Flare is a Python-based analytical framework designed to detect malicious network behavior through traffic and behavioral analytics.
An analytical framework for network traffic and behavioral analytics
Flare is primarily used by data scientists, security researchers, and network professionals to monitor network traffic, detect intrusion attempts, and hunt for threats by identifying patterns such as beaconing and command and control activity. It simplifies the process of behavioral analytics and integrates with tools like Suricata and Elasticsearch for enhanced network security monitoring.
Flare requires Python 2.7 or Python 3, and needs Elasticsearch and/or Suricata for full functionality. If Elasticsearch runs on a remote host, make port 9200 reachable (for example by port forwarding). Passing options through a configuration file on the command line is recommended for ease of use and reproducibility.
Ensure Python 2.7 or Python 3 is installed
Run sudo pip install -r requirements.txt to install dependencies
Run python setup.py install to install Flare
flare_beacon -c /path/to/flare/config/elasticsearch.ini --focus_outbound --whois -json /tmp/flare.json
Run Flare beaconing detection using a configuration file with outbound focus and WHOIS lookup, outputting results in JSON format.
flare_beacon --whois --focus_outbound -mo=100 --csv_out=beacon_results.csv
Generate beaconing detection results with WHOIS lookup and outbound focus, outputting as a CSV file.
flare_beacon --group --whois --focus_outbound -c configs/elasticsearch.ini -html beacons.html
Run grouped beaconing analysis with WHOIS and outbound focus, outputting results in an HTML report.
from flare.analytics.command_control import elasticBeacon
# Connect to the Elasticsearch instance holding the flow data
eb = elasticBeacon(es_host='localhost')
# Group results and restrict the search to outbound (internal -> external) traffic
beacons = eb.find_beacons(group=True, focus_outbound=True)
Python code snippet to connect to Elasticsearch and identify periodic beaconing activity programmatically.
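The snippet above relies on Flare's Elasticsearch integration. To show what "periodic beaconing" means in data terms, the following is an added stand-alone example (not Flare's own code, and not its algorithm): it groups constructed flow records by source, destination and port, computes the inter-connection intervals, and flags pairs whose intervals are nearly constant (low coefficient of variation). It also mirrors the --focus_outbound idea by keeping only RFC 1918 source to non-RFC 1918 destination pairs; the threshold values and the record format are assumptions chosen for the illustration.

```python
"""Toy beaconing detector over constructed connection records.

Added illustration of the periodic check-in pattern that beaconing
detection looks for. This is not Flare's implementation; Flare works
on Elasticsearch/Suricata data. All sample records are constructed.
"""
import ipaddress
import statistics
from collections import defaultdict

BASE = 1700000000  # constructed epoch base for the sample records

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port).
SAMPLE_FLOWS = (
    # Host checking in roughly every 60 s with slight jitter: beacon-like.
    [(BASE + t, "10.0.0.5", "203.0.113.10", 443)
     for t in (0, 60, 119, 181, 240, 301, 359, 420)]
    # Same host polling an internal resolver every 60 s: periodic, but not outbound.
    + [(BASE + t, "10.0.0.5", "10.0.0.1", 53)
       for t in (0, 60, 120, 180, 240, 300, 360, 420)]
    # Host whose connections follow irregular, human-driven timing.
    + [(BASE + t, "10.0.0.7", "198.51.100.20", 443)
       for t in (10, 45, 445, 462, 1412, 1532, 4532, 4537)]
    # Too few connections to judge periodicity at all.
    + [(BASE + t, "10.0.0.9", "192.0.2.30", 80) for t in (5, 65, 125)]
)

# RFC 1918 ranges checked explicitly; ipaddress.is_private would also
# treat the documentation ranges used above (203.0.113.0/24 etc.) as private.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls in an RFC 1918 range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def interval_stats(timestamps):
    """Return (mean, population stdev) of the gaps between sorted timestamps."""
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    return statistics.mean(intervals), statistics.pstdev(intervals)


def find_beacons(flows, min_connections=6, max_cv=0.1, focus_outbound=True):
    """Flag (src, dst, port) tuples whose connection intervals are near-constant.

    max_cv is the largest allowed coefficient of variation (stdev / mean) of
    the inter-connection intervals; 0.1 is an assumed illustrative threshold.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        if focus_outbound and not (is_internal(src) and not is_internal(dst)):
            continue
        groups[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), times in groups.items():
        if len(times) < min_connections:
            continue
        mean, stdev = interval_stats(times)
        if mean <= 0:
            continue
        cv = stdev / mean
        if cv <= max_cv:
            results.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "mean_interval": round(mean, 1),
                "cv": round(cv, 3),
            })
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print("{src} -> {dst}:{port} every ~{mean_interval}s "
              "({connections} connections, cv={cv})".format(**hit))
```

With the defaults only the 10.0.0.5 to 203.0.113.10 pair is reported; calling find_beacons(SAMPLE_FLOWS, focus_outbound=False) also surfaces the internal DNS polling, which is why restricting to outbound traffic cuts noise from legitimate periodic internal services.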
from flare.tools.alexa import Alexa
# Load the top one million Alexa domains
alexa = Alexa(limit=1000000)
print(alexa.domain_in_alexa('google.com'))
Check if a domain is in the Alexa top domains list.
from flare.tools.whoisip import WhoisLookup
whois = WhoisLookup()
print(whois.get_name_by_ip('8.8.8.8'))
Perform WHOIS lookup to identify the owner of a public IP address.
from flare.data_science.features import dga_classifier
dga_c = dga_classifier()
print(dga_c.predict('facebook'))
Use a pre-built classifier to predict if a domain is legitimate or generated by a domain generation algorithm (DGA).