rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llm-gateway/packages/gateway/prompts/templates/pc_anomaly_hypothesis.yaml
Rene Fichtmueller ac33476666 feat: add 55 prompt templates + ShieldX/LinkedIn routing rules + ban lists in Gitea 
Templates (55 total, exceeds 49 target):
- TIP: transceiver_enrich, datasheet_extract, compatibility_parse, blog_generator,
  faq_answer, hype_cycle_narrative, price_anomaly, vendor_classify, product_description
- EO Global Pulse: business_card_ocr, voice_to_crm, event_prep_brief, attendee_enrich,
  meeting_suggest, lead_qualify, debrief_generate, ticket_summarize
- SwitchBlade: root_cause, alert_narrative, cve_remediation, csrd_narrative,
  transceiver_advisor, bandwidth_report, ticket_draft, firmware_assess, topology_explain
- PeerCortex: as_narrative, health_summary, rpki_explain, anomaly_hypothesis,
  peer_recommendation, incident_brief
- NOGnet: cfp_evaluate, cfp_feedback, topic_gap_analysis, meeting_match, speaker_enrich,
  sponsor_pitch, event_debrief, agenda_summary, session_intro
- ShieldX: threat_classify, pattern_describe, healing_recommend, compliance_report, false_positive
- Content: linkedin_post_de, linkedin_post_en, newsletter_dispatch_de, email_draft_de
- Internal: ban_detect, prompt_improve
- Routing rules: +55 entries for all template-based task types
- Ban lists: en.csv, de.csv, auto.csv created in Gitea (llm-banlists repo)
2026-04-02 23:14:30 +02:00

128 lines
6.2 KiB
YAML
Raw Blame History

id: pc_anomaly_hypothesis
version: "1.0.0"
task_type: pc_anomaly_hypothesis
description: Analyze BGP anomaly data and generate ranked root cause hypotheses with recommended investigation steps
model_preference: qwen2.5:14b
model_minimum: qwen2.5:7b
temperature: 0.4
max_tokens: 1500
output_format: json
system_prompt: |
You are the BGP anomaly analysis engine for PeerCortex, a network intelligence platform.
Analyze BGP routing anomaly data and generate structured root cause hypotheses.
Return ONLY valid JSON:
{
"anomaly_summary": "string — one sentence description of what was observed",
"anomaly_type": "route_leak|route_hijack|misconfiguration|prefix_deaggregation|bogon_announcement|rpki_conflict|flapping|withdrawal_storm|other",
"severity": "critical|high|medium|low",
"hypotheses": [
{
"cause": "string — specific technical cause",
"confidence": 1-10,
"evidence": ["string — specific data points"],
"affected_networks": ["string — ASNs or prefixes affected"],
"attack_or_accident": "likely_attack|likely_accident|unclear"
}
],
"recommended_investigation_steps": [
{
"step": "string — specific action (e.g., 'Check RIPE BGPplay for AS12345 at timestamp X')",
"tool": "string — tool to use (BGPplay, RIPE RIS, RouteViews, bgpstream.caida.org, MANRS Observatory)",
"priority": "immediate|high|medium"
}
],
"affected_prefixes": ["string"],
"affected_asns": ["string"],
"timeline": "string — description of when anomaly started and progressed"
}
BGP anomaly pattern library:
- Route leak: AS announces prefixes learned from customer to peer/transit (violates BGP policy). Signs: new AS path through unexpected transit, prefix visible from unexpected vantage points.
- Route hijack: AS announces someone else's prefixes without authorization. Signs: new origin AS, RPKI Invalid state, sudden appearance of prefix from previously uninvolved AS.
- Misconfiguration: Operator error — wrong prefix length, missing filters, wrong community. Often limited to specific peer relationships.
- Prefix deaggregation: Announcing more-specific /24s from a /16 block — can indicate optimization attempt or hijack of subspace.
- Withdrawal storm: Mass withdrawal of prefixes — can indicate BGP session issues, software bug, or deliberate de-peering.
user_template: |
BGP anomaly data:
{{anomaly_data}}
Affected ASN: {{affected_asn}}
Observation time: {{observation_time}}
Observed from: {{vantage_points}}
Generate anomaly hypothesis:
few_shot_examples:
- user: |
BGP anomaly data:
At 14:32 UTC, AS8764 (Telecom Italia) began announcing 12,400 prefixes from AS174 (Cogent) and AS1299 (Telia) that were previously only seen from those ASNs. The prefixes are being propagated via AS8764 to AS3356 (Lumen) and AS6453 (TATA), causing widespread traffic re-routing.
Affected ASN: 8764
Observation time: 2026-04-02 14:32 UTC
Observed from: RIPE RIS RRC01, RRC04, RouteViews Oregon
assistant: |
{
"anomaly_summary": "AS8764 (Telecom Italia) began announcing 12,400 prefixes belonging to AS174 and AS1299, routing traffic through Telecom Italia's network instead of the legitimate origin ASes.",
"anomaly_type": "route_leak",
"severity": "critical",
"hypotheses": [
{
"cause": "AS8764 misconfigured a BGP peer session, applying a policy that re-announces prefixes learned from transit providers (AS174, AS1299) to other transit providers instead of only to customers. Classic full table route leak.",
"confidence": 9,
"evidence": [
"12,400 prefixes suddenly visible via AS8764 that previously only appeared from AS174 and AS1299",
"Leak propagating to AS3356 and AS6453 — both are transit providers of AS8764, confirming it's a customer-to-provider leak",
"Sudden onset at 14:32 UTC suggests configuration change or BGP session reset triggering wrong policy"
],
"affected_networks": ["AS174 (Cogent)", "AS1299 (Telia)", "All downstream customers of AS174/AS1299"],
"attack_or_accident": "likely_accident"
},
{
"cause": "Deliberate traffic interception — AS8764 intentionally announcing foreign prefixes to intercept or monitor traffic flows.",
"confidence": 2,
"evidence": ["Mass announcement of foreign prefixes is consistent with interception"],
"affected_networks": ["AS174", "AS1299"],
"attack_or_accident": "likely_attack"
}
],
"recommended_investigation_steps": [
{
"step": "Check RIPE BGPplay for AS8764 starting at 14:25 UTC to see which session triggered the leak and whether it correlates with a BGP session reset",
"tool": "BGPplay (stat.ripe.net/bgpplay)",
"priority": "immediate"
},
{
"step": "Contact AS8764 NOC immediately via PeeringDB NOC contact — they may be unaware of the leak",
"tool": "PeeringDB NOC lookup",
"priority": "immediate"
},
{
"step": "Monitor RIPE RIS for leak containment — track if AS3356/AS6453 have applied filters or if AS8764 has withdrawn the leaked routes",
"tool": "RIPE RIS live (ris-live.ripe.net)",
"priority": "high"
},
{
"step": "Check MANRS Observatory for AS8764 compliance status — non-compliant operators are more likely to have misconfigured filters",
"tool": "MANRS Observatory (observatory.manrs.org)",
"priority": "medium"
}
],
"affected_prefixes": ["12,400 prefixes from AS174 and AS1299 address space"],
"affected_asns": ["8764", "174", "1299", "3356", "6453"],
"timeline": "Anomaly started at 14:32 UTC 2026-04-02. Sudden onset suggests configuration change or session reset. Duration and resolution unknown at time of analysis."
}
variables:
- anomaly_data
- affected_asn
- observation_time
- vantage_points
- few_shot_examples
validation_rules:
output_must_be_json: true
required_fields: ["anomaly_type", "severity", "hypotheses", "recommended_investigation_steps"]
Reference in New Issue View Git Blame Copy Permalink