365,930 network events in 48 hours. That's how much traffic flows through my homelab every two days. TCP flows, TLS handshakes, DNS queries, SSH attempts, WordPress scans. Buried in that noise: 571 real alerts and 4 Remote Code Execution attempts.
Most homelabbers install Suricata, stare at the logs for a week, then give up. Too much noise, too many false positives, zero context. I decided to fix this differently: I built AIWALL, a network defense system that uses an LLM to analyze alerts, a Raspberry Pi 5 as an active gateway, and a multi-source correlator that cross-references Suricata, DNS sinkholes, and reverse proxy logs. Fully self-hosted, zero recurring cost.
It works. It's been running in production for weeks. Here's how I built it and what I learned.
Architecture: three nodes, one brain
AIWALL isn't a single daemon on a server. It's a distributed system across three nodes, each with a specific role.
text
Internet
|
v
[ Cloudflare Tunnel ] --> [ Reverse Proxy ] --> Web apps on LAN
|
v
+-----------------------------------------------------------+
| RPi 5 - GATEWAY |
| Suricata IPS + DNS sinkhole (Blocky) |
| API agent + nftables ban/rate-limit |
+-----------------------------------------------------------+
|
v
+-----------------------------------------------------------+
| Proxmox Host - PASSIVE SENSOR |
| Suricata IDS (2 interfaces) + CrowdSec |
+-----------------------------------------------------------+
|
v
+-----------------------------------------------------------+
| LXC Container - ORCHESTRATOR (the brain) |
| Scoring engine + LLM (Groq) + Correlator + Telegram bot |
| Alert store (SQLite) + Prometheus metrics + Dashboard |
+-----------------------------------------------------------+
|
v
[ Monitoring: Grafana + Loki + Prometheus ]
The Raspberry Pi 5 is the physical network gateway. All traffic passes through it. Suricata runs in IPS mode, combining passive analysis with active dropping of malicious packets. On the same machine, Blocky acts as a DNS sinkhole blocking 280,000 domains across malware, phishing, tracking, and advertising categories.
The Proxmox host acts as a passive sensor. Suricata IDS monitors two network interfaces: one for LAN traffic, one for the VPN overlay (Tailscale). CrowdSec analyzes logs and maintains a community blocklist of over
Iscriviti alla newsletter per ricevere i migliori articoli direttamente nella tua inbox.
Cybersecurity
CVE-2026-7482, Bleeding Llama fa sanguinare 300mila server Ollama
CVE-2026-7482: con tre chiamate API la vulnerabilita Ollama 2026 Bleeding Llama leakka memoria e token da 300k server esposti. Patch e mitigazioni.
5,000 known malicious IPs
updated in real time.
The orchestrator container is the brain. Over 9,000 lines of Python that read Suricata EVE events, score them with a deterministic engine, correlate alerts from different sources, invoke an LLM when needed, and send Telegram notifications with inline buttons to ban or ignore. All running on an LXC container with 1 GB of RAM.
The scoring engine: the LLM advises, it doesn't decide
This is AIWALL's most important architectural principle. The risk score is deterministic. The LLM is an advisor, not a decision-maker. I've seen too many projects delegate alert classification to a language model and end up with hallucinated false positives or, worse, real threats downgraded because the model lacked context.
Every Suricata alert has a severity level. The scoring engine assigns base weights per severity, then applies context multipliers:
Internal LAN traffic: reduced weight — containers talking to each other aren't a threat
IPs with bad reputation (CrowdSec, AbuseIPDB): significantly increased weight
Traffic already mitigated by IPS: excluded from analysis to reduce noise
The result is a score from 0 to 100. The LLM is only invoked when the score exceeds a configurable threshold. In the last 48 hours, out of 148 completed analyses, the LLM was called only 18 times. The vast majority of traffic is handled by the deterministic scoring alone. That means fewer API calls, lower latency, less noise.
Groq Llama 3.3 70B: the analyst that never sleeps
When the score crosses the threshold, AIWALL sends the alert batch to Groq running llama-3.3-70b-versatile. Why Groq? Three reasons: it's free (free tier), it's fast (0.85 second average response time in my system), and the 70B model is capable enough for security analysis without being overkill.
The LLM receives three layers of context: the current batch of filtered alerts, a 30-minute history window to spot evolving patterns, and a 6-hour IP tracker to identify multi-phase attacks — the same IP scanning SSH ports first, then attempting an HTTP exploit.
The response is structured JSON: risk level, summary, suspicious IPs, identified patterns, and an actionable recommendation. If the JSON doesn't parse, AIWALL degrades gracefully — logs the error and moves on. Zero LLM errors in production so far.
The correlator: when a single alert isn't enough
A standalone Suricata alert tells you little. A Suricata alert + a DNS malware block from the same IP within minutes tells you a lot. That's what the multi-source correlator does.
AIWALL cross-references three sources: Suricata alerts (signature-based), DNS sinkhole blocks (reputation-based), and reverse proxy logs (pattern-based). When sources converge, the correlator generates composite alerts with elevated priority.
