Upload folder using huggingface_hub

app.py

@@ -1,277 +1,327 @@
 #!/usr/bin/env python3
-"""
-C2Sentinel Demo - HuggingFace Space
-Interactive demo for testing C2 beacon detection.
-"""
+"""C2Sentinel - HuggingFace Space Demo"""
 
 import gradio as gr
 import json
+import re
+from datetime import datetime
 from huggingface_hub import hf_hub_download
 
-# Download model files
-model_dir = "."
-hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2sentinel.py", local_dir=model_dir)
-hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2_sentinel.safetensors", local_dir=model_dir)
-hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2_sentinel.json", local_dir=model_dir)
-
+# Download and load model
+hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2sentinel.py", local_dir=".")
+hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2_sentinel.safetensors", local_dir=".")
+hf_hub_download(repo_id="danielostrow/c2sentinel", filename="c2_sentinel.json", local_dir=".")
 from c2sentinel import C2Sentinel
-
-# Load model
 sentinel = C2Sentinel.load('c2_sentinel')
 
-# Example connection data
+# Examples
 EXAMPLES = {
-    "-- Select Example --": "",
-    "C2 Beacon (60s intervals)": json.dumps([
-        {"timestamp": 1705600000, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600060, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600120, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600180, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600240, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600300, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600360, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-        {"timestamp": 1705600420, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-    ], indent=2),
-    "Metasploit Port 4444": json.dumps([
-        {"timestamp": 1705600000, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
-        {"timestamp": 1705600030, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
-        {"timestamp": 1705600060, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
-        {"timestamp": 1705600090, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
-        {"timestamp": 1705600120, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
-    ], indent=2),
-    "SSH Keepalive (Legitimate)": json.dumps([
-        {"timestamp": 1705600000, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-        {"timestamp": 1705600030, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-        {"timestamp": 1705600060, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-        {"timestamp": 1705600090, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-        {"timestamp": 1705600120, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-        {"timestamp": 1705600150, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
-    ], indent=2),
-    "Web Browsing (Legitimate)": json.dumps([
+    "C2 Beacon (60s)": [
+        {"timestamp": 1705600000+i*60, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}
+        for i in range(8)
+    ],
+    "Metasploit 4444": [
+        {"timestamp": 1705600000+i*30, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300}
+        for i in range(6)
+    ],
+    "SSH Keepalive": [
+        {"timestamp": 1705600000+i*30, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48}
+        for i in range(6)
+    ],
+    "Web Traffic": [
         {"timestamp": 1705600000, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes_sent": 500, "bytes_recv": 15000},
-        {"timestamp": 1705600002, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 8000},
-        {"timestamp": 1705600010, "dst_ip": "151.101.1.140", "dst_port": 443, "bytes_sent": 800, "bytes_recv": 45000},
-        {"timestamp": 1705600015, "dst_ip": "172.217.14.206", "dst_port": 443, "bytes_sent": 300, "bytes_recv": 12000},
+        {"timestamp": 1705600002, "dst_ip": "151.101.1.140", "dst_port": 443, "bytes_sent": 800, "bytes_recv": 45000},
+        {"timestamp": 1705600010, "dst_ip": "172.217.14.206", "dst_port": 443, "bytes_sent": 300, "bytes_recv": 12000},
+        {"timestamp": 1705600015, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 8000},
         {"timestamp": 1705600025, "dst_ip": "151.101.1.140", "dst_port": 443, "bytes_sent": 150, "bytes_recv": 5000},
-    ], indent=2),
-    "Slow Beacon (5 min)": json.dumps([
-        {"timestamp": 1705600000, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
-        {"timestamp": 1705600300, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
-        {"timestamp": 1705600600, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
-        {"timestamp": 1705600900, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
-        {"timestamp": 1705601200, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
-    ], indent=2),
+    ],
 }
 
