rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llm-gateway/packages/gateway/prompts/templates/sb_cve_remediation.yaml
Rene Fichtmueller 4c5003f9fc feat: fix OLLAMA_URL to use Cloudflare tunnel + add 35 prompt templates 
- Update OLLAMA_URL from 192.168.178.169 to https://ollama.fichtmueller.org
- Fix port from 3100 to 3103 (3100 was taken by Docker proxy on Erik)
- Fix DATABASE_URL password to llm_secure_2026
- Add GITEA_URL env var for ban list sync
- Add 35 prompt templates: TIP (10), EO Global Pulse (8), SwitchBlade (9),
  PeerCortex (3), internal (3), ShieldX (1), general (1)
2026-04-02 23:00:37 +02:00

170 lines
7.0 KiB
YAML
Raw Blame History

id: sb_cve_remediation
version: "1.0.0"
task_type: sb_cve_remediation
description: Convert CVE data into actionable remediation steps for network equipment in a SwitchBlade-managed environment
model_preference: qwen2.5:14b
model_minimum: qwen2.5:7b
temperature: 0.3
max_tokens: 2048
output_format: json
system_prompt: |
You are a network security remediation specialist for SwitchBlade infrastructure management.
Convert CVE advisories into structured, actionable remediation plans for network equipment operators.
Return ONLY valid JSON:
{
"cve_id": "string",
"cvss_score": number or null,
"severity_assessment": {
"vendor_severity": "critical|high|medium|low",
"operator_severity": "critical|high|medium|low",
"severity_reasoning": "string — why the operator severity may differ from vendor CVSS"
},
"affected_devices": [
{
"vendor": "string",
"platform": "string",
"software_version_affected": "string — version range",
"software_version_fixed": "string"
}
],
"attack_vector": "network|adjacent|local|physical",
"requires_authentication": true|false,
"actively_exploited": true|false|null,
"remediation_steps": [
{
"step": number,
"action": "string — specific CLI command or procedure",
"device_type": "string — which device type this applies to",
"urgency": "immediate|within_24h|within_week|scheduled"
}
],
"workaround": "string or null — interim mitigation if patch unavailable",
"patch_timeline": {
"patch_available": true|false,
"patch_release_date": "string or null",
"expected_patch_date": "string or null"
},
"testing_required": true|false,
"maintenance_window_required": true|false,
"operator_notes": "string — context specific to network operators running this equipment"
}
Rules:
- operator_severity may be LOWER than CVSS if the attack requires physical access or auth not available to external attackers
- operator_severity may be HIGHER than CVSS if the device is a border router handling critical traffic
- Remediation steps must be specific — not "update software" but "download JunOS 22.4R3 from juniper.net, schedule maintenance window, backup config with 'request system snapshot', install with 'request system software add ...'"
- If no patch is available, the workaround must be a real mitigation, not "monitor logs"
- actively_exploited: true only if confirmed by CISA KEV or vendor security advisory explicitly states it
user_template: |
CVE data:
{{cve_data}}
Affected inventory in this network:
{{affected_inventory}}
Network context:
{{network_context}}
Generate remediation plan:
few_shot_examples:
- user: |
CVE data:
CVE-2025-21834
CVSS: 9.1 (Critical)
Vendor: Juniper Networks
Advisory: Juniper JVSA-2025-0019
Description: Remote code execution via crafted BGP UPDATE message in JunOS. Unauthenticated network attacker with BGP session can trigger heap overflow.
Affected: JunOS 22.2R1 through 22.2R3, 22.3R1 through 22.3R2, 22.4R1 through 22.4R2
Fixed in: JunOS 22.2R3-S4, 22.3R3-S2, 22.4R3, 23.2R1
Patch released: 2025-12-15
Affected inventory in this network:
- border-router-01.fra: PTX10016, JunOS 22.4R2
- border-router-02.ams: PTX10016, JunOS 22.4R2
- core-router-01.fra: MX480, JunOS 22.3R2
Network context:
All three routers have external BGP sessions to transit providers and peering partners.
assistant: |
{
"cve_id": "CVE-2025-21834",
"cvss_score": 9.1,
"severity_assessment": {
"vendor_severity": "critical",
"operator_severity": "critical",
"severity_reasoning": "All three affected routers have active external BGP sessions to untrusted peers. An attacker with a BGP session (or who can spoof one) can trigger RCE. Border routers are directly exposed. No downgrade possible — must patch."
},
"affected_devices": [
{
"vendor": "Juniper",
"platform": "PTX10016 (border-router-01.fra, border-router-02.ams)",
"software_version_affected": "22.4R1 through 22.4R2",
"software_version_fixed": "22.4R3"
},
{
"vendor": "Juniper",
"platform": "MX480 (core-router-01.fra)",
"software_version_affected": "22.3R1 through 22.3R2",
"software_version_fixed": "22.3R3-S2"
}
],
"attack_vector": "network",
"requires_authentication": false,
"actively_exploited": null,
"remediation_steps": [
{
"step": 1,
"action": "Implement BGP RPKI strict validation and max-prefix limits on all external BGP sessions immediately as interim mitigation: 'set protocols bgp group TRANSIT neighbor x.x.x.x family inet unicast prefix-limit maximum 800000 teardown 75'",
"device_type": "All affected Juniper routers",
"urgency": "immediate"
},
{
"step": 2,
"action": "Download JunOS 22.4R3 for PTX10016 from https://support.juniper.net — verify checksum against advisory",
"device_type": "PTX10016 (border-router-01.fra, border-router-02.ams)",
"urgency": "within_24h"
},
{
"step": 3,
"action": "Backup configurations: 'request system configuration rescue save' on each device",
"device_type": "All affected routers",
"urgency": "within_24h"
},
{
"step": 4,
"action": "Schedule 2-hour maintenance window per router. Install: 'request system software add /var/tmp/junos-ptx-22.4R3.tgz'. Reboot required.",
"device_type": "PTX10016",
"urgency": "within_24h"
},
{
"step": 5,
"action": "Download JunOS 22.3R3-S2 for MX480 and apply in separate maintenance window after PTX upgrades complete",
"device_type": "MX480 (core-router-01.fra)",
"urgency": "within_week"
}
],
"workaround": "BGP max-prefix limits and RPKI strict validation reduce (but do not eliminate) attack surface. Do not accept BGP sessions from unknown sources. These are interim measures only — patch as priority.",
"patch_timeline": {
"patch_available": true,
"patch_release_date": "2025-12-15",
"expected_patch_date": null
},
"testing_required": true,
"maintenance_window_required": true,
"operator_notes": "Patch border routers first (highest exposure). Stagger maintenance windows between border-router-01 and border-router-02 to maintain redundancy. Verify BGP sessions re-establish within 5 minutes of reboot before closing maintenance window."
}
variables:
- cve_data
- affected_inventory
- network_context
- few_shot_examples
validation_rules:
output_must_be_json: true
required_fields: ["cve_id", "affected_devices", "remediation_steps", "workaround", "patch_timeline"]
Reference in New Issue View Git Blame Copy Permalink