# Programmatic Network Inference
A project dedicated to exploring how to programmatically visualize, understand, and describe the layout of a network and its inhabitants. By leveraging Suricata, Python, and an LLM of your choosing, these tools may offer a structured approach to analyzing network activity and generating actionable insights.
This project is intended as a proof of concept and a learning tool for those interested in this sort of thing. It is not designed for production environments but rather as a starting point for exploring the intersection of network monitoring, automation, and AI.
- Parse and enrich network traffic data.
- Visualize device relationships and roles.
- Use an LLM to produce human-readable summaries and recommendations for network analysis.
## Features
- Extracts data from Suricata's `eve.json` logs.
- Identifies devices by MAC address, IP, and vendor.
- Summarizes traffic activity (bytes sent/received) and interaction patterns.
- Visualizes device relationships and network topologies.
- Analyzes behavioral patterns to identify potential anomalies.
- Sends structured data to Tines for LLM-driven analysis.
- Handles missing configuration files and automates OUI database setup.
## Installation
```bash
git clone https://github.com/tyler-tee/programmatic-network-inference.git
cd programmatic-network-inference
```
Prerequisites:
- Python 3.8+
- Suricata logs (`eve.json`) configured to include `flow` and `ether` events.
- A valid Tines Webhook URL.

Install the required Python dependencies:
```bash
pip install -r requirements.txt
```
Create a `config.json` file in the project directory:
```json
{
  "TINES_WEBHOOK_URL": "https://your-tines-webhook-url.com"
}
```
## Usage
- Device identification:
  ```bash
  python device_identification.py
  ```
- Generating network topology diagrams:
  ```bash
  python topology_generation.py
  ```
- Analyzing network behavior patterns:
  ```bash
  python net_behavior_analysis.py
  ```
## Scripts
### device_identification.py
- Purpose: Core script for processing Suricata logs and interacting with Tines.
- Key Functions:
  - `extract_device_data()`: Extracts device information from `eve.json` logs.
  - `lookup_mac_vendor()`: Resolves MAC vendors using the OUI database or the fallback API.
  - `send_to_tines()`: Sends structured data to Tines for LLM analysis.
- Example Output:
  ```json
  {
    "devices": [
      {
        "mac": "98:2C:BC:6A:D7:40",
        "ip": "192.168.1.10",
        "vendor": "Cisco Systems",
        "traffic": {
          "bytes_sent": 12345,
          "bytes_received": 67890
        },
        "activity": [
          "Sent 12345 bytes to 192.168.1.1",
          "Received 67890 bytes from 192.168.1.254"
        ]
      }
    ]
  }
  ```
### topology_generation.py
- Purpose: Generates network topology diagrams from Suricata's `eve.json` logs.
- Key Features:
  - Parses `eve.json` to identify devices and their connections.
  - Uses Matplotlib and NetworkX to visualize relationships as a network graph.
  - Outputs a PNG diagram (`network_topology.png`) for analysis and reporting.
- Usage Notes:
  - Ensure `eve.json` contains `flow` and `ether` events for accurate topology generation.
- Example Output: the generated `network_topology.png` diagram.
### net_behavior_analysis.py
- Purpose: Analyzes network behavioral patterns to identify potential anomalies.
- Key Features:
  - Processes Suricata logs to extract behavioral data (e.g., traffic volume, protocol usage).
  - Compares observed patterns against predefined thresholds or baselines.
  - Outputs structured data for further review or integration with Tines.
- Example Output:
  ```json
  {
    "anomalies": [
      {
        "src_ip": "192.168.1.10",
        "issue": "Excessive traffic volume detected",
        "details": {
          "bytes_sent": 1048576,
          "bytes_received": 2097152
        }
      }
    ]
  }
  ```
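The per-device aggregation behind `extract_device_data()` and the threshold comparison described for the behavior analysis, as an added example that is not the project's own code: it reads constructed Suricata `flow` events (the `ether.src_macs`/`dest_macs` layout assumed here is Suricata's flow logging with Ethernet MAC output enabled), builds device records in the shape of the example output above, and flags volume anomalies against a fixed threshold. The OUI table and the sample log lines are constructed for the example.

```python
import json
# Constructed OUI table standing in for the project's OUI database / API lookup.
OUI_TABLE = {"98:2C:BC": "Cisco Systems"}
# Constructed eve.json lines: three flow events with ether MACs, plus one alert
# event the extractor must skip (only flow records carry the byte counters).
SAMPLE_EVE = "\n".join(json.dumps(e) for e in [
    {"event_type": "flow", "src_ip": "192.168.1.10", "dest_ip": "192.168.1.1",
     "flow": {"bytes_toserver": 12345, "bytes_toclient": 0},
     "ether": {"src_macs": ["98:2c:bc:6a:d7:40"], "dest_macs": ["00:11:22:33:44:55"]}},
    {"event_type": "flow", "src_ip": "192.168.1.254", "dest_ip": "192.168.1.10",
     "flow": {"bytes_toserver": 67890, "bytes_toclient": 0},
     "ether": {"src_macs": ["00:aa:bb:cc:dd:ee"], "dest_macs": ["98:2c:bc:6a:d7:40"]}},
    {"event_type": "flow", "src_ip": "192.168.1.20", "dest_ip": "10.0.0.5",
     "flow": {"bytes_toserver": 1048576, "bytes_toclient": 2097152},
     "ether": {"src_macs": ["00:aa:bb:00:00:01"], "dest_macs": ["00:aa:bb:00:00:02"]}},
    {"event_type": "alert", "src_ip": "192.168.1.10", "dest_ip": "192.168.1.1"},
])

def lookup_mac_vendor(mac):
    """Resolve a MAC to a vendor via its 3-byte OUI prefix (constructed table)."""
    return OUI_TABLE.get(mac.upper()[:8], "Unknown")

def extract_device_data(eve_text):
    """Build per-IP device records (MAC, vendor, bytes sent/received, activity)."""
    devices = {}
    def dev(ip, mac):
        return devices.setdefault(ip, {"mac": mac.upper(), "ip": ip, "vendor": lookup_mac_vendor(mac),
                                       "traffic": {"bytes_sent": 0, "bytes_received": 0}, "activity": []})
    for line in eve_text.splitlines():
        ev = json.loads(line) if line.strip() else {}
        if ev.get("event_type") != "flow" or "ether" not in ev:
            continue
        src, dst = ev["src_ip"], ev["dest_ip"]
        smac, dmac = ev["ether"]["src_macs"][0], ev["ether"]["dest_macs"][0]
        # bytes_toserver travels src -> dst, bytes_toclient travels dst -> src
        for a, b, amac, bmac, n in ((src, dst, smac, dmac, ev["flow"].get("bytes_toserver", 0)),
                                    (dst, src, dmac, smac, ev["flow"].get("bytes_toclient", 0))):
            if n:
                dev(a, amac)["traffic"]["bytes_sent"] += n
                dev(a, amac)["activity"].append(f"Sent {n} bytes to {b}")
                dev(b, bmac)["traffic"]["bytes_received"] += n
                dev(b, bmac)["activity"].append(f"Received {n} bytes from {a}")
    return {"devices": list(devices.values())}

def find_anomalies(report, max_bytes=1_000_000):
    """Flag every device whose sent or received volume exceeds a fixed threshold."""
    return {"anomalies": [{"src_ip": d["ip"], "issue": "Excessive traffic volume detected",
                           "details": dict(d["traffic"])}
                          for d in report["devices"] if max(d["traffic"].values()) > max_bytes]}
```

Both endpoints of a large transfer cross the threshold, so a fixed byte limit flags the peer as well as the talker; a per-device baseline, as the script description suggests, narrows that.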
## Configuration Notes
- Suricata Configuration:
  - Ensure `eve.json` includes `flow` and `ether` events to capture MAC addresses and traffic data.
  - Refer to Suricata Configuration for details.
- Tines Workflow:
  - Configure your Tines story to handle the JSON payload and pass it to the LLM for analysis.
- Fallback Mechanism:
  - If the OUI database is unavailable, the script uses `https://api.macvendors.com` for vendor lookups.
## License
This project is licensed under the MIT License.
