---------------- Tool: AgentSonar

AgentSonar is a network-visibility tool that identifies likely LLM/AI agent traffic by correlating process ownership of sockets with contacted domains and applying a heuristic classifier that outputs an AI score between 0 and 1.

Summary
AgentSonar records outbound connections, associates them with processes via socket ownership, extracts domain indicators from TLS SNI and DNS, and produces scored events for each process→domain pair. Known agents can be defined to produce deterministic matches; domains marked as noise are excluded from scoring.

How it works (conceptual)
• Socket correlation: associates OS socket ownership with userland processes to reveal which binary initiated a connection.
• Domain extraction: uses TLS SNI and DNS observations as the domain identifier for each outbound flow.
• Heuristic classifier: analyzes traffic-shape characteristics (byte/packet asymmetry, prevalence of small packets, long-lived or streaming connections, and programmatic TLS patterns) to infer whether a flow resembles LLM API traffic.
• Scoring model: emits an AI-likelihood score between 0 and 1 per process→domain pair; known agents map to 1.0 and noise domains map to 0.

Capabilities and workflows
AgentSonar provides persistent event storage and a triage-oriented workflow for reviewing high-scoring unknowns and labeling them as agents or noise. It supports importing pre-built event streams for classification and encourages community submissions of agent classifications to improve coverage.

Limitations and scope
The approach relies on observable network metadata (socket ownership, SNI, DNS) and traffic-shape heuristics; encrypted payloads and obfuscated patterns remain outside content-level analysis. Deterministic detection depends on maintained known-agent mappings, and heuristic scoring produces probabilistic indicators rather than definitive attribution: a long-lived, chunky non-AI session can still land in the mid-score range and needs analyst review.
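To make the scoring pipeline above concrete, here is an added Python sketch of a process→domain scorer. It is illustrative code written for this page, not AgentSonar's implementation: the flow schema, the known-agent and noise lists, the feature thresholds and the weights are all hypothetical, and the "programmatic TLS" test (every flow is TLS and none negotiated the browser-preferred h2 ALPN) is an assumption chosen for the example. The sample flows are constructed, not captured traffic.

```python
"""Illustrative process->domain AI-likelihood scorer (added example, not AgentSonar code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


# One record per observed outbound flow, already correlated with its owning
# process (socket ownership) and a domain taken from TLS SNI or a DNS answer.
# This schema and every record below are constructed for the example.
@dataclass(frozen=True)
class Flow:
    process: str            # owning binary name
    domain: str             # SNI or DNS name
    bytes_out: int
    bytes_in: int
    packets: int
    small_packets: int      # packets carrying a small payload (threshold set upstream)
    duration_s: float
    alpn: Optional[str]     # negotiated ALPN; None when the flow is not TLS


# Hypothetical deterministic mappings (assumption: maintained by the operator).
KNOWN_AGENTS = {"agentctl"}
NOISE_DOMAINS = {"telemetry.example.org", "updates.example.net"}

# Hypothetical thresholds and weights; AgentSonar's real ones are not on the page.
ASYMMETRY_MIN = 0.7      # responses dominate bytes (small prompt, large completion)
SMALL_RATIO_MIN = 0.5    # streamed token chunks produce many small packets
LONG_LIVED_S = 30.0      # streaming / long-lived session
TRIAGE_THRESHOLD = 0.7


def shape_features(flows):
    """Aggregate traffic-shape features over all flows of one process->domain pair."""
    tot_out = sum(f.bytes_out for f in flows)
    tot_in = sum(f.bytes_in for f in flows)
    tot_pkts = sum(f.packets for f in flows)
    tot_small = sum(f.small_packets for f in flows)
    return {
        "asymmetry": tot_in / (tot_in + tot_out) if tot_in + tot_out else 0.0,
        "small_ratio": tot_small / tot_pkts if tot_pkts else 0.0,
        "long_lived": max(f.duration_s for f in flows) >= LONG_LIVED_S,
        # "Programmatic TLS" approximated as: every flow is TLS and none negotiated
        # the h2 ALPN that browsers prefer. Assumption for illustration only.
        "programmatic_tls": all(f.alpn is not None and f.alpn != "h2" for f in flows),
    }


def score_pair(process, domain, flows):
    """Known agents are deterministic 1.0, noise domains 0.0, else a weighted heuristic."""
    if process in KNOWN_AGENTS:
        return {"score": 1.0, "source": "known"}
    if domain in NOISE_DOMAINS:
        return {"score": 0.0, "source": "noise"}
    feat = shape_features(flows)
    score = 0.0
    if feat["asymmetry"] >= ASYMMETRY_MIN:
        score += 0.35
    if feat["small_ratio"] >= SMALL_RATIO_MIN:
        score += 0.25
    if feat["long_lived"]:
        score += 0.2
    if feat["programmatic_tls"]:
        score += 0.2
    return {"score": round(min(score, 1.0), 2), "source": "heuristic"}


def score_events(flows):
    """Group flows by (process, domain) and emit one scored event per pair."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.process, f.domain)].append(f)
    return {pair: score_pair(pair[0], pair[1], group) for pair, group in groups.items()}


def triage(events, threshold=TRIAGE_THRESHOLD):
    """High-scoring unknowns: heuristic pairs at or above threshold, queued for labeling."""
    return sorted(pair for pair, ev in events.items()
                  if ev["source"] == "heuristic" and ev["score"] >= threshold)


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("python3", "api.example-llm.com", 2000, 40000, 120, 80, 12.0, "http/1.1"),
    Flow("python3", "api.example-llm.com", 1500, 30000, 90, 60, 8.0, "http/1.1"),
    Flow("firefox", "cdn.example.com", 5000, 2000000, 1500, 50, 3.0, "h2"),
    Flow("agentctl", "api.agent.example", 3000, 20000, 60, 40, 5.0, "http/1.1"),
    Flow("curl", "telemetry.example.org", 800, 400, 10, 8, 0.5, "http/1.1"),
    Flow("ssh", "bastion.example.net", 30000, 32000, 800, 700, 3600.0, None),
]

if __name__ == "__main__":
    events = score_events(SAMPLE_FLOWS)
    for (proc, dom), ev in sorted(events.items()):
        print(f"{proc:10s} {dom:25s} {ev['score']:.2f} ({ev['source']})")
    print("review:", triage(events))
```

Run on the constructed flows, the python3 pair scores 0.80 and is the only entry in the review queue, the browser download scores 0.35 on asymmetry alone, the known agent and the noise domain short-circuit to 1.0 and 0.0, and the long-lived ssh session with many small packets lands at 0.45: exactly the mid-range, non-attributable case the limitations section warns about, which is why the known-agent and noise lists, not the heuristic, carry the deterministic decisions.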
Practical context
AgentSonar targets defenders seeking endpoint-to-domain visibility with AI-specific signal enrichment, enabling detection of shadow AI usage where traditional allowlists may miss programmatic LLM traffic.

#agentsonar #llm_detection #network_visibility #knostic
Source: https://github.com/knostic/AgentSonar/