 
-def parse_log_file(file_content: str) -> list:
-    """Parse various log file formats into connection records."""
+def parse_timestamp(ts_str):
+    """Parse various timestamp formats to unix timestamp."""
+    if not ts_str:
+        return None
+
+    # Already numeric
+    try:
+        ts = float(ts_str)
+        if ts > 1e12:  # milliseconds
+            return ts / 1000
+        return ts
+    except:
+        pass
+
+    # Common date formats
+    formats = [
+        "%Y-%m-%dT%H:%M:%S.%fZ",
+        "%Y-%m-%dT%H:%M:%SZ",
+        "%Y-%m-%dT%H:%M:%S.%f",
+        "%Y-%m-%dT%H:%M:%S",
+        "%Y-%m-%d %H:%M:%S.%f",
+        "%Y-%m-%d %H:%M:%S",
+        "%b %d %H:%M:%S",
+        "%b  %d %H:%M:%S",
+        "%d/%b/%Y:%H:%M:%S",
+    ]
+
+    for fmt in formats:
+        try:
+            dt = datetime.strptime(ts_str.strip(), fmt)
+            if dt.year == 1900:
+                dt = dt.replace(year=datetime.now().year)
+            return dt.timestamp()
+        except:
+            continue
+    return None
+
+
+def extract_ip_port(text):
+    """Extract IP and port from various formats."""
+    # IP:port format
+    m = re.search(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}):(\d+)', text)
+    if m:
+        return m.group(1), int(m.group(2))
+
+    # Just IP
+    m = re.search(r'(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', text)
+    if m:
+        return m.group(1), None
+
+    return None, None
+
+
+def parse_logs(content):
+    """Parse multiple log formats into connection records."""
     connections = []
-    lines = file_content.strip().split('\n')
+    lines = content.strip().split('\n')
 
     for line in lines:
         line = line.strip()
         if not line or line.startswith('#'):
             continue
 
+        conn = None
+
+        # 1. JSON format
         try:
-            record = json.loads(line)
-            if 'dst_ip' in record or 'id.resp_h' in record:
-                conn = {
-                    'timestamp': record.get('timestamp', record.get('ts', 0)),
-                    'dst_ip': record.get('dst_ip', record.get('id.resp_h', '')),
-                    'dst_port': int(record.get('dst_port', record.get('id.resp_p', 0))),
-                    'bytes_sent': int(record.get('bytes_sent', record.get('orig_bytes', 0) or 0)),
-                    'bytes_recv': int(record.get('bytes_recv', record.get('resp_bytes', 0) or 0)),
-                }
-                if conn['dst_ip']:
-                    connections.append(conn)
-                continue
-        except (json.JSONDecodeError, ValueError):
+            obj = json.loads(line)
+            conn = {
+                'timestamp': parse_timestamp(obj.get('timestamp') or obj.get('ts') or obj.get('@timestamp') or obj.get('EventTime') or obj.get('time')),
+                'dst_ip': obj.get('dst_ip') or obj.get('dest_ip') or obj.get('id.resp_h') or obj.get('DestinationIP') or obj.get('dst') or obj.get('destination_ip'),
+                'dst_port': obj.get('dst_port') or obj.get('dest_port') or obj.get('id.resp_p') or obj.get('DestinationPort') or obj.get('dport'),
+                'bytes_sent': obj.get('bytes_sent') or obj.get('orig_bytes') or obj.get('SentBytes') or obj.get('out_bytes') or 0,
+                'bytes_recv': obj.get('bytes_recv') or obj.get('resp_bytes') or obj.get('ReceivedBytes') or obj.get('in_bytes') or 0,
+            }
+        except json.JSONDecodeError:
             pass
 
