SecOverview gathers information from different sources to analyze security events, and a locally hosted LLM can be used to help analyze the collected data.
Getting information about destination IPs, checking files for suspicious activity, or querying DNS records for information was a task I needed to perform frequently,
often reopening tools and repeating the same process. This hobby project aims to minimize the number of tools required while also maintaining a history of requests.
The bigger-picture goal is to create a simple tool that helps small companies manage and scan their infrastructure in terms of cyber threats.
This can involve either preventive or reactive methods.
Apps
The project currently contains the following apps:
NMAP Scanner: A simple WebUI to execute NMAP scans and store the detected results.
IP Check: A simple WebUI to check IP ASN data. (Source: bgpview.io)
DNS Record Check: A simple WebUI to check a domain's DNS records.
RSS Reader: Displays the latest news from various sources.
YARA Rules Checker: A WebUI to upload files, which are then checked against a set of YARA rules.
MLNIDS Detection: A WebUI to display detected anomalies in the captured network flow.
Assets: The Assets view gathers all stored data from the apps, correlates it, and displays it from the asset perspective.
Ransomware Victims: Display of the victims of ransomware attacks. (Source: ransomware.live)
Installation
The current version has been tested on a basic Debian 12 (Bookworm). The
application uses Python, Django, Gunicorn, and NGINX. This version only
supports SQLite as a database. For Debian 12, an installation script is available.
Due to the chat feature, some CPU/GPU power is required. It is also possible to run the Ollama instance on a different host.
For the MLNIDS Detection feature, a GPU is highly recommended. It can also be run on a different host. The MLNIDS feature analyses captured network traffic in
the PCAP format. To get PCAPs, a tool like Suricata is recommended.
Script: SecOverview Install Script
Download the script via a browser or use the following command:
After downloading the script, add execution rights to the file with the following command:
sudo chmod +x install.sh
The script will install the following components:
python3
python3-venv
python3-pip
git
nginx
nmap
ollama
Then, execute the file as an administrator with the command:
sudo ./install.sh
After installation, an output with the admin password will be displayed.
The script also creates a service for the Django application named "secoverview.service".
To access the application, use a browser and navigate to the server at:
http://YOUR-IP/
After that, a login screen will be displayed, where you will be able to log in
with the admin credentials.
After installation, there are more configuration options. Please refer to the documentation available under the "About" section of the application or
download it here.
MLNIDS
MLNIDS is a lightweight service designed to classify data from NIDS tools such as Suricata. The service can analyze PCAP files and detect anomalies. After detection, the results can be uploaded into the tool SecOverview, where they can be visualized.
The service analyzes the PCAP files using two different algorithms:
Random Forest – to detect anomalies and classify them.
Isolation Forest – to detect network anomalies.
MLNIDS Installation
First, Suricata needs to be installed and configured. Use the official installation guide for Suricata: Suricata Installation Guide.
After enabling PCAP logging, the script "copy_suricata_pcap.py" can be used to copy the PCAP files into MLNIDS’s processing and analysis workflow.
Change the source_folder to the directory where Suricata stores the PCAP files:
def main():
    # Define the source folder and file pattern (set source_folder to the
    # directory where Suricata writes its PCAP files)
    source_folder = "/path/to/source/folder"
    file_pattern = "log.pcap.*"  # File pattern for matching
    remote_directory = "analyse/pcap/todo"
    # ... the remainder of the script (the copy logic) is not shown here


if __name__ == "__main__":
    main()
To run the script as a service, create the following service file under /etc/systemd/system/copy_suricata_pcap.service with the content below:
[Unit]
Description=Copy Suricata Data with Python
After=network.target
[Service]
ExecStart=/home/secoverview/secoverview/venv/bin/python /home/secoverview/secoverview/services/mlnids_service/uploader_script_for_analysis.py
WorkingDirectory=/home/secoverview/secoverview/services/mlnids_service
Restart=always
User=secoverview
StandardOutput=append:/home/secoverview/secoverview/services/mlnids_service/log/default.log
StandardError=append:/home/secoverview/secoverview/services/mlnids_service/log/error.log
[Install]
WantedBy=multi-user.target
After creating the service file, enable and start the service using the following commands:
sudo systemctl daemon-reload
sudo systemctl enable copy_suricata_pcap.service
sudo systemctl start copy_suricata_pcap.service
Once this configuration is complete, all PCAP files will be analyzed by the MLNIDS service. Files will be copied if they are older than 30 minutes.
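The following is an added, self-contained example of how the "copy only files older than 30 minutes" rule can be implemented; it is not the project's copy_suricata_pcap.py, and the function names (select_stale_pcaps, copy_pending, run_forever) are ours. It keeps the page's values (the "log.pcap.*" pattern, the 30-minute threshold, the analyse/pcap/todo destination) and uses only the standard library. The age check is the security-relevant detail: Suricata rotates its PCAP files, so a file modified within the last few minutes may still be open for writing, and copying it early would hand MLNIDS a truncated capture.

```python
"""Select and copy Suricata PCAP files that are older than a threshold.

Added example, not the project's own script. Folder names and the pattern
are placeholders matching the documentation; adjust them for a real host.
"""
import fnmatch
import os
import shutil
import time
from pathlib import Path

MIN_AGE_SECONDS = 30 * 60  # younger files may still be written by Suricata


def select_stale_pcaps(source_folder, file_pattern="log.pcap.*",
                       min_age=MIN_AGE_SECONDS, now=None):
    """Return paths matching file_pattern whose mtime is at least min_age old.

    `now` can be injected so the selection is testable without sleeping.
    """
    now = time.time() if now is None else now
    stale = []
    for entry in sorted(Path(source_folder).iterdir()):
        if not entry.is_file() or not fnmatch.fnmatch(entry.name, file_pattern):
            continue
        if now - entry.stat().st_mtime >= min_age:
            stale.append(entry)
    return stale


def copy_pending(source_folder, remote_directory, file_pattern="log.pcap.*",
                 min_age=MIN_AGE_SECONDS, now=None):
    """Copy stale PCAPs into remote_directory, skipping files already copied.

    Returns the destination paths that were newly written, so a service loop
    can log exactly which captures were handed to MLNIDS on this pass.
    """
    dst = Path(remote_directory)
    dst.mkdir(parents=True, exist_ok=True)
    copied = []
    for pcap in select_stale_pcaps(source_folder, file_pattern, min_age, now):
        target = dst / pcap.name
        # Idempotent: an existing target of the same size was copied on an
        # earlier run; copying it again would feed MLNIDS duplicate flows.
        if target.exists() and target.stat().st_size == pcap.stat().st_size:
            continue
        shutil.copy2(pcap, target)  # copy2 keeps the original mtime
        copied.append(target)
    return copied


def run_forever(source_folder, remote_directory, interval=60):
    """Polling loop suited to a systemd unit with Restart=always."""
    while True:
        for path in copy_pending(source_folder, remote_directory):
            print(f"copied {path}")
        time.sleep(interval)


if __name__ == "__main__":
    # Constructed demo: two PCAPs in a temp dir, one still too young to copy.
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "suricata"), Path(tmp, "analyse", "pcap", "todo")
        src.mkdir()
        old, fresh = src / "log.pcap.1700000000", src / "log.pcap.1700001800"
        old.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic header
        fresh.write_bytes(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)
        now = time.time()
        os.utime(old, (now - 3600, now - 3600))  # modified an hour ago
        print([p.name for p in copy_pending(src, dst, now=now)])
```

Pointing run_forever at the Suricata PCAP directory and the todo directory gives a process that fits the systemd unit above: a crash is restarted by Restart=always, and each pass only moves captures that are both complete and not yet copied.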
To obtain pre-trained models for MLNIDS, please contact me.
Videos
To get a better understanding of how to use the SecOverview, you can watch the following videos:
Dashboard
NMAP
RSS-Feeds and File-Scan
IP Check and ML NIDS
Getting information from all sources is quite time-intensive and may be excessive for small companies. This project aims to help obtain or analyze specific information.