VERVET v0.1

See the threats hiding in your logs.

Vervet reads your Zeek and Suricata logs and tells you which hosts are compromised and why. Beacons, DNS tunneling, lateral movement, scored per host with the evidence chain and the MITRE ATT&CK techniques behind it.

Open source. Apache-2.0. Runs on your hardware. Reads your logs, never touches your network.

vervet :: analysis :: host 192.0.2.31
$ vervet analyze ./logs
(zeek + suricata) loaded 2,534 conns · 25 dns · 6 alerts

HOST 192.0.2.31    HIGH    score 87
  - beacon -> 203.0.113.50:443    interval 60.0s    jitter 1.2%    120 callbacks
  - dns tunneling    base32 subdomains    entropy 4.1
  mitre  T1071.001 Web Protocols · T1071.004 DNS
  why    regular fixed-interval C2 callbacks; high-entropy DNS used as a covert channel

How it works

Ingest. Detect. Explain.

01 / INGEST

Logs you already collect

Point Vervet at a directory of Zeek logs (conn, dns, http, ssl) and Suricata eve.json. It parses both into one model. Nothing is captured live; nothing is sent to your devices.

02 / DETECT

Purpose-built engines

Beaconing, DNS tunneling and DGA, fast-flux, lateral movement, long-lived connections, and Suricata alerts, each scored and folded into one per-host risk number.

03 / EXPLAIN

Evidence, not a black box

Every flagged host comes with the reasoning chain that produced its score and the MITRE ATT&CK techniques it maps to. Promote to a case, export IOCs, push to TheHive.

What it finds

Detection built for hunters.

Beaconing / C2

Periodic callbacks scored by interval regularity, jitter, and data-size consistency. The signature hunt RITA and AC-Hunter are known for, on Zeek and Suricata.
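A constructed illustration of the interval-regularity, jitter and size-consistency scoring described above, written for this page rather than taken from Vervet's code. It assumes Zeek conn.log in JSON output format, uses made-up traffic, and the 0-100 weighting is my own choice (Vervet's actual weights are not stated on the page):

```python
import json
import math
from collections import defaultdict

# Constructed Zeek conn.log records in JSON output format (not real traffic).
# 10.0.0.5 calls 203.0.113.50:443 every 60 s (+/-0.5 s) with same-sized requests;
# 10.0.0.9 talks to 198.51.100.7:443 at irregular times with varying sizes.
CONN_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + 60 * i + (0.5 if i % 2 else -0.5),
                 "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.50",
                 "id.resp_p": 443, "orig_bytes": 312}) for i in range(13)]
    + [json.dumps({"ts": t, "id.orig_h": "10.0.0.9", "id.resp_h": "198.51.100.7",
                   "id.resp_p": 443, "orig_bytes": b})
       for t, b in zip([1700000003, 1700000010, 1700000200, 1700000205,
                        1700000890, 1700001400, 1700001402, 1700003000],
                       [900, 15000, 420, 8000, 2300, 77, 5000, 300])]
)

def parse_conn_log(text):
    """Group (timestamp, orig_bytes) per (src, dst, port) from JSON conn.log lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            key = (rec["id.orig_h"], rec["id.resp_h"], rec["id.resp_p"])
            flows[key].append((float(rec["ts"]), rec.get("orig_bytes") or 0))
    return flows

def coeff_var(values):
    """Standard deviation divided by mean; 0 when the mean is 0."""
    mean = sum(values) / len(values)
    if mean == 0:
        return 0.0
    return math.sqrt(sum((v - mean) ** 2 for v in values) / len(values)) / mean

def score_beacons(flows, min_callbacks=8):
    """Score flows 0-100: low interval jitter and consistent sizes score high (my weighting)."""
    results = []
    for (src, dst, port), events in flows.items():
        if len(events) < min_callbacks:      # too few callbacks to judge periodicity
            continue
        events.sort()
        ts = [t for t, _ in events]
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        jitter = coeff_var(intervals)                 # ~0 for metronome-like callbacks
        size_cv = coeff_var([b for _, b in events])   # ~0 for same-sized check-ins
        score = round(100 * (0.6 * max(0.0, 1 - jitter) + 0.4 * max(0.0, 1 - size_cv)))
        results.append({"src": src, "dst": f"{dst}:{port}", "callbacks": len(ts),
                        "interval": round(sum(intervals) / len(intervals), 1),
                        "jitter_pct": round(100 * jitter, 1), "score": score})
    return sorted(results, key=lambda r: -r["score"])

if __name__ == "__main__":
    for r in score_beacons(parse_conn_log(CONN_LOG)):
        print(r)
```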

DNS threats

Tunneling by subdomain entropy and oversized records, DGA domains by lexical analysis, and fast-flux infrastructure rotating through IPs.

Lateral movement

Internal-to-internal connection patterns that suggest an attacker pivoting deeper into the network after the initial foothold.

Explainable scoring

One deterministic 0-100 risk score per host with the exact signals that raised it. No opaque model, no "trust us", you can read every point.

MITRE ATT&CK

Every detection maps to techniques and tactics, consolidated per host, so you can speak the same language as the rest of your SOC.

Case workflow

Promote findings to cases, export IOCs, push to TheHive, correlate against Wazuh, or enrich from MISP. A web UI and a REST API, in one container.

Inputs

Speaks both sensors.

Zeek conn.log
Zeek dns.log
Zeek http / ssl / x509
Zeek notice.log
Suricata eve.json
Suricata alerts

Works offline on archived logs. No live tap, no agent on the sensor, no streaming pipeline required.

Different threats deserve different alarms.

The vervet monkey is famous for one thing: it gives a different alarm call for an eagle, a snake, and a leopard, so the troop knows exactly what is coming and how to react. Most log tooling gives you one undifferentiated stream of noise.

Vervet classifies what it finds (a beacon is not a DGA, and neither is lateral movement), scores it, and tells you the technique behind it. And it earns trust the way a good sensor should: it reads the logs you already have and never touches your network.

Quickstart

One command to a populated dashboard.

$ git clone https://github.com/solomonneas/vervet.git
$ cd vervet && docker compose up -d --build
# open http://localhost:8000  - demo data is seeded on startup

# point it at your own logs instead:
$ docker compose run --rm -e VERVET_DEMO_MODE=false -v /var/log/zeek:/logs:ro vervet

Apache-2.0. Source, demo, and issues on GitHub.