Metadata-Version: 2.4
Name: cnsl
Version: 3.0.0
Summary: Correlated Network Security Layer — A self-hosted SIEM for Linux
Author-email: Rahad Bhuiya <rahadbhuiya2021@gmail.com>
License-Expression: MIT
Project-URL: Homepage, https://github.com/rahadbhuiya/cnsl
Project-URL: Documentation, https://github.com/rahadbhuiya/cnsl/tree/main/docs
Project-URL: Repository, https://github.com/rahadbhuiya/cnsl
Project-URL: Bug Tracker, https://github.com/rahadbhuiya/cnsl/issues
Project-URL: Changelog, https://github.com/rahadbhuiya/cnsl#changelog
Keywords: security,siem,ssh,brute-force,iptables,ipset,intrusion-detection,threat-detection,linux,honeypot,ml,anomaly-detection
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Operating System :: POSIX :: Linux
Classifier: Topic :: Security
Classifier: Topic :: System :: Networking :: Monitoring
Classifier: Intended Audience :: System Administrators
Classifier: Development Status :: 5 - Production/Stable
Requires-Python: >=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Provides-Extra: notify
Requires-Dist: aiohttp>=3.9; extra == "notify"
Provides-Extra: db
Requires-Dist: aiosqlite>=0.19; extra == "db"
Provides-Extra: yaml
Requires-Dist: pyyaml>=6.0; extra == "yaml"
Provides-Extra: auth
Requires-Dist: bcrypt>=4.0; extra == "auth"
Requires-Dist: PyJWT>=2.8; extra == "auth"
Provides-Extra: 2fa
Requires-Dist: pyotp>=2.9; extra == "2fa"
Provides-Extra: geoip
Requires-Dist: geoip2>=4.7; extra == "geoip"
Provides-Extra: ml
Requires-Dist: scikit-learn>=1.4; extra == "ml"
Requires-Dist: numpy>=1.26; extra == "ml"
Provides-Extra: reports
Requires-Dist: reportlab>=4.0; extra == "reports"
Provides-Extra: redis
Requires-Dist: redis>=5.0; extra == "redis"
Provides-Extra: kafka
Requires-Dist: aiokafka>=0.10; extra == "kafka"
Provides-Extra: full
Requires-Dist: aiohttp>=3.9; extra == "full"
Requires-Dist: aiosqlite>=0.19; extra == "full"
Requires-Dist: pyyaml>=6.0; extra == "full"
Requires-Dist: bcrypt>=4.0; extra == "full"
Requires-Dist: PyJWT>=2.8; extra == "full"
Requires-Dist: pyotp>=2.9; extra == "full"
Requires-Dist: scikit-learn>=1.4; extra == "full"
Requires-Dist: numpy>=1.26; extra == "full"
Requires-Dist: reportlab>=4.0; extra == "full"
Provides-Extra: dev
Requires-Dist: pytest>=7; extra == "dev"
Requires-Dist: pytest-asyncio; extra == "dev"
Requires-Dist: pytest-timeout; extra == "dev"
Requires-Dist: pytest-cov; extra == "dev"
Requires-Dist: aiohttp>=3.9; extra == "dev"
Requires-Dist: aiosqlite>=0.19; extra == "dev"
Requires-Dist: pyyaml>=6.0; extra == "dev"
Requires-Dist: bcrypt>=4.0; extra == "dev"
Requires-Dist: PyJWT>=2.8; extra == "dev"
Requires-Dist: pyotp>=2.9; extra == "dev"
Requires-Dist: scikit-learn>=1.4; extra == "dev"
Requires-Dist: numpy>=1.26; extra == "dev"
Requires-Dist: reportlab>=4.0; extra == "dev"
Dynamic: license-file

<div align="center">

# CNSL

### Correlated Network Security Layer

<p>
  <a href="https://github.com/rahadbhuiya/cnsl/actions"><img src="https://github.com/rahadbhuiya/cnsl/actions/workflows/ci.yml/badge.svg" alt="CI"></a>
  <a href="https://pypi.org/project/cnsl"><img src="https://img.shields.io/pypi/v/cnsl" alt="PyPI"></a>
  <a href="https://www.python.org"><img src="https://img.shields.io/badge/python-3.10%2B-blue" alt="Python 3.10+"></a>
  <a href="LICENSE"><img src="https://img.shields.io/badge/License-MIT-green.svg" alt="MIT License"></a>
</p>

**A self-hosted SIEM for Linux.**  
Detects attacks that span SSH, web, database, and cloud logs simultaneously -- then blocks them automatically.

</div>

---

## What it does

Most tools watch one log and count failures. CNSL watches everything at once.

When an attacker scans your web server, probes your database, then tries SSH with stolen credentials -- CNSL sees all three as one coordinated attack and responds before the breach completes.

```
Web scan      from 45.33.32.1  --+
SSH brute     from 45.33.32.1  --+--->  HIGH alert + auto-block
DB auth fail  from 45.33.32.1  --+
```

It also tracks how far each attacker has progressed through the kill chain, learns new attack patterns automatically, and shares threat intelligence across multiple servers in real time.
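As an added illustration of the cross-log correlation described above (example code written for this README, not part of CNSL's own code base), the sketch below parses a few constructed web, sshd and database log lines, groups the resulting events by source IP, and escalates to HIGH only when a single address shows up in three different logs. The regexes, the `SINGLE_SOURCE_THRESHOLD` value and the dry-run/execute split are assumptions chosen for the illustration, not CNSL's real thresholds or API.

```python
"""Minimal multi-source correlator: one IP seen across several logs outranks
many failures in a single log. Illustrative only; not CNSL's engine."""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample lines (not real captures). Each entry is (log source, raw line).
SAMPLE_LOGS = [
    ("web", '45.33.32.1 - - [10/May/2024:10:01:02 +0000] "GET /.env HTTP/1.1" 404 0'),
    ("web", '45.33.32.1 - - [10/May/2024:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 404 0'),
    ("ssh", "May 10 10:02:11 host sshd[1234]: Failed password for root from 45.33.32.1 port 51234 ssh2"),
    ("ssh", "May 10 10:02:13 host sshd[1234]: Failed password for admin from 45.33.32.1 port 51236 ssh2"),
    ("db", "2024-05-10T10:03:01Z [Warning] Access denied for user 'root'@'45.33.32.1' (using password: YES)"),
    ("ssh", "May 10 10:05:00 host sshd[1300]: Failed password for bob from 203.0.113.7 port 40000 ssh2"),
    ("web", '198.51.100.9 - - [10/May/2024:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 512'),
]

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Assumed line shapes: Apache/nginx combined log, OpenSSH auth log, MySQL error log.
WEB_RE = re.compile(rf'^(?P<ip>{IP}) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{{3}}) ')
SSH_RE = re.compile(rf"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>{IP}) port \d+")
DB_RE = re.compile(rf"Access denied for user '(?P<user>[^']+)'@'(?P<ip>{IP})'")

# Hypothetical per-source count before a lone log source is worth escalating on its own.
SINGLE_SOURCE_THRESHOLD = 5


@dataclass(frozen=True)
class Event:
    source: str  # which log produced it: "web", "ssh" or "db"
    ip: str      # remote address the activity came from
    kind: str    # normalized event type


@dataclass
class Profile:
    """Everything observed for one IP, bucketed by log source."""
    ip: str
    per_source: dict = field(default_factory=lambda: defaultdict(int))

    @property
    def sources(self) -> frozenset:
        return frozenset(self.per_source)


def parse_event(source: str, line: str) -> Event | None:
    """Turn a raw line into a normalized Event, or None if it is benign/unparsed."""
    if source == "web":
        m = WEB_RE.match(line)
        if m and m.group("status").startswith("4"):  # 4xx on a probe path counts as scanning
            return Event("web", m.group("ip"), "web_scan")
    elif source == "ssh":
        m = SSH_RE.search(line)
        if m:
            return Event("ssh", m.group("ip"), "ssh_auth_fail")
    elif source == "db":
        m = DB_RE.search(line)
        if m:
            return Event("db", m.group("ip"), "db_auth_fail")
    return None


def correlate(logs) -> dict[str, Profile]:
    """Group events from all sources by originating IP."""
    profiles: dict[str, Profile] = {}
    for source, line in logs:
        ev = parse_event(source, line)
        if ev is None:
            continue
        profiles.setdefault(ev.ip, Profile(ev.ip)).per_source[ev.source] += 1
    return profiles


def severity(profile: Profile) -> str:
    """Breadth across logs drives severity more than depth within one log."""
    n = len(profile.sources)
    if n >= 3:
        return "HIGH"
    if n == 2 or sum(profile.per_source.values()) >= SINGLE_SOURCE_THRESHOLD:
        return "MEDIUM"
    return "LOW"


def decide(logs, execute: bool = False) -> list[tuple[str, str, list[str], str]]:
    """Return (ip, severity, sources, action); dry-run reports instead of blocking."""
    decisions = []
    for ip, prof in correlate(logs).items():
        sev = severity(prof)
        if sev != "HIGH":
            action = "monitor"
        else:
            action = "block" if execute else "would-block"
        decisions.append((ip, sev, sorted(prof.sources), action))
    return decisions


if __name__ == "__main__":
    for ip, sev, sources, action in decide(SAMPLE_LOGS):
        print(f"{ip:<15} {sev:<6} {','.join(sources):<12} -> {action}")
```

Only the address that appears in all three logs reaches HIGH; the lone sshd failure from 203.0.113.7 stays at LOW, and the successful web request from 198.51.100.9 never becomes an event at all. Passing `execute=True` is the analogue of the `--execute` flag mentioned in the quick start: the same decision logic, but the action flips from a report to a real block.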

---

## Quick start

```bash
pip install cnsl[full]
sudo python -m cnsl --dashboard --no-tcpdump
# Open http://127.0.0.1:8765
# Default login: admin / cnsl-change-me
```

Or from source:

```bash
git clone https://github.com/rahadbhuiya/cnsl.git
cd cnsl
python3 -m venv venv && source venv/bin/activate
pip install -e ".[full]"
sudo venv/bin/python -m cnsl --dashboard --no-tcpdump
```

> Start in dry-run mode (default) -- no real blocks until you add `--execute`.

---

## Dashboard

Enable with `--dashboard`. Runs at `http://127.0.0.1:8765`.

Tabs: Overview, Incidents, Blocks, Live Feed, Kill Chain, Graph, Cases, UEBA, ML, Honeypot, FIM, Rules, Rate Limit, Settings.

For remote access use an SSH tunnel:
```bash
ssh -L 8765:127.0.0.1:8765 user@yourserver
```

---

## Configuration

Copy and edit the example config:

```bash
cp config/config.example.json /etc/cnsl/config.json
```

All options are documented in [`docs/configuration.md`](docs/configuration.md).  
Key sections: `thresholds`, `actions`, `dashboard`, `notifications`, `redis`, `cloud_identity`, `zero_trust`, `siem`, `federation`.

---

## Documentation

| Document | What it covers |
|:---|:---|
| [`docs/installation.md`](docs/installation.md) | Full install, systemd, Docker |
| [`docs/configuration.md`](docs/configuration.md) | Every config option explained |
| [`docs/features.md`](docs/features.md) | Complete feature list |
| [`docs/architecture.md`](docs/architecture.md) | Module structure and design |
| [`docs/kill-chain.md`](docs/kill-chain.md) | Kill chain tracker |
| [`docs/federation.md`](docs/federation.md) | Multi-node setup |
| [`docs/cloud-identity.md`](docs/cloud-identity.md) | AWS + Azure AD integration |
| [`docs/zero-trust.md`](docs/zero-trust.md) | Trust score engine |
| [`docs/siem-connectors.md`](docs/siem-connectors.md) | Splunk, Sentinel, Webhook push |
| [`docs/pattern-learning.md`](docs/pattern-learning.md) | Automated rule discovery |
| [`docs/api.md`](docs/api.md) | Full REST API reference |
| [`docs/ot-iot.md`](docs/ot-iot.md) | OT/ICS protocol support (Modbus, DNP3, SCADA) |
| [`docs/changelog.md`](docs/changelog.md) | Version history |
| [`docs/`](docs/) | All documentation (26 guides) |

---

## Requirements

- Linux (Ubuntu 20.04+ / Debian 11+ / RHEL 8+)
- Python 3.10+
- Root or `CAP_NET_ADMIN` for iptables blocking

Optional: Redis (distributed blocklist + federation), MaxMind GeoIP database.

---

## License

MIT. See [LICENSE](LICENSE).
