SecOverview

Released: May 11, 2025
Author: samuelgiger
Repository: https://github.com/gigersam/SecOverview

Get information from different sources to analyze security events. Being able to use a locally hosted LLM to help analyze the data.

Getting information about destination IPs, checking files for suspicious activity, or querying DNS records for information was a task I needed to perform frequently, often reopening tools and repeating the same process. This hobby project aims to minimize the number of tools required while also maintaining a history of requests. The bigger-picture goal is to create a simple tool that helps small companies manage and scan their infrastructure in terms of cyber threats. This can involve either preventive or reactive methods.

Apps

The project currently contains the following apps:
NMAP Scanner: A simple WebUI to execute NMAP scans and store the detected results.
IP Check: A simple WebUI to check IP ASN data.(Source: bgpview.io)
DNS Record Check: A simple WebUI to check a domain's DNS records.
RSS Reader: Displays the latest news from various sources.
YARA Rules Checker: A WebUI to upload files which will be checked against some YARA rules.
MLNIDS Detection: A WebUI to display detected anomalies in the captured network flow.
Assets: The Assets view gathers all stored data from the apps, correlates them, and displays them from the asset perspective.
Ransomware Victims: Display of the victims of ransomware attacks.(Source: ransomware.live)

Installation

The current version has been tested on a basic Debian 12 (Bookworm). The application uses Python, Django, Gunicorn, and NGINX. This version only supports SQLite as a database. For Debian 12, an installation script is available. Due to the chat feature, some CPU/GPU power is required. It is also possible to run the Ollama instance on a different host. For the MLNIDS Detection feature, a GPU is highly recommended. It can also be run on a different host. The MLNIDS feature analyses captured network traffic in the PCAP format. To get PCAPs, a tool like Suricata is recommended.
Script: SecOverview Install Script
Download the script via a browser or use the following command:

wget https://github.com/gigersam/SecOverview/blob/main/install.sh

After downloading the script, add execution rights to the file with the following command:

sudo chmod +x install.sh

The script will install the following components:
python3
python3-venv
pyhton3-pip
git
nginx
nmap
ollama

Then, execute the file as an administrator with the command:

sudo ./install.sh

After installation, an output with the admin password will be displayed. The script also creates a service for the Django application named "secoverview.service".
To access the application, use a browser and navigate to the server at:
http://YOUR-IP/
After that, a login screen will be displayed, where you will be able to log in with the admin credentials.

After installation, there are more configuration options. Please refer to the documentation available under the "About" section of the application or download it here.

MLNIDS

MLNIDS is a lightweight service designed to classify data from NIDS tools such as Suricata. The service can analyze PCAP files and detect anomalies. After detection, the results can be uploaded into the tool SecOverview, where they can be visualized.
The service analyzes the PCAP files using two different algorithms:
Random Forest – to detect anomalies and classify them.
Isolation Forest – to detect network anomalies.

MLNIDS Installation

First, Suricata needs to be installed and configured. Use the official installation guide for Suricata: Suricata Installation Guide.
After enabling PCAP logging, the script "copy_suricata_pcap.py" can be used to copy the PCAP files into MLNIDS’s processing and analysis workflow.
Change the source_folder to the directory where Suricata stores the PCAP files:

def main():
    # Define the source folder and file pattern
    source_folder = "/path/to/source/folder"
    file_pattern = "log.pcap.*"  # File pattern for matching
    remote_directory = "analyse/pcap/todo"
end

To run the script as a service, create the following service file under /etc/systemd/system/copy_suricata_pcap.service with the content below:

[Unit]
Description=Copy Suricata Data with Python
After=network.target

[Service]
ExecStart=/home/secoverview/secoverview/venv/bin/python /home/secoverview/secoverview/services/mlnids_service/uploader_script_for_analysis.py
WorkingDirectory=/home/secoverview/secoverview/services/mlnids_service
Restart=always
User=secoverview
StandardOutput=append:/home/secoverview/secoverview/services/mlnids_service/log/default.log
StandardError=append:/home/secoverview/secoverview/services/mlnids_service/log/error.log

[Install]
WantedBy=multi-user.target

After creating the service file, enable and start the service using the following commands:

sudo systemctl daemon-reload
sudo systemctl enable mlnids.service
sudo systemctl start mlnids.service

Once this configuration is complete, all PCAP files will be analyzed by the MLNIDS service. Files will be copied if they are older than 30 minutes.
To obtain pre-trained models for MLNIDS, please contact me.

Videos

To get a better understanding of how to use the SecOverview, you can watch the following videos:

Dashboard

NMAP

RSS-Feeds and File-Scan

IP Check and ML NIDS