Triagewall

Local-LLM Suricata alert triage for homelabs. Reduce alert noise without sending data to the cloud.

v0.2 available. Free and open source. Two-tier classification with a local LLM, hardened against prompt injection. Tested on a production homelab processing 6,000–13,000 alerts per hour.

Triagewall dashboard showing 99.2% prefilter ratio across 417,514 alerts in 24 hours

If you run Suricata on OPNsense or pfSense, you know the problem. Thousands of alerts a day, mostly noise. The signal is in there, but you're not going to find it at 11 PM.

Triagewall pre-filters known-benign signatures with a tunable JSON config (microsecond lookups, zero LLM cost), then sends the residual long tail to a local Ollama model for classification. On a typical homelab, the prefilter handles 99%+ of alerts after a day of tuning. The LLM sees only the genuinely interesting traffic.

v0.2 hardens the LLM stage against prompt injection: a canary token detects in-band tampering, strict response-schema validation rejects out-of-spec output, and 16 attacker-controlled alert fields are base64-encapsulated with explicit boundary markers so injected text can't escape the data envelope.

Free and AGPL-3.0. Runs on your hardware. No telemetry. Default model is Foundation-Sec-8B-Instruct (Cisco's security-domain LLM), running on any GPU with 8GB+ VRAM.

Install

git clone https://github.com/aaronphifer/triagewall
cd triagewall
docker compose up -d

Dashboard at http://localhost:8084. Demo mode included — no Suricata required to evaluate.

Measured in production

99.2%

prefilter ratio

7–10s

LLM latency (Foundation-Sec-8B / RTX 4060)

<2 min

end-to-end lag at steady state

6–13K

alerts / hour processed