INSyT is an LLM-based Network Intrusion Detection System designed to detect and analyze anomalous and dangerous network and system behavior. The trained model for this project can be found on Hugging Face.
This software can be installed using pip:
pip install insyt
Note: INSyT requires a Redis server running on your machine. Visit the Redis documentation to learn how to start a Redis server on your OS.
Note: Generative AI analysis is built on Ollama, so Ollama must be installed on your machine. Visit their GitHub repository to learn how to install it on your specific system. After installing Ollama, run the following to create the insyt model:
ollama create insyt -f insyt/models/ollama/Modelfile
You can still use the software without installing Ollama, just without analysis and response recommendations.
Note for Windows users: Redis is not officially supported on Windows. However, you can install Redis on Windows for development by following these instructions.
To start monitoring log files, run the following command in your terminal:
insyt --watch /path/to/your/file1 /path/to/your/file2 /path/to/dir/
Replace /path/to/your/file1 and /path/to/your/file2 with the actual paths to the files you want to watch. The file watcher will then monitor these files for changes and load any new lines into the database. If you pass in a directory, the system will monitor all files within that directory.
It also places each new line onto a Redis queue for classification and analysis, and processes those jobs.
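To make concrete what the watcher described above does (tail files from their current end, queue only complete new lines, classify each one, analyze only the flagged ones, and persist the results in SQLite), here is an added Python illustration. It is not INSyT's own code: the deque stands in for the Redis job queue, keyword_classify and toy_analyze are placeholders for the fine-tuned classifier and the Ollama insyt model, the table schema and the names LineWatcher, add_path, poll, process and demo are assumptions, and the sshd/sudo log lines written by demo() are constructed for the example.

```python
"""Added illustration of INSyT's watch -> queue -> classify pipeline; not the project's code."""
import os
import sqlite3
import tempfile
from collections import deque
from pathlib import Path

# Placeholder stand-ins (assumptions): keyword rules for the fine-tuned classifier,
# a canned string for the Ollama "insyt" analysis model.
SUSPECT_MARKERS = ("Failed password", "Invalid user", "COMMAND=")

def keyword_classify(line):
    return "suspicious" if any(m in line for m in SUSPECT_MARKERS) else "benign"

def toy_analyze(line):
    return "manual review recommended: " + line[-40:]

class LineWatcher:
    """Tails files, queues new lines (deque stands in for the Redis list), persists results in SQLite."""

    def __init__(self, db_path, classify, analyze=None):
        self.conn = sqlite3.connect(db_path)
        self.conn.execute("CREATE TABLE IF NOT EXISTS lines (id INTEGER PRIMARY KEY, "
                          "path TEXT, line TEXT, label TEXT, analysis TEXT)")
        self.conn.commit()
        self.offsets = {}            # bytes already consumed, per watched file
        self.queue = deque()         # (path, line) jobs awaiting classification
        self.classify = classify
        self.analyze = analyze       # None mirrors running without Ollama: no analysis column

    def add_path(self, path):
        """Watch one file, or every regular file in a directory, starting from its current end."""
        target = Path(path)
        files = [target] if target.is_file() else sorted(f for f in target.iterdir() if f.is_file())
        for f in files:
            self.offsets[str(f)] = f.stat().st_size   # existing content is not "new"
        return [str(f) for f in files]

    def poll(self):
        """Read bytes appended since the last poll and queue complete lines; returns the count."""
        queued = 0
        for path, offset in list(self.offsets.items()):
            size = os.path.getsize(path)
            if size < offset:        # truncated or rotated in place: start over
                offset = 0
            if size == offset:
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                chunk = fh.read(size - offset)
            parts = chunk.split(b"\n")
            partial = parts.pop()    # bytes after the last newline: a line still being written
            self.offsets[path] = size - len(partial)
            for raw in parts:
                line = raw.decode("utf-8", errors="replace").rstrip("\r")
                if line:
                    self.queue.append((path, line))
                    queued += 1
        return queued

    def process(self):
        """Drain the queue: classify each line, analyze only flagged ones, persist. Returns rows written."""
        written = 0
        while self.queue:
            path, line = self.queue.popleft()
            label = self.classify(line)
            analysis = self.analyze(line) if self.analyze and label != "benign" else None
            self.conn.execute("INSERT INTO lines (path, line, label, analysis) VALUES (?, ?, ?, ?)",
                              (path, line, label, analysis))
            written += 1
        self.conn.commit()
        return written

    def rows(self):
        return self.conn.execute("SELECT path, line, label, analysis FROM lines ORDER BY id").fetchall()

def demo(with_analysis=True):
    """End-to-end run on constructed sshd/sudo lines; returns (first_poll, second_poll, rows)."""
    workdir = tempfile.mkdtemp()
    logdir = os.path.join(workdir, "logs")   # keep the DB out of the watched directory
    os.mkdir(logdir)
    log = os.path.join(logdir, "auth.log")
    with open(log, "w") as fh:
        fh.write("Jan  1 00:00:00 host sshd[1]: Server listening on 0.0.0.0 port 22.\n")
    watcher = LineWatcher(os.path.join(workdir, "insyt.db"), keyword_classify,
                          analyze=toy_analyze if with_analysis else None)
    watcher.add_path(logdir)
    with open(log, "a") as fh:
        fh.write("Jan  1 00:00:01 host sshd[2]: Accepted publickey for alice from 198.51.100.7\n"
                 "Jan  1 00:00:02 host sshd[3]: Failed password for root from 203.0.113.5 port 4444 ssh2\n"
                 "Jan  1 00:00:03 host sudo:  bob : TTY=pts/0 ; COMMAND=/bin/bash")   # no newline yet
    first = watcher.poll()                    # 2 complete lines; the sudo line waits for its newline
    with open(log, "a") as fh:
        fh.write("\n")
    second = watcher.poll()                   # the completed sudo line
    watcher.process()
    return first, second, watcher.rows()
```

Calling demo() returns (2, 1, rows): the line that existed before watching began is never processed, the half-written sudo line is held back until its newline arrives, and the analysis column is filled only for lines the classifier flagged. The two checks that a naive tail gets wrong are the retained partial line and the size-shrank-so-restart test for truncated or rotated files; keeping the database outside the watched directory matters too, otherwise the watcher would tail its own SQLite file.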
The INSyT SQLite database is stored by default at ~/.cache/insyt/insyt.db. You can also pass in a different database filename using the --db flag. For example:
insyt --watch /path/to/your/file1 /path/to/your/file2 --db /path/to/your/db
Replace /path/to/your/db with the actual path to the database file you want to use.
Run with the --purge flag to delete all rows in the database before starting to monitor files.
insyt --watch /path/to/watch/dir/ --purge
If you want to run in debug mode, use the --debug flag.
The frontend application can be used to view and analyze log line classifications.
The frontend is automatically served in the background while INSyT file monitoring is running. You can specify the port it is served on using the --port flag (default is 5656).
insyt --watch /path/to/dir/ --port 8001
Alternatively, you can serve just the frontend and inference APIs (without file monitoring) using insyt-server.
insyt-server --port 8001
Navigate to http://localhost:[your port here] to view and interact with the frontend application.
Navigate to http://localhost:[your port here]/docs to read the inference and database server API documentation (provided by Swagger UI).
Good luck...