-        parts = line.split('\t')
-        if len(parts) >= 10:
-            try:
+        # 2. Zeek/Bro conn.log (tab-separated)
+        if not conn:
+            parts = line.split('\t')
+            if len(parts) >= 10:
+                try:
+                    conn = {
+                        'timestamp': parse_timestamp(parts[0]),
+                        'dst_ip': parts[4] if parts[4] != '-' else None,
+                        'dst_port': int(parts[5]) if parts[5] != '-' else None,
+                        'bytes_sent': int(parts[9]) if len(parts) > 9 and parts[9] != '-' else 0,
+                        'bytes_recv': int(parts[10]) if len(parts) > 10 and parts[10] != '-' else 0,
+                    }
+                except:
+                    pass
+
+        # 3. Syslog format (various)
+        if not conn:
+            # Standard syslog: "Mon DD HH:MM:SS host process: message"
+            syslog_match = re.match(r'^(\w{3}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+\S+\s+\S+:\s*(.*)$', line)
+            if syslog_match:
+                ts = parse_timestamp(syslog_match.group(1))
+                msg = syslog_match.group(2)
+                dst_ip, dst_port = extract_ip_port(msg)
+
+                bytes_match = re.search(r'(\d+)\s*bytes?', msg, re.I)
+                bytes_val = int(bytes_match.group(1)) if bytes_match else 100
+
+                if dst_ip:
+                    conn = {
+                        'timestamp': ts,
+                        'dst_ip': dst_ip,
+                        'dst_port': dst_port or 443,
+                        'bytes_sent': bytes_val // 2,
+                        'bytes_recv': bytes_val // 2,
+                    }
+
+        # 4. Windows Event Log (XML-ish or key=value)
+        if not conn:
+            # Key=value format
+            if '=' in line:
+                kv = dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))
+                for k in list(kv.keys()):
+                    kv[k] = kv[k].strip('"')
+
+                dst_ip = kv.get('DestAddress') or kv.get('DestinationIp') or kv.get('dst') or kv.get('RemoteAddress')
+                dst_port = kv.get('DestPort') or kv.get('DestinationPort') or kv.get('dport') or kv.get('RemotePort')
+                ts = kv.get('TimeGenerated') or kv.get('EventTime') or kv.get('timestamp')
+
+                if dst_ip:
+                    conn = {
+                        'timestamp': parse_timestamp(ts) if ts else datetime.now().timestamp(),
+                        'dst_ip': dst_ip,
+                        'dst_port': int(dst_port) if dst_port and dst_port.isdigit() else 443,
+                        'bytes_sent': int(kv.get('SentBytes', 100)),
+                        'bytes_recv': int(kv.get('ReceivedBytes', 100)),
+                    }
+
+        # 5. CSV format
+        if not conn and ',' in line and not line.startswith('{'):
+            parts = [p.strip().strip('"') for p in line.split(',')]
+            if len(parts) >= 4:
+                # Try to identify columns
+                for i, p in enumerate(parts):
+                    ip, port = extract_ip_port(p)
+                    if ip:
+                        ts = None
+                        for j, q in enumerate(parts):
+                            ts = parse_timestamp(q)
+                            if ts:
+                                break
+
+                        conn = {
+                            'timestamp': ts or datetime.now().timestamp(),
+                            'dst_ip': ip,
+                            'dst_port': port or 443,
+                            'bytes_sent': 100,
+                            'bytes_recv': 100,
+                        }
+
+                        # Look for bytes
+                        for p in parts:
+                            if p.isdigit() and int(p) > 0:
+                                conn['bytes_sent'] = int(p)
+                                break
+                        break
+
+        # 6. Generic IP extraction as fallback
+        if not conn:
+            dst_ip, dst_port = extract_ip_port(line)
+            if dst_ip:
+                ts = parse_timestamp(re.search(r'[\d\-T:\.Z]+', line).group() if re.search(r'[\d\-T:\.Z]+', line) else None)
                 conn = {
-                    'timestamp': float(parts[0]),
-                    'dst_ip': parts[4],
-                    'dst_port': int(parts[5]),
-                    'bytes_sent': int(parts[9] if parts[9] != '-' else 0),
-                    'bytes_recv': int(parts[10] if len(parts) > 10 and parts[10] != '-' else 0),
+                    'timestamp': ts or datetime.now().timestamp(),
+                    'dst_ip': dst_ip,
+                    'dst_port': dst_port or 443,
+                    'bytes_sent': 100,
+                    'bytes_recv': 100,
                 }
-                connections.append(conn)
-            except (ValueError, IndexError):
-                pass
+
+        # Validate and add
+        if conn and conn.get('dst_ip') and conn.get('timestamp'):
+            conn['dst_port'] = int(conn['dst_port'] or 443)
+            conn['bytes_sent'] = int(conn['bytes_sent'] or 0)
+            conn['bytes_recv'] = int(conn['bytes_recv'] or 0)
+            connections.append(conn)
 
     return connections
 
 
-def analyze_connections(
-    connection_json: str,
-    uploaded_file,
-    threshold: float,
-    strict_mode: bool,
-    whitelist_ips: str,
-    blacklist_ips: str
-) -> str:
-    """Analyze connection data and return results."""
+def analyze(input_text, file_obj, example, threshold, whitelist, blacklist):
+    """Main analysis function."""
     try:
-        # Reset whitelist/blacklist
+        # Reset lists
         sentinel.whitelist_ips = set()
-        sentinel.whitelist_domains = set()
         sentinel.blacklist_ips = set()
-        sentinel.blacklist_domains = set()
-
-        # Apply whitelist
-        if whitelist_ips and whitelist_ips.strip():
-            ips = [ip.strip() for ip in whitelist_ips.split(',') if ip.strip()]
-            sentinel.add_whitelist(ips=ips)
 
