In [None]:
# Install necessary package
!pip install google-generativeai pyyaml




In [None]:
!pip install fix-busted-json



In [None]:
import yaml

suricata_config = {
    'vars': {
        'address-groups': {
            'HOME_NET': '["192.168.0.0/16"]',
            'EXTERNAL_NET': '!"$HOME_NET"'
        },
        'port-groups': {
            'HTTP_PORTS': '[80,8080,443]'
        }
    },
    'default-rule-path': '/var/lib/suricata/rules',
    'rule-files': ['suricata.rules', 'local.rules'],
    'logging': {
        'default-log-level': 'notice',
        'outputs': [
            {
                'console': {
                    'enabled': 'yes',
                    'type': 'console',
                    'log-level': 'info'
                }
            },
            {
                'file': {
                    'enabled': 'yes',
                    'level': 'info',
                    'filename': 'suricata.log'
                }
            },
            {
                'eve-log': {
                    'enabled': 'yes',
                    'filetype': 'regular',
                    'filename': 'eve.json',
                    'types': [
                        {'alert': {'payload': 'yes', 'metadata': 'yes'}},
                        {'http': {'extended': 'yes'}},
                        {'dns': {'version': 2}},
                        {'tls': {'extended': 'yes'}},
                        {'files': {'force-magic': 'no', 'force-hash': ['md5', 'sha1']}}
                    ]
                }
            }
        ]
    },
    'af-packet': [
        {
            'interface': 'eth0',
            'threads': 'auto',
            'cluster-id': 99,
            'cluster-type': 'cluster_flow',
            'defrag': 'yes',
            'use-mmap': 'yes',
            'mmap-locked': 'yes'
        }
    ]
}

with open('suricata.yaml', 'w') as file:
    yaml.dump(suricata_config, file)

print("Suricata configuration file 'suricata.yaml' created.")


Suricata configuration file 'suricata.yaml' created.


In [None]:
import json
import random
from datetime import datetime

def generate_ip():
    return f"{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}"

def generate_normal_log():
    return {
        "timestamp": datetime.now().isoformat() + "Z",
        "event_type": "flow",
        "src_ip": generate_ip(),
        "src_port": random.randint(1024, 65535),
        "dest_ip": generate_ip(),
        "dest_port": random.choice([80, 443]),
        "proto": random.choice(["TCP", "UDP"]),
        "flow_id": random.randint(1000000000, 9999999999),
        "app_proto": random.choice(["http", "https"]),
        "flow": {
            "pkts_toserver": random.randint(1, 10),
            "pkts_toclient": random.randint(1, 10),
            "bytes_toserver": random.randint(50, 1000),
            "bytes_toclient": random.randint(50, 1000),
            "start": datetime.now().isoformat() + "Z"
        }
    }

def generate_malicious_log():
    attack_type = random.choice(["SQL Injection", "Cross Site Scripting", "DDoS", "Port Scanning"])
    return {
        "timestamp": datetime.now().isoformat() + "Z",
        "event_type": "alert",
        "src_ip": generate_ip(),
        "src_port": random.randint(1024, 65535),
        "dest_ip": generate_ip(),
        "dest_port": random.choice([80, 443]),
        "proto": "TCP",
        "alert": {
            "action": "blocked",
            "gid": 1,
            "signature_id": random.randint(2000000, 3000000),
            "rev": 1,
            "signature": f"ET ATTACK_INDICATOR {attack_type}",
            "category": "Attempted Administrator Privilege Gain",
            "severity": 3,  # High severity
        },
        "flow_id": random.randint(1000000000, 9999999999),
        "app_proto": "http",
        "flow": {
            "pkts_toserver": random.randint(10, 100),
            "pkts_toclient": random.randint(0, 5),
            "bytes_toserver": random.randint(1000, 10000),
            "bytes_toclient": random.randint(10, 50),
            "start": datetime.now().isoformat() + "Z"
        }
    }

# Generate a mix of 10 normal and 10 malicious logs
logs = [generate_normal_log() for _ in range(10)] + [generate_malicious_log() for _ in range(10)]
random.shuffle(logs)

# Output the logs to a JSON file
with open('eve.json', 'w') as file:
    for log in logs:
        file.write(json.dumps(log) + '\n')

print("Suricata logs 'eve.json' created.")


Suricata logs 'eve.json' created.


In [None]:
import google.generativeai as genai
import json
import sys

# Initialize Gemini API (use your actual key)
genai.configure(api_key="AIzaSyBzP2xWPUPw0SNEuzVez3onXYXJbuEgKIo")

def get_gemini_suggestions(log_entry, config):
    model = genai.GenerativeModel('gemini-1.5-flash')

    try:
        prompt = (
            f"Analyze the following Suricata log entry and YAML configuration. Provide detailed suggestions and code samples to improve "
            f"the configuration to block similar attacks in the future. Return the response in JSON format.\n\n"
            f"Log Entry:\n{json.dumps(log_entry, indent=2)}\n\n"
            f"YAML Configuration:\n{config}\n\n"
            f"Please provide actionable suggestions and relevant configuration updates in JSON format in the following structure:\n\n"
            f"{{\n"
            f"  \"suggestions\": <detailed suggestions here>,\n"
            f"  \"updated_config\": <updated configuration here>\n"
            f"}}"
        )
        response = model.generate_content(prompt)
        if not response.candidates or not response.candidates[0].content.parts:
            raise ValueError("Empty response from Gemini API")
        content_parts = response.candidates[0].content.parts
        content = "".join([part.text for part in content_parts])

        # Print content for debugging purposes
        print("Content:", content)

        # Extract JSON from the content
        start = content.find('{')
        end = content.rfind('}') + 1
        json_content = content[start:end]

        return json.loads(json_content)
    except (KeyError, ValueError, Exception) as e:
        print(f"Error processing log entry: {e}", file=sys.stderr)
        return None

# Load Suricata configuration
with open('suricata.yaml', 'r') as file:
    suricata_config = file.read()

# Analyze logs and send only one severe threat to Gemini
with open('eve.json', 'r') as file:
    processed_severe_log = False  # Flag to check if a severe log has been processed
    for line in file:
        log = json.loads(line)
        if log['event_type'] == 'alert' and log['alert']['severity'] == 3:  # High severity
            if not processed_severe_log:  # Check if a severe log has been processed
                suggestions = get_gemini_suggestions(log, suricata_config)
                if suggestions:
                    print("Suggestions:")
                    print(json.dumps(suggestions['suggestions'], indent=2))
                    print("\nUpdated Configuration:")
                    print(json.dumps(suggestions['updated_config'], indent=2))
                processed_severe_log = True  # Set the flag to True after processing one severe log
                break  # Exit the loop after processing the first high-severity


Content: ```json
{
  "suggestions": [
    "The log entry indicates a port scanning attack, suggesting a potential attempt to identify open ports and services on the target system.  This could be a precursor to further attacks, such as exploitation of vulnerabilities.",
    "The current configuration lacks specific rules to address port scanning.  We need to add rules to detect and block such activities.",
    "To effectively block port scans, we can leverage the Suricata detection engine to identify patterns associated with port scanning behavior.  This involves analyzing the frequency, destination port range, and other characteristics of the scanning traffic.",
    "We can create a rule that triggers when a significant number of connections are initiated towards a single IP address within a short timeframe.  This behavior is often indicative of a port scan.",
    "By implementing these rules, we can proactively identify and block potential port scans before they escalate into more ser

Error processing log entry: Expecting ',' delimiter: line 9 column 918 (char 1920)
