SigmaShift Suricata Rule Generator v1
A fine-tuned Mistral-7B model that generates production-ready Suricata IDS rules and Zeek detection scripts from security findings (CVEs, vulnerability descriptions, threat intelligence).
Model Details
| Parameter | Value |
|---|---|
| Base model | mistralai/Mistral-7B-Instruct-v0.3 |
| Method | QLoRA (rank=64, alpha=128, NF4 quantization) |
| Training | 3 epochs, 1266 steps, batch 4, lr 2e-4 |
| Final train loss | 0.106 |
| Best eval loss | 0.141 (checkpoint 1200) |
| Quantization | Q4_K_M (4.1GB) via llama.cpp |
Evaluation
Tested on 20 held-out CVE test cases (not in training data):
- Average score: 8.4/12
- Suricata: 100% structurally valid rules
- Zeek: Valid detection scripts with Notice framework integration
Scoring criteria: block presence (suricata/zeek/reasoning), valid action keyword, msg field, SID, classtype, rev, balanced parentheses, Notice redef, event handler.
Usage with Ollama
```bash
# Download the GGUF
# Create model from Modelfile.q4km (update the FROM path)
ollama create sigmashift-suricata:v1-q4km -f Modelfile.q4km
# Run
ollama run sigmashift-suricata:v1-q4km "Generate a Suricata rule for CVE-2021-44228 Log4Shell"
```
Output Format
The model outputs three tagged blocks:
```
<suricata>
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET EXPLOIT Apache Log4j RCE (CVE-2021-44228)"; ...)
</suricata>
<zeek>
@load base/frameworks/notice
redef enum Notice::Type += { Log4Shell_Attempt };
event http_message_done(c: connection, is_orig: bool) { ... }
</zeek>
<reasoning>
Detection approach explanation...
</reasoning>
```
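The structural criteria listed under Evaluation can be applied to the tagged output described above before a generated rule goes anywhere near a sensor. The following is an added example, not the project's evaluation code: `extract_blocks`, `balanced_parens` and `check_output` are hypothetical names, the sample response is constructed, and the checks are reported unweighted because the page does not show how they combine into the 12-point score.

```python
import re

TAGS = ("suricata", "zeek", "reasoning")
# Rule actions listed in the Suricata rule-format documentation.
ACTIONS = {"alert", "pass", "drop", "reject", "rejectsrc", "rejectdst", "rejectboth"}

def extract_blocks(output):
    """Return {tag: body} for each tagged block present in a model response."""
    found = ((t, re.search(rf"<{t}>\s*(.*?)\s*</{t}>", output, re.DOTALL)) for t in TAGS)
    return {t: m.group(1) for t, m in found if m}

def balanced_parens(rule):
    # Blank out quoted strings first, so a ')' inside msg:"..." cannot hide a missing ')'.
    unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', rule)
    depth = 0
    for ch in unquoted:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0

def check_output(output):
    """Map each structural criterion to True/False (hypothetical helper, unweighted)."""
    blocks = extract_blocks(output)
    rule, zeek = blocks.get("suricata", ""), blocks.get("zeek", "")
    return {
        **{f"{t}_block": t in blocks for t in TAGS},
        "action": (rule.split() or [""])[0] in ACTIONS,
        "msg": bool(re.search(r'\bmsg\s*:\s*"[^"]+"', rule)),
        "sid": bool(re.search(r"\bsid\s*:\s*\d+\s*;", rule)),
        "classtype": bool(re.search(r"\bclasstype\s*:\s*[\w-]+\s*;", rule)),
        "rev": bool(re.search(r"\brev\s*:\s*\d+\s*;", rule)),
        "balanced_parens": bool(rule) and balanced_parens(rule),
        "notice_redef": bool(re.search(r"redef\s+enum\s+Notice::Type\s*\+=", zeek)),
        "event_handler": bool(re.search(r"^\s*event\s+\w+\s*\(", zeek, re.MULTILINE)),
    }

# Constructed sample response (not real model output).
SAMPLE = '''<suricata>
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"Constructed example (placeholder)"; http.uri; content:"/constructed"; classtype:attempted-admin; sid:1000001; rev:1;)
</suricata>
<zeek>
@load base/frameworks/notice
redef enum Notice::Type += { Constructed_Attempt };
event http_message_done(c: connection, is_orig: bool) { }
</zeek>
<reasoning>Constructed explanation.</reasoning>'''

for name, ok in check_output(SAMPLE).items():
    print(f"{name:16} {'ok' if ok else 'FAIL'}")
```

Passing these checks only shows the output has the expected shape; it does not show that the rule loads or matches the intended traffic, so run the rule file through Suricata's own test mode (`suricata -T`) before deploying it.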
Files
| File | Description |
|---|---|
| sigmashift-suricata-v1-q4km.gguf | Q4_K_M quantized model (4.1GB) |
| Modelfile / Modelfile.q4km | Ollama model definitions with system prompt |
| adapter/ | QLoRA adapter weights (for custom merging) |
| eval_report.md | Full 20-case evaluation report |
Training Data
Built from:
- Emerging Threats Open ruleset (~40k Suricata rules)
- NVD API CVE descriptions joined to ET rules by CVE reference
- MITRE ATT&CK technique descriptions joined by metadata tags
Part of SigmaShift
This model powers the offline/air-gapped rule generation mode in SigmaShift, a security analysis platform that converts vulnerability scan output into detection rules.
License
Apache 2.0