HACKER Q&A
📣 newslonenokgobo

Detecting LLM API Calls: A Zeek Odyssey


Hi HN,

I'm working on a script to detect LLM traffic.

It works well for programmatic access (e.g., Python, JavaScript, etc.) but doesn't capture any traffic from browsers.

Do you have any idea what might be causing this issue?

https://github.com/aguru-safeguard/zeek-llms/blob/main/llm_traffic_monitor.zeek


  👤 derekoc Accepted Answer ✓
LLM API requests made via browsers may have different HTTP headers, user-agent strings, or timing patterns than requests made programmatically via Python, JavaScript, etc. You might want to investigate if browser requests include headers that are not present in programmatic requests and adjust your detection rules accordingly.
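
One way to carry out the header comparison suggested in the answer above, as an added example that is not part of the answer or of the linked Zeek script: it reads Zeek JSON `http.log` records and reports which request header names separate browser clients from programmatic ones for a given host. It assumes the HTTP layer is visible to Zeek and that `policy/protocols/http/header-names` is loaded so `client_header_names` is logged; the host name, user agents, sample records and the `AUTHORIZATION`-keyed rule are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample records in Zeek JSON http.log form (not taken from the page).
# client_header_names is present only when policy/protocols/http/header-names is loaded.
SAMPLE_HTTP_LOG = """\
{"host":"api.llm.example","uri":"/v1/chat","user_agent":"python-requests/2.31.0","client_header_names":["HOST","USER-AGENT","ACCEPT","AUTHORIZATION","CONTENT-TYPE","CONTENT-LENGTH"]}
{"host":"api.llm.example","uri":"/v1/chat","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","client_header_names":["HOST","USER-AGENT","ACCEPT","ACCEPT-LANGUAGE","ORIGIN","REFERER","SEC-FETCH-MODE","CONTENT-TYPE","CONTENT-LENGTH"]}
{"host":"api.llm.example","uri":"/v1/chat","user_agent":"node-fetch/1.0","client_header_names":["HOST","USER-AGENT","ACCEPT","AUTHORIZATION","CONTENT-TYPE","CONTENT-LENGTH"]}
{"host":"intranet.example","uri":"/","user_agent":"Mozilla/5.0 (X11; Linux x86_64) Firefox/126.0","client_header_names":["HOST","USER-AGENT","COOKIE"]}
"""

def client_class(user_agent):
    """Rough split: browsers send a Mozilla/ token; anything else counts as programmatic."""
    return "browser" if (user_agent or "").startswith("Mozilla/") else "programmatic"

def header_profile(log_text, hosts):
    """Per client class, the header names present in every request sent to `hosts`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines
        if rec.get("host", "").lower() not in hosts:
            continue
        names = {n.upper() for n in rec.get("client_header_names", [])}
        seen[client_class(rec.get("user_agent"))].append(names)
    return {cls: set.intersection(*sets) for cls, sets in seen.items()}

def header_diff(profile):
    """Header names that appear for one client class but not the other."""
    browser = profile.get("browser", set())
    prog = profile.get("programmatic", set())
    return {"browser_only": sorted(browser - prog),
            "programmatic_only": sorted(prog - browser)}

def misses(profile, required):
    """Client classes that a rule keyed on `required` headers (hypothetical rule) would not match."""
    return sorted(cls for cls, names in profile.items() if not set(required) <= names)

if __name__ == "__main__":
    profile = header_profile(SAMPLE_HTTP_LOG, {"api.llm.example"})
    print(header_diff(profile))
    print("missed by AUTHORIZATION rule:", misses(profile, {"AUTHORIZATION"}))
```
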