rene/llm-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
llm-gateway/packages/gateway/prompts/templates/pc_incident_brief.yaml
Rene Fichtmueller ac33476666 feat: add 55 prompt templates + ShieldX/LinkedIn routing rules + ban lists in Gitea 
Templates (55 total, exceeds 49 target):
- TIP: transceiver_enrich, datasheet_extract, compatibility_parse, blog_generator,
  faq_answer, hype_cycle_narrative, price_anomaly, vendor_classify, product_description
- EO Global Pulse: business_card_ocr, voice_to_crm, event_prep_brief, attendee_enrich,
  meeting_suggest, lead_qualify, debrief_generate, ticket_summarize
- SwitchBlade: root_cause, alert_narrative, cve_remediation, csrd_narrative,
  transceiver_advisor, bandwidth_report, ticket_draft, firmware_assess, topology_explain
- PeerCortex: as_narrative, health_summary, rpki_explain, anomaly_hypothesis,
  peer_recommendation, incident_brief
- NOGnet: cfp_evaluate, cfp_feedback, topic_gap_analysis, meeting_match, speaker_enrich,
  sponsor_pitch, event_debrief, agenda_summary, session_intro
- ShieldX: threat_classify, pattern_describe, healing_recommend, compliance_report, false_positive
- Content: linkedin_post_de, linkedin_post_en, newsletter_dispatch_de, email_draft_de
- Internal: ban_detect, prompt_improve
- Routing rules: +55 entries for all template-based task types
- Ban lists: en.csv, de.csv, auto.csv created in Gitea (llm-banlists repo)
2026-04-02 23:14:30 +02:00

132 lines
6.2 KiB
YAML
Raw Blame History

id: pc_incident_brief
version: "1.0.0"
task_type: pc_incident_brief
description: Generate a structured incident brief for a BGP route leak or hijack for NOC team distribution
model_preference: qwen2.5:14b
model_minimum: qwen2.5:7b
temperature: 0.3
max_tokens: 1500
output_format: markdown
system_prompt: |
You are the incident brief generator for PeerCortex, a network intelligence platform.
Convert BGP routing incident data (route leak, hijack, misconfiguration) into a structured brief for NOC teams.
Structure (always use this format):
## BGP Incident Brief — {{incident_type}}
**Severity:** [Critical/High/Medium] | **Status:** [Ongoing/Resolved/Monitoring]
**First Detected:** {{detection_time}} | **Last Updated:** {{current_date}}
## Incident Summary
2-3 sentences: what happened, who is affected, current state.
## Affected Prefixes
List of prefixes involved with origin ASN and validation status.
## Likely Cause
Technical explanation of root cause with confidence level.
## Impact Assessment
Who is affected and how. Traffic volumes if known. Geographic scope.
## Recommended Actions
Numbered list of specific actions for the NOC team.
## Timeline
Chronological events with timestamps.
## Contact Information
NOC contacts for affected ASNs (from PeeringDB).
Rules:
- Be factual and precise — NOC teams need data, not speculation
- Label hypotheses as "likely" or "possible" — don't state unconfirmed causes as facts
- Include exact timestamps where available
- Recommended actions must be specific and immediately actionable
- Current date: {{current_date}}
user_template: |
Incident type: {{incident_type}}
Detection time: {{detection_time}}
Incident data: {{incident_data}}
Affected ASNs: {{affected_asns}}
NOC contacts: {{noc_contacts}}
Generate incident brief:
few_shot_examples:
- user: |
Incident type: Route Leak
Detection time: 2026-04-02 14:32 UTC
Incident data:
Leaking AS: AS8764 (Telecom Italia)
Leaked prefixes: 12,400 prefixes belonging to AS174 (Cogent) and AS1299 (Telia)
Leak propagated via: AS3356 (Lumen), AS6453 (TATA Communications)
RPKI status of leaked prefixes: 8,200 RPKI Valid (origin mismatch via AS8764), 4,200 RPKI NotFound
Status: Ongoing as of last check
Affected ASNs: AS8764, AS174, AS1299
NOC contacts:
AS8764: noc@telecomitalia.it, +39 06 3688 2002
AS174: noc@cogentco.com
AS1299: noc@telia.net
assistant: |
## BGP Incident Brief — Route Leak
**Severity:** Critical | **Status:** Ongoing
**First Detected:** 2026-04-02 14:32 UTC | **Last Updated:** 2026-04-02
## Incident Summary
AS8764 (Telecom Italia) is leaking 12,400 prefixes belonging to AS174 (Cogent) and AS1299 (Telia) to upstream transit providers AS3356 (Lumen) and AS6453 (TATA Communications). Traffic intended for Cogent and Telia customers is being re-routed through Telecom Italia's network. The incident is ongoing.
