
Add Network Security Analyzer Agent #72


Merged
merged 10 commits into from
May 6, 2025

Conversation

@duel0 (Collaborator) commented Apr 16, 2025

#70

@vmayoral (Member)

Thanks @duel0, pretty exciting to have this into the architecture.

Some comments:

  • agent follows the general pattern, but I don't see how it's "intercepting" traffic to then add it to the context and analyze it. Do you expect the LLM to do this proactively in a background session? Isn't this suboptimal as it'll lose most traffic between "captures"?
  • can you provide a log/example that can be easily reproduced and that shows the Agent's behavior in your testing environment conditions?

@duel0 duel0 linked an issue Apr 16, 2025 that may be closed by this pull request
@duel0 (Collaborator, Author) commented Apr 18, 2025

Added python functions to capture remote traffic in the background.

@duel0 (Collaborator, Author) commented Apr 29, 2025

SSH client paramiko==3.5.1 is needed for cai/tools/network/capture_traffic.py

@duel0 (Collaborator, Author) commented Apr 29, 2025

Edited functions to avoid a continuous read from tshark, limited to 100 packets per single read.
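The two comments above describe the capture approach: run tshark on the remote host over an SSH session and pull its output in bounded batches rather than reading continuously. The following is an added example written for this page, not the PR's `capture_traffic.py` and not project code. It assumes tshark is invoked as `tshark -l -T fields -E separator=/t -e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len` (one tab-separated line per packet, in that field order), and it uses a constructed sample in place of the remote channel's stdout; the field names in `FIELDS`, the helper names, and the `summarize` shape are assumptions.

```python
"""Bounded reads of tshark packet lines from a stream (added example)."""
import io
from collections import Counter
from typing import Iterator, List, Optional, TextIO

# Assumed tshark invocation on the remote host (an assumption, not from the PR):
#   tshark -l -i eth0 -T fields -E separator=/t \
#       -e frame.time_epoch -e ip.src -e ip.dst -e _ws.col.Protocol -e frame.len
# -l line-buffers stdout so each packet line is available as soon as it is seen.
FIELDS = ("time", "src", "dst", "proto", "length")

# Per-read cap, following the 100-packet limit described in the PR comment.
MAX_PACKETS_PER_READ = 100

# Constructed sample of such output (not a real capture). It includes one
# malformed line to show that bad lines are skipped instead of aborting the read.
SAMPLE_CAPTURE = (
    "1715000000.001\t10.0.0.5\t10.0.0.1\tDNS\t74\n"
    "1715000000.020\t10.0.0.1\t10.0.0.5\tDNS\t120\n"
    "1715000000.050\t10.0.0.5\t93.184.216.34\tTCP\t66\n"
    "1715000000.070\t93.184.216.34\t10.0.0.5\tTCP\t66\n"
    "malformed line without tabs\n"
    "1715000000.090\t10.0.0.5\t93.184.216.34\tTLSv1.3\t583\n"
    "1715000000.300\t10.0.0.9\t10.0.0.5\tSSH\t98\n"
    "1715000000.310\t10.0.0.5\t10.0.0.9\tSSH\t150\n"
)


def sample_stream() -> io.StringIO:
    """Stand-in for the remote command's stdout (a paramiko file object in practice)."""
    return io.StringIO(SAMPLE_CAPTURE)


def parse_line(line: str) -> Optional[dict]:
    """Parse one tshark -T fields line; return None for anything that does not fit."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["time"] = float(rec["time"])
        rec["length"] = int(rec["length"])
    except ValueError:
        return None
    return rec


def read_batch(stream: TextIO, max_packets: int = MAX_PACKETS_PER_READ) -> List[dict]:
    """Read at most max_packets parsed packets; stop early on EOF (channel closed)."""
    batch: List[dict] = []
    while len(batch) < max_packets:
        line = stream.readline()
        if not line:  # EOF: tshark exited or the SSH channel was closed
            break
        rec = parse_line(line)
        if rec is not None:
            batch.append(rec)
    return batch


def iter_batches(stream: TextIO, max_packets: int = MAX_PACKETS_PER_READ) -> Iterator[List[dict]]:
    """Yield successive bounded batches until the stream is exhausted."""
    while True:
        batch = read_batch(stream, max_packets)
        if not batch:
            return
        yield batch


def summarize(batch: List[dict]) -> dict:
    """Compact per-batch summary, the kind of thing worth placing in an LLM context."""
    return {
        "packets": len(batch),
        "bytes": sum(r["length"] for r in batch),
        "by_proto": dict(Counter(r["proto"] for r in batch)),
        "top_talkers": Counter(r["src"] for r in batch).most_common(3),
    }


if __name__ == "__main__":
    for i, b in enumerate(iter_batches(sample_stream(), 3), 1):
        print(f"batch {i}: {summarize(b)}")
```

With a live session the stream would be the stdout file object returned by paramiko's `SSHClient.exec_command`; `readline()` then blocks only until the next packet line arrives (tshark's `-l` flushes per packet), and each `read_batch` call returns after at most `max_packets` lines, so the caller decides how often it samples instead of consuming the channel continuously.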

@vmayoral (Member) commented May 6, 2025

Liked a lot this iteration @duel0, nicely done. Ready from my side to be merged. Please confirm if you're fine moving forward or if you expect any further modifications in this iteration.

The following couple of (containerized) exercises demonstrate the capabilities of what's implemented herein:

test 1 (asciicast), test 2 (asciicast)

An additional thought: currently the proposed agent has no Handoff to other agents. I understand this as a result of testing, but in an operational scenario, wouldn't it be interesting to consider doing so? I particularly believe that the DFIR agent could be a decent target (for a handoff), especially if expanded with shodan_search and make_google_search searching capabilities, so that recorded traffic can be somehow correlated with online searching.

Overall, nicely done.

@duel0 (Collaborator, Author) commented May 6, 2025

  • Integrated DFIR Agent handoff functionality into Network Security Analyzer.
  • Added Google Search and Shodan Search capabilities to the DFIR Agent (conditional on API key availability).
  • Added think functionality to the DFIR Agent to enhance investigation performance.

Note: the dependency paramiko==3.5.1 is required but not included in this PR, it needs to be added separately.

@duel0 (Collaborator, Author) commented May 6, 2025

Added paramiko dependency

@duel0 duel0 merged commit 3e85632 into aliasrobotics:main May 6, 2025
Development

Successfully merging this pull request may close these issues.

Create NetworkTrafficAgent