Three correlation types implemented:
CORRELATED_C2 (critical): Suricata detects a C2 signature + DNS sinkhole blocks a malware/phishing domain from the same IP within minutes. The strongest signal: the client is trying to reach a command and control server
DNS_SURICATA_WEAK (medium): DNS sinkhole blocks something + Suricata generates a low-confidence alert from the same IP. 33 detections in the last 48 hours — mostly aggressive telemetry
DNS_ANOMALY (high): multiple blocked domains from the same LAN client in a short window. Signal of malware enumerating DGA domains
In two days of production: 33 DNS_SURICATA_WEAK correlations and 6 total correlated events. The correlator identified patterns that no single source would have caught alone.
JA3: TLS fingerprints to catch Cobalt Strike
Every TLS client has a fingerprint — the JA3 hash — computed from the handshake parameters. Cobalt Strike, Metasploit, Sliver, Empire: each has a known JA3. AIWALL maintains a database of 25 known malicious hashes and matches them in real time against every TLS handshake captured by Suricata.
Most IDS solutions only watch external traffic. But lateral movement — an attacker moving between internal nodes after compromising a service — happens entirely within the LAN. AIWALL has a dedicated module for this.
The internal monitor works in two phases. During the learn phase, it observes all LAN traffic and builds a baseline: which containers talk to which, on which ports, how often. Over 120 flows in the current baseline, tens of thousands of internal flows processed. In the enforce phase, any connection outside the baseline is flagged as anomalous — potential lateral movement. The system can alert, limit, or block anomalous traffic based on configuration.
Telegram: human-in-the-loop with inline buttons
An IDS that only sends notifications is an IDS you'll ignore after three days. AIWALL has a full-featured Telegram bot with commands, inline buttons, and an approval system for blocking actions.
When a critical alert fires, the bot sends a notification with three buttons: [Ban], [Rate-Limit], and [Ignore]. Hit Ban and the IP is blocked on the gateway in real time. The system supports both human approval mode and fully automatic mode, configurable per risk level.
The bot supports 15 commands: real-time status, top suspicious IPs, per-IP alert history, daily stats, manual ban/unban. I manage my homelab security from my phone while standing in line at the grocery store.
36 WordPress scans and 4 RCE attempts in 48 hours
The reverse proxy log reader caught in the last 48 hours: 36 WordPress scan attempts (path traversal to wp-admin, wp-login, xmlrpc.php) and 4 Remote Code Execution attempts. Automated scanners try everything regardless of the actual stack.
On the DNS front, the sinkhole blocked nearly 100 requests across telemetry, beacons, advertising, and other categories. One potential DNS tunneling attempt detected. The numbers seem low? That's because it's working: 280,000 domains already blocked at the DNS level means most malicious traffic never even reaches Suricata.
50+ Prometheus metrics: IDS observability
AIWALL exposes over 50 Prometheus metrics. Real-time risk score, LLM latency, events by type, alerts by severity, correlations, internal anomalies, Telegram bot health, web attacks, DNS blocks. Everything feeds into Grafana.
The numbers that matter after 48 hours in production:
571 alerts in the database, 172 scored above the noise threshold
148 analyses completed, 18 LLM invocations (the rest handled by deterministic scoring alone)
Average LLM latency: 0.85 seconds
Zero LLM errors, zero Telegram errors
Over 5,000 IPs in the CrowdSec community blocklist
120+ flows in the internal baseline, tens of thousands of flows processed
The bill: what AIWALL actually costs
Nothing. Or close to it.
Groq API: free tier (30 requests/minute — more than enough)
AbuseIPDB: free tier (1,000 queries/day)
Telegram Bot API: free
Raspberry Pi 5 8GB: ~$90 (one-time)
LXC orchestrator container: 1 GB RAM on hardware you already own
RPi 5 power consumption: ~5W idle — under $10/year in electricity
A Darktrace deployment starts at $50,000/year. CrowdStrike Falcon Go costs $60/device/year. AIWALL isn't at their level — it doesn't have machine learning on petabytes of telemetry — but for a homelab with a dozen containers and several public domains, it gets the job done. For free.
Want to build it? Here's where to start
AIWALL isn't a product. It's a project I built for my homelab that you can adapt to yours. You'll need:
A Linux gateway (RPi 5, old PC, dedicated VM) running Suricata and a DNS sinkhole
A container or VM for the Python orchestrator (1 GB RAM is enough)
A free Groq account for the LLM
A Telegram bot for notifications (5 minutes to set up with BotFather)
Optional: Prometheus + Grafana for dashboards (but you can start without)
If you build it, drop me a message — I want to know what you detect on your network.
I have a dozen containers, several public domains, and a $90 Raspberry Pi watching over all of it. In 48 hours it processed 365,930 events, caught 4 RCE attempts, correlated 33 suspicious patterns, and produced zero critical false positives. Does your homelab know who's knocking at the door?
