
Bro Hunter

Zeek + Suricata Threat Hunting Platform

Status: Active Development
Origin: Portfolio Project
Since: 2026.02
Stack: React 18, TypeScript, FastAPI, Python, TanStack Query, Recharts, Tailwind CSS, Vite, Pydantic
Open Source

Full-stack threat hunting platform on GitHub

430+ files
25K+ frontend LOC
21K+ backend LOC
59+ commits
30+ API routers
50+ components

Overview

Bro Hunter is a full-stack threat hunting platform that ingests Zeek network metadata and Suricata IDS alerts, applies explainable threat scoring with MITRE ATT&CK mapping, and provides SOC analysts with an interactive investigation workflow. Every detection includes a human-readable explanation of why it scored the way it did.

The platform operates in two modes: offline demo mode (bundled log files for portfolio demonstrations) and live operations mode (real-time ingest from production Zeek/Suricata sensors with incremental event streaming to the dashboard).
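The scoring idea in the overview, as an added example that is not Bro Hunter's own threat engine: each rule that fires contributes points, a plain-language reason and the ATT&CK technique it maps to, so the explanation is produced alongside the number rather than reconstructed afterwards. The signal names, weights, thresholds and severity bands below are assumptions chosen for illustration; the ATT&CK IDs are the public ones (T1071 Application Layer Protocol, T1071.004 DNS, T1568.002 Domain Generation Algorithms, T1046 Network Service Discovery).

```python
"""Explainable threat scoring with MITRE ATT&CK mapping.

Added example, not Bro Hunter's own threat engine: the signal names, weights,
thresholds and severity bands are assumptions chosen to illustrate the idea
that every point a host earns carries a reason and a technique ID.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Finding:
    reason: str      # human-readable explanation shown to the analyst
    points: int      # contribution to the host score
    technique: str   # MITRE ATT&CK technique ID the signal maps to


@dataclass
class HostScore:
    host: str
    score: int = 0
    findings: list[Finding] = field(default_factory=list)

    def techniques(self) -> list[str]:
        return sorted({f.technique for f in self.findings})

    def severity(self) -> str:
        # Bands are an assumption; tune them to the environment's base rate.
        if self.score >= 70:
            return "critical"
        if self.score >= 40:
            return "high"
        if self.score >= 15:
            return "medium"
        return "low"

    def explain(self) -> str:
        """Render the 'why' next to the number, highest contributor first."""
        lines = [f"{self.host}: score {self.score}/100 ({self.severity()})"]
        for f in sorted(self.findings, key=lambda f: -f.points):
            lines.append(f"  +{f.points:<3} {f.technique:<10} {f.reason}")
        if not self.findings:
            lines.append("  no scoring rules fired")
        return "\n".join(lines)


# Rule table: (signal name, predicate on its value, points, ATT&CK technique, reason).
# Signal names are assumed outputs of the analysis engines, not a real schema.
RULES = [
    ("beacon_cv", lambda v: v < 0.10, 35, "T1071",
     "near-constant check-in interval (coefficient of variation < 0.10)"),
    ("suricata_max_severity", lambda v: v == 1, 30, "T1071",
     "Suricata severity-1 alert on this host's traffic"),
    ("dga_ratio", lambda v: v > 0.30, 30, "T1568.002",
     "more than 30% of queried domains look algorithmically generated"),
    ("nxdomain_count", lambda v: v >= 100, 15, "T1568.002",
     "burst of NXDOMAIN answers consistent with DGA probing"),
    ("dns_txt_bytes", lambda v: v > 4096, 20, "T1071.004",
     "large TXT query volume consistent with DNS tunneling"),
    ("internal_ports_touched", lambda v: v >= 200, 25, "T1046",
     "many distinct internal ports contacted (scan/sweep)"),
]


def score_host(host: str, signals: dict[str, float]) -> HostScore:
    """Apply every rule whose signal is present; cap the total at 100."""
    result = HostScore(host)
    for signal, fired, points, technique, reason in RULES:
        value = signals.get(signal)
        if value is None:
            continue  # engine did not produce this signal: say nothing rather than guess
        if fired(value):
            result.findings.append(Finding(f"{reason} [{signal}={value}]", points, technique))
    result.score = min(100, sum(f.points for f in result.findings))
    return result


if __name__ == "__main__":
    # Constructed signal vectors, shaped like what per-host engines would emit.
    print(score_host("10.0.0.5", {"beacon_cv": 0.04, "dga_ratio": 0.55, "nxdomain_count": 150}).explain())
    print(score_host("10.0.0.7", {"beacon_cv": 0.62, "dga_ratio": 0.0, "nxdomain_count": 2}).explain())
```

A signal that an engine did not produce is skipped rather than treated as zero; a missing beacon score should not read as "no beaconing" in the explanation.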

Architecture

DATA SOURCES
  Zeek network metadata: connection logs, DNS queries, HTTP headers, TLS certificates, file hashes
  Suricata IDS/IPS alerts: EVE JSON alerts, signature matches, protocol anomalies
    |
    | log parsing + normalization
    v
ANALYSIS PIPELINE
  Ingest: Zeek/Suricata parsers
  Threat Engine: unified scoring + ATT&CK mapping
  Enrichment: MISP + Wazuh correlation
  API Layer: 30+ FastAPI routers
    |
    | REST + live event stream
    v
FRONTEND
  SOC Dashboard: real-time threat overview, heatmaps, score gauges
  Investigation Tools: session viewer, packet inspector, host deep dive
  Case Management: evidence collection, annotations, hypothesis tracking
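The "log parsing + normalization" step between the data sources and the pipeline, as an added example that is not the project's ingest code: a Zeek conn.log is tab-separated with `#`-prefixed header directives (`#fields` names the columns, `#unset_field` and `#empty_field` declare the placeholders), while Suricata EVE is one JSON object per line where only `event_type: alert` records carry a signature. Both are normalized to one event record with an epoch timestamp so they sort on a single timeline, and alerts are joined back to the Zeek connection that shares their 5-tuple. The log contents are constructed samples (the Suricata sid and signature text are placeholders, not a real rule), and the `Event` schema is an assumption.

```python
"""Ingest Zeek conn.log (TSV) and Suricata EVE JSON alerts into one event schema.

Added example: illustrative code, not Bro Hunter's own ingest module.
The log contents below are constructed samples, not real captures.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime
from typing import Iterator

# Constructed Zeek conn.log: tab-separated, '#'-prefixed header lines,
# '#fields' names the columns, '#unset_field' marks missing values.
ZEEK_CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\n"
    "1700000000.123456\tCAbc1\t10.0.0.5\t51234\t203.0.113.10\t443\ttcp\tssl\tSF\n"
    "1700000060.654321\tCAbc2\t10.0.0.5\t51240\t203.0.113.10\t443\ttcp\t-\tS0\n"
)

# Constructed Suricata EVE JSON (one object per line). The sid and signature
# text are placeholders, not a real ruleset entry. Non-alert records are skipped.
SURICATA_EVE = "\n".join([
    json.dumps({"timestamp": "2023-11-14T22:13:20.500000+0000", "event_type": "alert",
                "src_ip": "10.0.0.5", "src_port": 51234, "dest_ip": "203.0.113.10",
                "dest_port": 443, "proto": "TCP",
                "alert": {"signature": "LOCAL Example beacon check-in", "signature_id": 9000001,
                          "severity": 1, "category": "Malware Command and Control Activity Detected"}}),
    json.dumps({"timestamp": "2023-11-14T22:13:21.000000+0000", "event_type": "flow",
                "src_ip": "10.0.0.5", "dest_ip": "203.0.113.10", "proto": "TCP"}),
])


@dataclass(frozen=True)
class Event:
    ts: float          # epoch seconds, so both sources sort on one axis
    source: str        # "zeek" or "suricata"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    detail: str        # Zeek service name or Suricata signature text
    severity: int      # 0 for metadata; Suricata severity 1 (high) .. 4 (low)


def parse_zeek_tsv(text: str) -> Iterator[dict]:
    """Yield one dict per data row, honouring the file's own header directives."""
    fields, unset, empty = None, "-", "(empty)"
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            parts = line.split("\t")
            if parts[0] == "#fields":
                fields = parts[1:]
            elif parts[0] == "#unset_field":
                unset = parts[1]
            elif parts[0] == "#empty_field":
                empty = parts[1]
            continue
        if fields is None:
            raise ValueError("data row encountered before #fields header")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"expected {len(fields)} columns, got {len(values)}")
        yield {k: (None if v == unset else "" if v == empty else v)
               for k, v in zip(fields, values)}


def normalize_zeek_conn(row: dict) -> Event:
    return Event(ts=float(row["ts"]), source="zeek",
                 src_ip=row["id.orig_h"], src_port=int(row["id.orig_p"]),
                 dst_ip=row["id.resp_h"], dst_port=int(row["id.resp_p"]),
                 proto=row["proto"].lower(), detail=row["service"] or "unknown", severity=0)


def normalize_suricata(text: str) -> Iterator[Event]:
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_type") != "alert":
            continue
        ts = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z").timestamp()
        yield Event(ts=ts, source="suricata",
                    src_ip=rec["src_ip"], src_port=int(rec.get("src_port", 0)),
                    dst_ip=rec["dest_ip"], dst_port=int(rec.get("dest_port", 0)),
                    proto=rec["proto"].lower(), detail=rec["alert"]["signature"],
                    severity=int(rec["alert"]["severity"]))


def ingest(zeek_text: str, eve_text: str) -> list[Event]:
    """Merge both sources into one timeline ordered by timestamp."""
    events = [normalize_zeek_conn(r) for r in parse_zeek_tsv(zeek_text)]
    events.extend(normalize_suricata(eve_text))
    return sorted(events, key=lambda e: (e.ts, e.source))


def alerts_with_connection(events: list[Event]) -> list[tuple[Event, Event]]:
    """Pair each Suricata alert with the Zeek connection sharing its 5-tuple."""
    conns = {(e.src_ip, e.src_port, e.dst_ip, e.dst_port, e.proto): e
             for e in events if e.source == "zeek"}
    pairs = []
    for e in events:
        if e.source == "suricata":
            match = conns.get((e.src_ip, e.src_port, e.dst_ip, e.dst_port, e.proto))
            if match is not None:
                pairs.append((e, match))
    return pairs


if __name__ == "__main__":
    timeline = ingest(ZEEK_CONN_LOG, SURICATA_EVE)
    for ev in timeline:
        print(f"{ev.ts:.3f} {ev.source:8} {ev.src_ip}:{ev.src_port} -> {ev.dst_ip}:{ev.dst_port} {ev.detail}")
    for alert, conn in alerts_with_connection(timeline):
        print(f"alert '{alert.detail}' matches Zeek {conn.detail} connection to {conn.dst_ip}:{conn.dst_port}")
```

Reading the placeholder strings from the header instead of hard-coding `-` matters in practice: Zeek deployments can change `#unset_field`, and a parser that assumes the default silently turns the placeholder into a value.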

Analysis Engines

📡 Beacon Analyzer

Detects C2 beaconing patterns using interval regularity, jitter analysis, and payload consistency scoring
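The three signals named above (interval regularity, jitter, payload consistency), as an added example that is not Bro Hunter's Beacon Analyzer: connections are grouped per (orig_h, resp_h, resp_p), the coefficient of variation of the inter-connection intervals gives regularity, the standard deviation of those intervals is the absolute jitter, and the coefficient of variation of `orig_bytes` gives payload consistency. The conn records are constructed (a synthetic 60-second beacon with a few seconds of jitter beside synthetic browsing), and the weights and the 0.8 threshold are assumptions.

```python
"""Beacon candidate scoring from Zeek conn records: interval regularity,
jitter and payload consistency per (orig_h, resp_h, resp_p) pair.

Added example, not Bro Hunter's Beacon Analyzer. Records, thresholds and the
weighting of the two sub-scores are assumptions for illustration.
"""
from __future__ import annotations

import statistics
from collections import defaultdict

# Deterministic jitter pattern so the sample is reproducible without `random`.
JITTER_PATTERN = [0.0, 2.0, -1.5, 3.0, -2.0, 1.0, -0.5, 2.5]


def synth_beacon(n: int = 20, period: float = 60.0) -> list[tuple]:
    """Constructed check-ins every ~60 s with a few seconds of jitter, fixed size.
    Tuple layout: (ts, orig_h, resp_h, resp_p, orig_bytes)."""
    recs, t = [], 1700000000.0
    for i in range(n):
        t += period + JITTER_PATTERN[i % len(JITTER_PATTERN)]
        recs.append((t, "10.0.0.5", "203.0.113.10", 443, 312))
    return recs


def synth_browsing() -> list[tuple]:
    """Constructed human browsing: bursty intervals and widely varying sizes."""
    gaps = [3, 40, 0.5, 120, 7, 300, 1, 15, 60, 2, 500, 9, 0.2, 45, 30]
    sizes = [512, 2048, 128, 10240, 900, 77, 4096, 256, 1500, 64, 8000, 300, 33, 700, 2200, 150]
    recs, t = [(1700000000.0, "10.0.0.7", "198.51.100.20", 443, sizes[0])], 1700000000.0
    for gap, size in zip(gaps, sizes[1:]):
        t += gap
        recs.append((t, "10.0.0.7", "198.51.100.20", 443, size))
    return recs


def analyze_pair(conns: list[tuple], min_conns: int = 8) -> dict | None:
    """Score one pair; None when there are too few connections to judge."""
    if len(conns) < min_conns:
        return None
    times = sorted(c[0] for c in conns)
    intervals = [b - a for a, b in zip(times, times[1:])]
    mean_iv = statistics.mean(intervals)
    if mean_iv <= 0:
        return None
    cv = statistics.pstdev(intervals) / mean_iv          # jitter relative to the period
    regularity = max(0.0, 1.0 - cv)                       # 1.0 = metronome, 0 = noise
    sizes = [c[4] for c in conns]
    mean_sz = statistics.mean(sizes)
    size_cv = statistics.pstdev(sizes) / mean_sz if mean_sz > 0 else 0.0
    consistency = max(0.0, 1.0 - size_cv)                 # 1.0 = identical payloads
    return {
        "connections": len(conns),
        "mean_interval_s": round(mean_iv, 2),
        "interval_cv": round(cv, 3),
        "jitter_s": round(statistics.pstdev(intervals), 2),
        "payload_consistency": round(consistency, 3),
        "beacon_score": round(0.6 * regularity + 0.4 * consistency, 3),
    }


def find_beacons(conns: list[tuple], threshold: float = 0.8) -> list[tuple[tuple, dict]]:
    """Group by (orig_h, resp_h, resp_p) and return pairs scoring at or above threshold."""
    groups = defaultdict(list)
    for c in conns:
        groups[(c[1], c[2], c[3])].append(c)
    hits = []
    for key, group in groups.items():
        result = analyze_pair(group)
        if result and result["beacon_score"] >= threshold:
            hits.append((key, result))
    return sorted(hits, key=lambda kv: -kv[1]["beacon_score"])


if __name__ == "__main__":
    for key, res in find_beacons(synth_beacon() + synth_browsing()):
        print(key, res)
```

The minimum-connection floor is the important guard: two or three connections at similar spacing produce a near-zero coefficient of variation by accident, so a pair is only scored once there are enough intervals for the statistic to mean anything.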

🔍 DNS Threat Engine

DGA entropy detection, tunneling analysis, fast-flux identification, and NXDOMAIN pattern matching
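DGA entropy, NXDOMAIN patterns and the shape of tunneling traffic, as an added example that is not Bro Hunter's DNS Threat Engine. It works over constructed Zeek dns.log rows: the registrable label of each query is scored with Shannon entropy (high-entropy, long or digit-heavy labels are the classic DGA shape), each host gets an NXDOMAIN ratio and a DGA ratio, and a registered domain that receives many distinct, long subdomains is flagged as tunneling-shaped. The thresholds are assumptions, and the registered-domain split uses a small second-level list instead of the public suffix list, which a real engine should use.

```python
"""DNS threat signals from Zeek dns.log rows: DGA-style labels by Shannon
entropy, NXDOMAIN ratio per host, and tunnelling-shaped subdomains.

Added example, not Bro Hunter's DNS Threat Engine. The rows are constructed,
the thresholds are assumptions, and registered-domain splitting uses a tiny
second-level list rather than the public suffix list.
"""
from __future__ import annotations

import math
import statistics
from collections import Counter, defaultdict

# Constructed dns.log rows: (ts, id.orig_h, query, qtype_name, rcode_name).
# 10.0.0.5 churns through DGA-looking names (one resolves), then sends long
# base64-looking TXT queries under one domain; 10.0.0.7 is an ordinary client.
DNS_LOG = [
    (1700000001.0, "10.0.0.5", "xk3j9qz7rplm2vb.net", "A", "NXDOMAIN"),
    (1700000002.0, "10.0.0.5", "qw8zr4tyn1mkd6h.com", "A", "NXDOMAIN"),
    (1700000003.0, "10.0.0.5", "pl0vbx3sq9rtw7e.org", "A", "NXDOMAIN"),
    (1700000004.0, "10.0.0.5", "zm5kd2rhq8nv4jx.net", "A", "NXDOMAIN"),
    (1700000005.0, "10.0.0.5", "gy7wq1tbn3zsk9m.com", "A", "NXDOMAIN"),
    (1700000006.0, "10.0.0.5", "hv2rx8pl5nwq0cd.info", "A", "NOERROR"),
    (1700000007.0, "10.0.0.5", "www.wikipedia.org", "A", "NOERROR"),
    (1700000008.0, "10.0.0.5", "mail.example.com", "A", "NOERROR"),
    (1700000009.0, "10.0.0.5", "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3QgbWVzc2FnZQ.tun.example.net", "TXT", "NOERROR"),
    (1700000010.0, "10.0.0.5", "c2VuZCBtZSB0aGUgc2VjcmV0IGRhdGEgbm93IHBsZWFzZQ.tun.example.net", "TXT", "NOERROR"),
    (1700000011.0, "10.0.0.5", "dGhpcyBpcyBhbm90aGVyIGNodW5rIG9mIGV4ZmlsIGRhdGE.tun.example.net", "TXT", "NOERROR"),
    (1700000012.0, "10.0.0.7", "www.wikipedia.org", "A", "NOERROR"),
    (1700000013.0, "10.0.0.7", "cdn.example.com", "AAAA", "NOERROR"),
    (1700000014.0, "10.0.0.7", "typo.exmaple.com", "A", "NXDOMAIN"),
]

# Simplification: a real engine should consult the public suffix list.
SECOND_LEVEL = {"co", "com", "net", "org", "ac", "gov", "edu"}


def split_domain(name: str) -> tuple[str, str]:
    """Return (registered domain, subdomain prefix)."""
    parts = name.rstrip(".").lower().split(".")
    n = 3 if len(parts) >= 3 and parts[-2] in SECOND_LEVEL else 2
    n = min(n, len(parts))
    return ".".join(parts[-n:]), ".".join(parts[:-n])


def shannon_entropy(s: str) -> float:
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def is_dga_like(name: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """High-entropy or digit-heavy registrable label: the classic DGA shape.
    Short brand names ('wikipedia') stay well below both thresholds."""
    label = split_domain(name)[0].split(".")[0]
    if not label:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return (len(label) >= min_len and shannon_entropy(label) >= min_entropy) or \
           (len(label) >= 8 and digit_ratio >= 0.3)


def analyze_host_dns(rows: list[tuple], host: str,
                     tunnel_min_unique: int = 3, tunnel_min_len: int = 30) -> dict:
    """Per-host NXDOMAIN ratio, DGA ratio, and domains receiving tunnel-shaped subdomains."""
    mine = [r for r in rows if r[1] == host]
    total = len(mine)
    nx = sum(1 for r in mine if r[4] == "NXDOMAIN")
    dga = sum(1 for r in mine if is_dga_like(r[2]))
    subs = defaultdict(set)          # registered domain -> distinct subdomain prefixes
    for r in mine:
        reg, sub = split_domain(r[2])
        if sub:
            subs[reg].add(sub)
    tunnel = sorted(reg for reg, s in subs.items()
                    if len(s) >= tunnel_min_unique
                    and statistics.mean([len(x) for x in s]) >= tunnel_min_len)
    return {"host": host, "queries": total,
            "nxdomain_ratio": nx / total if total else 0.0,
            "dga_ratio": dga / total if total else 0.0,
            "tunnel_domains": tunnel}


if __name__ == "__main__":
    for h in sorted({r[1] for r in DNS_LOG}):
        print(analyze_host_dns(DNS_LOG, h))
```

The one DGA-looking name that returns NOERROR is the interesting row for an analyst: a host that fails on most of its generated names and succeeds on one has most likely found its live C2 domain, so the NXDOMAIN ratio and the DGA ratio are worth more together than either alone.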

🌐 HTTP Analysis

User-agent anomaly detection, URI pattern analysis, header fingerprinting, and exfiltration indicators

🔐 TLS Intelligence

Certificate chain validation, JA3/JA3S fingerprinting, expired cert detection, self-signed identification

↔️ Lateral Movement

Internal scan detection, port sweep analysis, east-west traffic anomalies, credential abuse patterns
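The scan and sweep part of the description above, as an added example that is not Bro Hunter's Lateral Movement engine: east-west traffic is selected by restricting both endpoints to RFC 1918 space (an assumption standing in for a configured home-net list), a source that touches many distinct ports on one internal host is a vertical scan, and a source that touches one port on many internal hosts is a sweep; the share of Zeek conn_state values that indicate no useful reply (S0, REJ, RSTOS0) is reported alongside. The records and the thresholds are constructed; credential-abuse patterns are not covered here.

```python
"""East-west scan and sweep detection over Zeek conn records.

Added example, not Bro Hunter's Lateral Movement engine. The records are
constructed and the thresholds are assumptions; only the scan/sweep part of
the engine's description is shown here.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Assumption: "internal" means RFC 1918. A deployment would configure its own
# home networks instead (ipaddress.is_private also covers documentation ranges
# such as 203.0.113.0/24, which is why it is not used here).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Zeek conn_state values meaning the connection never got a useful reply:
# S0 = SYN seen, no answer; REJ = rejected with RST; RSTOS0 = SYN then originator RST.
FAILED_STATES = {"S0", "REJ", "RSTOS0"}


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def synth_conns() -> list[dict]:
    """Constructed conn records: one scanner, one normal host, one external flow."""
    recs = []
    # 10.0.0.9 probes 30 ports on a single internal target (vertical scan, no replies)
    for port in range(1, 31):
        recs.append({"src": "10.0.0.9", "dst": "10.0.1.20", "dport": port, "state": "S0"})
    # 10.0.0.9 also tries SMB on 15 internal hosts (horizontal sweep, rejected)
    for i in range(1, 16):
        recs.append({"src": "10.0.0.9", "dst": f"10.0.1.{i}", "dport": 445, "state": "REJ"})
    # 10.0.0.5 does ordinary things: one file share, one external HTTPS site
    for _ in range(5):
        recs.append({"src": "10.0.0.5", "dst": "10.0.1.50", "dport": 445, "state": "SF"})
    recs.append({"src": "10.0.0.5", "dst": "203.0.113.10", "dport": 443, "state": "SF"})
    return recs


def detect_east_west_scans(conns: list[dict], scan_ports: int = 20,
                           sweep_hosts: int = 10) -> list[dict]:
    """Flag internal sources touching many ports on one host or one port on many hosts."""
    ports_per_target = defaultdict(set)   # (src, dst) -> distinct destination ports
    hosts_per_port = defaultdict(set)     # (src, dport) -> distinct destination hosts
    total = defaultdict(int)
    failed = defaultdict(int)
    for c in conns:
        if not (is_internal(c["src"]) and is_internal(c["dst"])):
            continue                      # east-west only; north-south belongs elsewhere
        total[c["src"]] += 1
        if c["state"] in FAILED_STATES:
            failed[c["src"]] += 1
        ports_per_target[(c["src"], c["dst"])].add(c["dport"])
        hosts_per_port[(c["src"], c["dport"])].add(c["dst"])

    findings = []
    for (src, dst), ports in ports_per_target.items():
        if len(ports) >= scan_ports:
            findings.append({"type": "port_scan", "src": src, "target": dst,
                             "distinct_ports": len(ports),
                             "failed_ratio": round(failed[src] / total[src], 2),
                             "technique": "T1046"})
    for (src, dport), hosts in hosts_per_port.items():
        if len(hosts) >= sweep_hosts:
            findings.append({"type": "port_sweep", "src": src, "port": dport,
                             "distinct_hosts": len(hosts),
                             "failed_ratio": round(failed[src] / total[src], 2),
                             "technique": "T1046"})
    return sorted(findings, key=lambda f: (f["src"], f["type"]))


if __name__ == "__main__":
    for finding in detect_east_west_scans(synth_conns()):
        print(finding)
```

The failed-connection ratio is what separates a scanner from a busy legitimate host such as a vulnerability scanner or a monitoring server; in practice both would trip the port counts and the ratio (plus an allowlist) is what keeps the analyst's queue sane.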

🔗 Session Reconstructor

Full connection timeline reconstruction with packet-level detail and flow correlation

SOC Integrations

Bro Hunter integrates with the broader SOC stack, exporting findings to case management platforms and enriching detections against threat intelligence feeds.

TheHive Case Export

Export threat findings as TheHive cases with observables, TLP marking, and severity mapping

Wazuh IOC Correlation

Cross-reference detected IOCs against Wazuh agent alerts for host-level correlation

MISP Enrichment

Enrich IPs, domains, and hashes against MISP threat intelligence feeds

Webhooks Notifications

Configurable webhook delivery for alerts, with history tracking and test capability

API Surface

The FastAPI backend exposes 30+ routers covering the full threat hunting workflow. All endpoints include auto-generated OpenAPI documentation.

Core Analysis

logs, ingest, hunt, dns_threat, analysis, search

Detection & Rules

rules, sigma, baseline, anomalies, hosts

Investigation

cases, hypotheses, annotations, sessions, packets

Protocol Analysis

tls, http_analysis, lateral, intel

Operations

live_ops, integrations, webhooks, reports, trends, analytics, capture

Technical Decisions

FastAPI over Flask: async by default, Pydantic validation, auto-generated OpenAPI docs. Essential for concurrent log processing.
React 18 + TanStack Query: server state management with automatic cache invalidation. Live refresh without hand-written polling logic.
Recharts over D3: charting components built for React, with far less boilerplate. D3 is overkill for dashboard charts.
5 theme variants: built during the design phase to find the right SOC aesthetic. V3 (professional light) became the primary.
Offline-first demo mode: loads bundled log files so the platform works without a live network. Critical for portfolio demos.
xhtml2pdf for reports: server-side PDF generation from HTML templates. No browser dependency for report export.
Sigma rule import: industry-standard detection format. Import existing community rules instead of writing from scratch.

Development Timeline

Phase 1 Core Platform ✓ completed
  Zeek/Suricata ingest, threat scoring engine, beacon detection, DNS analysis, 5 UI theme variants
Phase 2 SOC Dashboard ✓ completed
  Professional dashboard, light/dark themes, mobile responsive, demo data mode
Phase 3 Forensics & Cases ✓ completed
  Case management, analyst annotations, hunt hypotheses, evidence timeline
Phase 4 Detection Rules ✓ completed
  Custom rule builder, Sigma import, rule testing, baseline management
Phase 5 Reporting & Workflow ✓ completed
  PDF/HTML/JSON reports, report history, analyst workflow wizard, host ranking + deep dive
Phase 6 Detection Depth ✓ completed
  HTTP analysis, TLS intelligence, lateral movement, trend tracking
Phase 7 Integrations ✓ completed
  TheHive case export, Wazuh IOC correlation, MISP enrichment, webhook management
Phase 8 Live Operations ✓ completed
  Live Zeek ingest, live Suricata ingest, incremental event feed, dashboard auto-refresh
Phase 9 Agent Integration ○ pending
  MCP server wrapper, live Zeek tailing, multi-sensor support, collaborative workflows