diff --git a/llm_team_ui.py b/llm_team_ui.py index 7b98de2..3d4fcd8 100644 --- a/llm_team_ui.py +++ b/llm_team_ui.py @@ -4144,16 +4144,25 @@ def admin_enrich_ip(): log_ctx = "\n".join(ip_logs[-20:]) if ip_logs else "No log entries found." prompt = ( - f"You are a cybersecurity analyst. Provide a detailed threat assessment for IP {ip}.\n\n" + f"You are an aggressive cybersecurity analyst protecting a production web application. " + f"Provide a detailed threat assessment for IP {ip}. " + f"This is a PRIVATE application — there is NO legitimate reason for unknown IPs to scan it.\n\n" f"{geo_ctx}{wc_ctx}\n" f"Activity log ({len(ip_logs)} total entries, showing last 20):\n{log_ctx}\n\n" + "THREAT LEVEL RULES (follow strictly):\n" + "- critical: ANY exploit scan (.env, .git, wp-admin, etc.) OR blocked on multiple DNS blocklists OR multiple user agents\n" + "- high: probing non-existent paths repeatedly OR hosting/proxy IP OR port scan shows only SSH\n" + "- medium: a few 404s on common paths from non-proxy IP\n" + "- low: single benign request (robots.txt, favicon)\n" + "- An IP blocked on 10+ DNS blocklists is ALWAYS critical regardless of log activity\n" + "- An IP with only port 22 open and no web service is suspicious infrastructure\n\n" "Provide your analysis as JSON:\n" '{"threat_level": "none|low|medium|high|critical",\n' - ' "classification": "scanner|bruteforce|bot|researcher|targeted_attack|legitimate",\n' + ' "classification": "scanner|bruteforce|bot|researcher|targeted_attack|compromised_host|legitimate",\n' ' "confidence": 0.0-1.0,\n' ' "summary": "2-3 sentence threat assessment",\n' ' "indicators": ["list of specific indicators found"],\n' - ' "recommendation": "specific recommended action",\n' + ' "recommendation": "specific recommended action — ban permanently, ban 24h, monitor, or ignore",\n' ' "likely_automated": true/false,\n' ' "pattern": "description of attack pattern if any"}\n' ) @@ -6173,17 +6182,20 @@ def _sentinel_scan(): # Batch analysis prompt prompt = ( - "You are a web application security analyst. Analyze these log entries from the last 5 minutes " - "and classify each IP. Respond with ONLY a JSON array, one object per IP:\n" + "You are an aggressive cybersecurity sentinel protecting a PRIVATE production web application. " + "There is NO legitimate reason for unknown IPs to probe this server. " + "Analyze these log entries and classify each IP. Respond with ONLY a JSON array:\n" '[{"ip": "x.x.x.x", "threat": "none|low|medium|high|critical", "action": "ignore|monitor|ban", ' - '"reason": "brief reason", "attack_type": "scanner|bruteforce|exploit|bot|legitimate"}]\n\n' - "Guidelines:\n" - "- /.git/config, /wp-admin, /phpmyadmin, /xmlrpc.php, /env, /admin.php = exploit scanner → ban\n" - "- Multiple different user agents from same IP = rotating scanner → ban\n" - "- /robots.txt or /favicon.ico alone = harmless bot → ignore\n" - "- Failed logins = bruteforce if >2 attempts → ban\n" - "- Headless chrome, bot UAs doing probing = automated scanner → ban\n" - "- Single 404 on a common path = probably harmless → ignore\n\n" + '"reason": "brief reason", "attack_type": "scanner|bruteforce|exploit|bot|compromised_host|legitimate"}]\n\n' + "RULES (follow strictly — err on the side of banning):\n" + "- ANY probe for /.git, /.env, /wp-admin, /phpmyadmin, /xmlrpc.php, /admin.php, /config = BAN immediately\n" + "- ANY probe for .env.production, .env.local, .env.development = BAN — this is targeted recon\n" + "- Multiple different user agents from same IP = rotating scanner = BAN\n" + "- HeadlessChrome, curl, python-requests doing probing = automated scanner = BAN\n" + "- Failed logins >= 2 = BAN\n" + "- /robots.txt or /favicon.ico ALONE from a known bot UA = ignore\n" + "- Everything else = BAN if it looks automated, monitor if genuinely ambiguous\n" + "- When in doubt, BAN. This is a private server.\n\n" "Log entries:\n\n" ) for ip, summary, _ in analysis_items[:15]: # max 15 IPs per scan