Bro Hunter: Network Threat Hunting Platform

[+] Status: Complete [+] Origin: Portfolio Project [+] Date: 2026.01
>> TECH_STACK:
[React][TypeScript][Tailwind CSS][Zustand][Vite]

Bro Hunter is a network threat hunting platform built for analyzing Zeek and Suricata log pipelines. It gives analysts a focused workspace to detect stealthy command-and-control activity, investigate suspicious DNS behavior, and pivot from detection output into raw telemetry. Core workflows combine statistical beaconing analytics, entropy-driven DNS anomaly checks, and MITRE ATT&CK technique mapping.

The platform is designed for practical SOC hunting, not static reporting. Analysts can run guided hunt playbooks, inspect parsed conn.log and dns.log records in a searchable log viewer, and correlate findings across multiple detections before triage. This approach improves detection depth for behaviors that often evade pure signature coverage, including low-and-slow HTTPS beaconing and DGA-driven DNS infrastructure.

Open Source

Threat hunting platform for Zeek and Suricata log analysis

Threat hunting frontend focused on detection workflows, telemetry analysis, and analyst usability:

React + TypeScript
Component Framework

Component architecture with type-safe log parsing and analysis models for Zeek and Suricata telemetry

Zustand
State Management

Lightweight state management for hunt sessions, filter state, playbook progress, and analysis results

Tailwind CSS
Styling

Dark-first SOC-appropriate design with status color semantics and data-dense layouts for analyst workflows

Vite
Build Tooling

Fast hot module replacement for iterative development of complex detection interfaces and data visualization components

Detection Algorithm: Statistical Beaconing Detection
Problem: Signature-based IDS cannot detect C2 beacons that use legitimate protocols and vary their timing slightly.
Solution: Built a statistical analyzer that processes Zeek conn.log entries, groups connections by destination, and calculates interval consistency scores and jitter metrics. Connections with high regularity scores and low jitter relative to the mean interval are flagged as potential beacons.
Result: Catches C2 callbacks that Suricata signatures miss entirely, especially encrypted beacons over HTTPS.
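The interval-regularity scoring described above, as an added TypeScript example that is not Bro Hunter's own code: it groups conn.log-style records by source/destination, computes the coefficient of variation of the inter-connection intervals as the jitter metric, and flags low-jitter groups. The record shape, the thresholds, and the sample addresses are assumptions made for the example.

```typescript
// Added example, not Bro Hunter's own code. Field names follow Zeek conn.log
// (ts, id.orig_h, id.resp_h, id.resp_p); thresholds are illustrative only.
interface ConnRecord {
  ts: number;     // epoch seconds, conn.log "ts"
  orig_h: string; // id.orig_h
  resp_h: string; // id.resp_h
  resp_p: number; // id.resp_p
}

interface BeaconScore {
  key: string;          // "orig_h -> resp_h:resp_p"
  count: number;        // connections in the group
  meanInterval: number; // mean seconds between consecutive connections
  jitter: number;       // stddev / mean of intervals (coefficient of variation)
  regularity: number;   // 1 / (1 + jitter); 1.0 means perfectly periodic
}

// Group connections by source/destination pair and score interval regularity.
function scoreBeacons(records: ConnRecord[], minConnections = 6): BeaconScore[] {
  const groups: Record<string, number[]> = {};
  for (const r of records) {
    const key = `${r.orig_h} -> ${r.resp_h}:${r.resp_p}`;
    (groups[key] = groups[key] || []).push(r.ts);
  }
  const scores: BeaconScore[] = [];
  for (const key of Object.keys(groups)) {
    const times = groups[key].slice().sort((a, b) => a - b);
    if (times.length < minConnections) continue; // too few samples to judge
    const intervals = times.slice(1).map((t, i) => t - times[i]);
    const mean = intervals.reduce((s, x) => s + x, 0) / intervals.length;
    const variance = intervals.reduce((s, x) => s + (x - mean) * (x - mean), 0) / intervals.length;
    // Duplicate timestamps give mean 0; treat that as "no interval" rather than divide by zero.
    const jitter = mean > 0 ? Math.sqrt(variance) / mean : Infinity;
    scores.push({ key, count: times.length, meanInterval: mean, jitter, regularity: 1 / (1 + jitter) });
  }
  return scores.sort((a, b) => b.regularity - a.regularity);
}

// Flag groups whose jitter is small relative to the mean interval.
function flagBeacons(scores: BeaconScore[], maxJitter = 0.2): BeaconScore[] {
  return scores.filter((s) => s.jitter <= maxJitter);
}

// Constructed sample: a ~60 s callback with a few seconds of drift, plus bursty browsing.
const base = 1700000000;
const sampleConns: ConnRecord[] = [
  ...[0, 60, 121, 180, 242, 299, 360, 421].map((o) => ({ ts: base + o, orig_h: "10.0.0.5", resp_h: "203.0.113.7", resp_p: 443 })),
  ...[0, 3, 45, 50, 400, 401, 900, 1500].map((o) => ({ ts: base + o, orig_h: "10.0.0.5", resp_h: "198.51.100.20", resp_p: 443 })),
];
const flaggedBeacons = flagBeacons(scoreBeacons(sampleConns));
```

On the constructed sample only the 203.0.113.7:443 group survives the jitter threshold; the browsing group has a coefficient of variation above 1 and is dropped.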
Analysis: DGA Domain Detection via Entropy Scoring
Problem: Domain Generation Algorithms produce random-looking domains that bypass static blocklists, and analysts cannot manually review thousands of DNS queries.
Solution: Calculates the Shannon entropy of each queried domain name. High-entropy names above 3.5 bits per character with no matching Alexa or Tranco top-1M entry are flagged. This is combined with subdomain length analysis to catch DNS tunneling payloads.
Result: Automated detection of algorithmically generated domains reduces analyst review time from hours to seconds.
Workflow: Guided Hunt Playbooks
Problem: Junior analysts lack the experience to know which log fields to examine, and in what order, when investigating network anomalies.
Solution: Created step-by-step playbooks that chain analysis tools together. The Find C2 Beacons playbook runs beaconing detection, cross-references flagged IPs against threat intelligence, checks for matching Suricata alerts, and generates a summary report.
Result: Standardizes threat hunting methodology across skill levels while teaching analysts the investigation logic.
Threat Hunting
  • Beaconing detection
  • C2 identification
  • DNS analysis
  • Log correlation
Network Analysis
  • Zeek log parsing
  • Protocol metadata
  • Connection patterns
  • Traffic baselines
Detection Engineering
  • Statistical analysis
  • Entropy scoring
  • Jitter calculation
  • Threshold tuning
MITRE ATT&CK
  • Technique mapping
  • Tactic classification
  • Detection coverage
  • Gap analysis
Complete
  • Statistical C2 beaconing detection on Zeek conn.log
  • DNS anomaly analysis with entropy and tunneling indicators
  • MITRE ATT&CK technique mapping for hunt findings
  • Searchable log viewer for Zeek and Suricata telemetry
  • Guided hunt playbooks for repeatable investigations
  • SOC-focused UI built with React, TypeScript, and Tailwind CSS