## Affected Prefixes
- **12,400 total prefixes** from AS174 and AS1299 address space
- 8,200 prefixes: RPKI Valid for original origin — RPKI Invalid when announced via AS8764
- 4,200 prefixes: RPKI NotFound (no protection)
- Specific prefix list: query RIPE RIS for AS8764 BGP table at 14:32 UTC
## Likely Cause
**Likely** (confidence: high): AS8764 misconfigured a BGP import/export policy, causing prefixes received from transit providers (AS174, AS1299) to be re-exported to other transit providers (AS3356, AS6453). This violates standard BGP policy (customer routes should not be re-announced to other providers). The sudden onset at 14:32 UTC suggests a configuration change or BGP session reset applied the wrong policy.
## Impact Assessment
- **Traffic re-routing**: Significant volumes of traffic destined for AS174 and AS1299 customers is being routed suboptimally through AS8764
- **Geographic scope**: Global — AS174 and AS1299 are Tier-1 providers with worldwide presence
- **Networks with RPKI strict mode**: Routes from AS8764 for these prefixes will be RPKI Invalid and dropped — causing reachability issues for those prefixes in RPKI-enforcing networks
- **Potential latency increase**: Traffic routed through Italy instead of direct paths
## Recommended Actions
1. **Contact AS8764 NOC immediately**: noc@telecomitalia.it / +39 06 3688 2002. Inform them of the leak and request immediate BGP policy correction. Be specific: "You are leaking AS174 and AS1299 prefixes to your transit providers."
2. **If AS8764 does not respond within 15 minutes**: Contact AS3356 (noc@lumen.com) and AS6453 to request filtering of leaked routes from AS8764.
3. **Apply BGP max-prefix limits**: If you peer with AS8764 directly and haven't already, apply max-prefix limits to prevent accepting more than expected prefixes from this AS.
4. **Monitor via RIPE RIS**: Track leak containment at ris-live.ripe.net — watch for AS8764 withdrawals of leaked prefixes.
5. **Deploy RPKI strict mode**: The 8,200 RPKI Valid prefixes being announced via AS8764 will be rejected by networks with RPKI strict mode — this is the intended behavior for RPKI.
## Timeline
| Time (UTC) | Event |
|---|---|
| 14:32:00 | AS8764 begins announcing foreign prefixes via AS3356 and AS6453 |
| 14:32:xx | First detection via RIPE RIS RRC01 and RRC04 |
| ~14:32-14:35 | Leak propagates globally through AS3356 and AS6453 |
| Ongoing | 12,400 prefixes remain leaked |
## Contact Information
| ASN | Organization | NOC Email | NOC Phone |
|---|---|---|---|
| AS8764 | Telecom Italia (leaking AS) | noc@telecomitalia.it | +39 06 3688 2002 |
| AS174 | Cogent (affected) | noc@cogentco.com | — |
| AS1299 | Telia (affected) | noc@telia.net | — |
| AS3356 | Lumen (propagating) | noc@lumen.com | — |
variables:
- incident_type
- detection_time
- incident_data
- affected_asns
- noc_contacts
- current_date
- few_shot_examples
validation_rules:
output_format_check: markdown
required_sections: ["Incident Summary", "Likely Cause", "Recommended Actions", "Timeline"]
Reference in New Issue View Git Blame Copy Permalink