so-ops: Free, local LLM-powered alert triage, daily briefings & vuln scanning for Security Onion

[benolenick]

Hey everyone,

I built an open-source tool called so-ops that adds LLM-powered automation to Security Onion, specifically aimed at those of us running SO without a Pro license who still want AI-assisted alert triage and operational reporting.

https://github.com/benolenick/so-ops

What it does

so-ops is a CLI tool with three main functions, all powered by a local LLM via Ollama:

1. Alert Triage (so-ops triage)

• Queries Suricata alerts from Elasticsearch on a schedule (every 15 min via systemd timer)
• Groups alerts by signature + source IP
• Auto-clears known-benign signatures (configurable noise list)
• Sends remaining alert groups to a local LLM with full context: network zones, GeoIP data, rule metadata, alert counts
• LLM classifies each group as NOISE / LOW / MEDIUM / HIGH with reasoning
• Enforces minimum severity floors based on rule patterns (e.g., ET TROJAN = minimum HIGH) and GeoIP risk (traffic from high-risk countries = minimum MEDIUM)
• Fires instant notifications on HIGH alerts

Example output:

## Verdict Breakdown
- HIGH: 2 (1.3%)
- MEDIUM: 8 (5.3%)
- LOW: 12 (8.0%)
- NOISE: 128 (85.3%)

## HIGH Priority - Investigate Immediately
- ET EXPLOIT Possible CVE-2024-1234 | 203.0.113.50 -> 192.168.0.200:443
  - Reason: External IP targeting SO manager with known exploit signature
  - Action: Check SO manager logs, verify patch status

2. Daily Health Report (so-ops health)

• Aggregates 24h of metrics: Suricata alerts, Zeek connections, Sigma detections, data stream health, syslog errors, top external IPs
• Feeds the raw data to the LLM to generate a concise morning briefing (overall status, key findings, action items)
• Emails the report to you every morning

3. Vulnerability Scanning (so-ops scan)

• Runs nmap + vulners and/or nuclei against configured targets
• Generates an AI executive summary of findings
• Weekly/midweek scheduling via systemd timers

Why I built this

I run Security Onion on my home lab and was drowning in Suricata alerts, the usual story. The Onion AI Assistant looks great, but it requires a Pro license and a cloud connection. I wanted something that:

• Runs entirely local (no data leaves the network)
• Works unattended on a schedule (not an interactive chatbot)
• Does batch classification, not per-alert summaries
• Is free and works with any SO 2.4+ install

Design decisions

• Ollama for local inference - works with whatever model you prefer (I use qwen3:14b). All alert data stays on your network.
• Zero external Python dependencies - pure stdlib. No pip dependency hell on your SO box.
• Structured triage logic - the LLM isn't the only line of defense. Auto-noise lists, GeoIP risk floors, and pattern-based escalation rules provide guardrails around the LLM's classification.
• 7 notification providers - email, Discord, Slack, ntfy, Gotify, SMS (Twilio), and generic webhooks. Enable any combination.
• Standard SO index patterns - queries logs-suricata.alerts-so, logs-zeek-so, logs-detections.alerts-so, etc. Should work with any stock SO 2.4+ deployment.
• Audit trail - every triage decision is logged to a JSONL file with the verdict, reasoning, and method (auto-noise vs. LLM).

Getting started

pip install git+https://github.com/benolenick/so-ops.git

so-ops init            # interactive setup wizard
so-ops config-check    # validate config
so-ops test-notify     # test notification providers
so-ops triage --dry-run  # test run without LLM
so-ops triage          # full triage run
so-ops health          # generate health report

Requirements: Security Onion 2.4+, Python 3.11+, Ollama with a model pulled, nmap (for vuln scanning).

Not a replacement for Onion AI

To be clea, this isn't trying to replace the Onion AI Assistant. That's an interactive analyst tool with deep SOC integration. so-ops is more of an automated ops layer: it watches alerts in the background, classifies them, and pings you when something matters. They serve different purposes and can complement each other.

Looking for feedback

I'd love to hear from other SO users:

• Is this useful for your setup?
• What other SO pain points could benefit from local LLM automation?
• Any suggestions on triage prompt engineering or escalation logic?

The project is MIT licensed. PRs and issues welcome.

Thanks for building such a great platform! Security Onion is the backbone that makes tools like this possible, and I really appreciate all it's allowed us homelabbers to do.

[Zer0-cyber-web]

Hi! This is great! But I would like to ask for a bit more detailed instruction about install... Because:

[root@secon ~]# pip install git+https://github.com/om/so-ops.git
-bash: pip: command not found
[root@secon ~]#

and it stops at the beginning... :))) I spent 30 minutes researching how to install pip on Oracle Linux, and gave it up...

[benolenick]

Hey updated the readme. It can run anywhere on your network that has access to your SO box. you should make a secondary account that's read only that this will access. Let me know how it goes! PS eventually i'll add some support for API keys instead of passwords to be more secure, but it works and I'm happy with it.