feat: improve Ollama LLM analyst for IoT vulnerability discovery

- Change default model to llama3.2:1b for faster responses
- Increase read timeout to 300s (connect stays 5s) to handle slow models
- Add explicit ReadTimeout handler with actionable error message
- Rewrite system prompt focused on IoT/embedded device analysis:
  plaintext protocols, credentials in clear, CVE patterns, firmware
  update mechanisms, beaconing and C2 indicators

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: CyberRoute

core/ollama_analyst.py

@@ -8,16 +8,19 @@
 from PySide6.QtCore import QThread, Signal  # pylint: disable=E0611
 
 OLLAMA_URL = "http://localhost:11434/api/generate"
-DEFAULT_MODEL = "deepseek-r1:1.5b"
+DEFAULT_MODEL = "llama3.2:1b"
 
-SYSTEM_PROMPT = """You are a network security analyst.
-You will be given a decoded network packet captured during a MITM session.
-Provide a concise analysis covering:
-- What protocol/service this traffic belongs to
-- What the two endpoints are doing
-- Any security-relevant observations (credentials, sensitive data, unusual behaviour)
-- A one-line risk assessment (Low / Medium / High)
-Keep the response short and factual. No preamble."""
+SYSTEM_PROMPT = """You are an IoT security researcher specialising in vulnerability discovery on embedded and smart devices.
+You will be given a decoded network packet captured during a MITM session against an IoT or specialised device.
+Analyse it and report concisely:
+- Device type / firmware fingerprint clues (banner, UA, protocol quirks)
+- Protocol and service in use — flag any plaintext, unencrypted, or legacy protocols (HTTP, Telnet, MQTT without TLS, CoAP, mDNS, UPnP, etc.)
+- Credentials, API keys, tokens, or sensitive data visible in the clear
+- Known CVE patterns or exploit primitives (default creds, unauthenticated endpoints, buffer-overflow indicators, command injection vectors)
+- Insecure update mechanisms or unverified firmware fetches
+- Unusual beaconing, C2 indicators, or data exfiltration patterns
+- One-line risk rating: Low / Medium / High / Critical — with a short justification
+Be specific and technical. No preamble. If nothing suspicious is found, say so briefly."""
 
 
 class OllamaThread(QThread):
@@ -54,7 +57,7 @@ def run(self):
         }
         try:
             with requests.post(
-                OLLAMA_URL, json=payload, stream=True, timeout=60
+                OLLAMA_URL, json=payload, stream=True, timeout=(5, 300)
             ) as resp:
                 resp.raise_for_status()
                 for line in resp.iter_lines():
@@ -67,6 +70,11 @@ def run(self):
                         break
         except requests.exceptions.ConnectionError:
             self.error.emit("Ollama not running — start it with: ollama serve")
+        except requests.exceptions.ReadTimeout:
+            self.error.emit(
+                f"Ollama timed out — model '{self.model}' is too slow or not loaded. "
+                "Try: ollama pull " + self.model
+            )
         except Exception as e:  # pylint: disable=broad-exception-caught
             self.error.emit(str(e))
         finally: