle... +2025-08-21 23:48:30,405 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 23:53:30,405 - INFO - Running monitoring cycle... +2025-08-21 23:53:52,856 - INFO - LLM Response: {'severity': 'none', 'reason': ''} +2025-08-21 23:58:52,856 - INFO - Running monitoring cycle... diff --git a/port_applications.json b/port_applications.json new file mode 100644 index 0000000..cf0f35e --- /dev/null +++ b/port_applications.json @@ -0,0 +1,19 @@ + +{ + "20": "FTP", + "21": "FTP", + "22": "SSH", + "23": "Telnet", + "25": "SMTP", + "53": "DNS", + "80": "HTTP", + "110": "POP3", + "143": "IMAP", + "443": "HTTPS", + "445": "SMB", + "587": "SMTP", + "993": "IMAPS", + "995": "POP3S", + "3306": "MySQL", + "3389": "RDP" +} diff --git a/requirements.txt b/requirements.txt index 09049d8..8c61ee4 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,6 +1,7 @@ -discord-webhook +pingparsing requests +discord-webhook ollama syslog-rfc5424-parser -pingparsing -python-nmap \ No newline at end of file +python-nmap +schedule \ No newline at end of file diff --git a/test_output.log b/test_output.log new file mode 100644 index 0000000..0fa32b5 --- /dev/null +++ b/test_output.log @@ -0,0 +1,22 @@ +Traceback (most recent call last): + File "/home/artanis/Documents/LLM-Powered-Monitoring-Agent/monitor_agent.py", line 31, in + file_handler = TimedRotatingFileHandler(LOG_FILE, when="midnight", interval=1, backupCount=1) + File "/home/artanis/.pyenv/versions/3.13.1/lib/python3.13/logging/handlers.py", line 223, in __init__ + BaseRotatingHandler.__init__(self, filename, 'a', encoding=encoding, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + delay=delay, errors=errors) + ^^^^^^^^^^^^^^^^^^^^^^^^^^^ + File "/home/artanis/.pyenv/versions/3.13.1/lib/python3.13/logging/handlers.py", line 64, in __init__ + logging.FileHandler.__init__(self, filename, mode=mode, + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^^^^^^ + encoding=encoding, delay=delay, + ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + errors=errors) + ^^^^^^^^^^^^^^ + File "/home/artanis/.pyenv/versions/3.13.1/lib/python3.13/logging/__init__.py", line 1218, in __init__ + StreamHandler.__init__(self, self._open()) + ~~~~~~~~~~^^ + File "/home/artanis/.pyenv/versions/3.13.1/lib/python3.13/logging/__init__.py", line 1247, in _open + return open_func(self.baseFilename, self.mode, + encoding=self.encoding, errors=self.errors) +PermissionError: [Errno 13] Permission denied: '/home/artanis/Documents/LLM-Powered-Monitoring-Agent/monitoring_agent.log'