-        # Apply blacklist
-        if blacklist_ips and blacklist_ips.strip():
-            ips = [ip.strip() for ip in blacklist_ips.split(',') if ip.strip()]
-            sentinel.add_blacklist(ips=ips)
+        if whitelist:
+            sentinel.add_whitelist(ips=[ip.strip() for ip in whitelist.split(',') if ip.strip()])
+        if blacklist:
+            sentinel.add_blacklist(ips=[ip.strip() for ip in blacklist.split(',') if ip.strip()])
 
         # Get connections
         connections = []
 
-        if uploaded_file is not None:
-            file_content = uploaded_file.decode('utf-8') if isinstance(uploaded_file, bytes) else open(uploaded_file, 'r').read()
-            connections = parse_log_file(file_content)
+        if file_obj:
+            content = file_obj.decode('utf-8') if isinstance(file_obj, bytes) else open(file_obj, 'r').read()
+            connections = parse_logs(content)
             if not connections:
                 try:
-                    connections = json.loads(file_content)
+                    connections = json.loads(content)
                 except:
                     pass
 
-        if not connections and connection_json and connection_json.strip():
-            connections = json.loads(connection_json)
+        if not connections and example and example in EXAMPLES:
+            connections = EXAMPLES[example]
+
+        if not connections and input_text:
+            connections = parse_logs(input_text)
+            if not connections:
+                try:
+                    connections = json.loads(input_text)
+                except:
+                    pass
 
-        if not isinstance(connections, list):
-            return "## Error\nInput must be a JSON array of connection objects"
+        if not connections:
+            return "⚠️ No valid connections found. Check input format."
 
         if len(connections) < 3:
-            return "## Error\nNeed at least 3 connections for analysis"
+            return f"⚠️ Need 3+ connections (found {len(connections)})"
 
-        # Run analysis
-        result = sentinel.analyze(connections, threshold=threshold, strict_mode=strict_mode)
+        # Analyze
+        result = sentinel.analyze(connections, threshold=threshold)
 
-        # Format result
+        # Format output
         if result.is_c2:
-            output = f"## 🚨 C2 DETECTED: {result.c2_type}\n\n"
+            out = f"### 🚨 C2 DETECTED\n**Type:** {result.c2_type}\n\n"
         else:
-            output = "## ✅ No C2 Detected\n\n"
+            out = "### ✅ No C2 Detected\n\n"
 
-        output += f"| Metric | Value |\n|--------|-------|\n"
-        output += f"| Probability | {result.c2_probability:.1%} |\n"
-        output += f"| Confidence | {result.confidence:.1%} |\n"
-        output += f"| Detection Method | {result.detection_method} |\n"
-        output += f"| Connections | {len(connections)} |\n"
+        out += f"**Probability:** {result.c2_probability:.0%} · **Confidence:** {result.confidence:.0%} · **Connections:** {len(connections)}\n\n"
 
         if result.matched_legitimate_pattern:
-            output += f"| Matched Pattern | {result.matched_legitimate_pattern} |\n"
+            out += f"**Pattern:** {result.matched_legitimate_pattern}\n\n"
 
         if result.risk_factors:
-            output += "\n### Risk Factors\n"
-            for f in result.risk_factors[:5]:
-                output += f"- {f}\n"
-
-        if result.mitigating_factors:
-            output += "\n### Mitigating Factors\n"
-            for f in result.mitigating_factors[:5]:
-                output += f"- {f}\n"
+            out += "**Risk:** " + " · ".join(result.risk_factors[:3]) + "\n\n"
 
-        if result.recommendations:
-            output += "\n### Recommendations\n"
-            for r in result.recommendations[:3]:
-                output += f"- {r}\n"
+        if result.recommendations and result.is_c2:
+            out += "**Action:** " + result.recommendations[0] + "\n"
 
-        return output
+        return out
 
-    except json.JSONDecodeError as e:
-        return f"## Error\nInvalid JSON: {str(e)}"
     except Exception as e:
-        return f"## Error\n{str(e)}"
+        return f"⚠️ Error: {str(e)}"
 
 
-def load_example(example_name: str) -> str:
-    """Load example connection data."""
-    return EXAMPLES.get(example_name, "")
+# UI
+with gr.Blocks(title="C2Sentinel", theme=gr.themes.Soft(), css="""
+    .container { max-width: 900px; margin: auto; }
+    footer { display: none !important; }
+""") as demo:
 
+    gr.Markdown("# 🛡️ C2Sentinel\nDetect C2 beacon patterns in network logs")
 
-# Build interface
-with gr.Blocks(title="C2Sentinel", theme=gr.themes.Soft()) as demo:
-    gr.Markdown("""
-# C2Sentinel - C2 Beacon Detection
-
-Analyze network connections for Command and Control beacon activity.
+    with gr.Row():
+        with gr.Column(scale=3):
+            file_input = gr.File(label="Upload Log File", file_types=[".json", ".log", ".txt", ".csv", ".evtx"], type="binary")
+            text_input = gr.Textbox(label="Or Paste Log Data", lines=6, placeholder="JSON, syslog, Zeek, CSV, Windows events...")
+            example_select = gr.Radio(choices=list(EXAMPLES.keys()), label="Or Use Example", value=None)
 
-[Model](https://huggingface.co/danielostrow/c2sentinel) | [Docs](https://huggingface.co/danielostrow/c2sentinel/blob/main/API_REFERENCE.md) | [neuralintellect.com](https://neuralintellect.com)
-    """)
+        with gr.Column(scale=2):
+            threshold = gr.Slider(0.3, 0.8, 0.5, step=0.1, label="Sensitivity", info="Lower = more alerts")
+            whitelist = gr.Textbox(label="Whitelist IPs", placeholder="8.8.8.8, 1.1.1.1", lines=1)
+            blacklist = gr.Textbox(label="Blacklist IPs", placeholder="10.10.10.10", lines=1)
+            btn = gr.Button("Analyze", variant="primary", size="lg")
 
-    with gr.Row():
-        with gr.Column():
-            example_dropdown = gr.Dropdown(
-                choices=list(EXAMPLES.keys()),
-                value="-- Select Example --",
-                label="Load Example"
-            )
-
-            connection_input = gr.Textbox(
-                label="Connection Data (JSON)",
-                placeholder='[{"timestamp": 1000000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}, ...]',
-                lines=10
-            )
-
-            file_upload = gr.File(
-                label="Or Upload Log File",
-                file_types=[".json", ".log", ".txt"],
-                type="binary"
-            )
-
-            with gr.Row():
-                threshold = gr.Slider(
-                    minimum=0.1, maximum=0.9, value=0.5, step=0.1,
-                    label="Threshold (lower=sensitive)"
-                )
-                strict_mode = gr.Checkbox(label="Strict Mode", value=False)
-
-            with gr.Accordion("Whitelist / Blacklist", open=False):
-                whitelist_ips = gr.Textbox(
-                    label="Whitelist IPs (comma-separated)",
-                    placeholder="8.8.8.8, 1.1.1.1"
-                )
-                blacklist_ips = gr.Textbox(
-                    label="Blacklist IPs (comma-separated)",
-                    placeholder="10.10.10.10"
-                )
-
-            analyze_btn = gr.Button("Analyze", variant="primary")
-
-        with gr.Column():
-            result_output = gr.Markdown(label="Results")
-
-    # Event handlers
-    example_dropdown.change(
-        fn=load_example,
-        inputs=[example_dropdown],
-        outputs=[connection_input]
-    )
-
-    analyze_btn.click(
-        fn=analyze_connections,
-        inputs=[connection_input, file_upload, threshold, strict_mode, whitelist_ips, blacklist_ips],
-        outputs=[result_output]
-    )
+    output = gr.Markdown()
 
     gr.Markdown("""
 ---
-**Format:** `[{"timestamp": float, "dst_ip": "x.x.x.x", "dst_port": int, "bytes_sent": int, "bytes_recv": int}, ...]`
-
-Built on [LogBERT](https://arxiv.org/abs/2103.04475) | Author: Daniel Ostrow
+**Formats:** JSON, Zeek conn.log, syslog, Graylog, Windows Event, CSV
+**Docs:** [Model](https://huggingface.co/danielostrow/c2sentinel) · [API](https://huggingface.co/danielostrow/c2sentinel/blob/main/API_REFERENCE.md) · [neuralintellect.com](https://neuralintellect.com)
     """)
 
+    btn.click(analyze, [text_input, file_input, example_select, threshold, whitelist, blacklist], output)
+    example_select.change(lambda x: "", [example_select], [text_input])
 
 if __name__ == "__main__":
     demo.launch(server_name="0.0.0.0", server_port=7860)