{"id":13453662,"url":"https://github.com/austin-taylor/flare","last_synced_at":"2025-04-05T21:07:41.117Z","repository":{"id":20214177,"uuid":"73332164","full_name":"austin-taylor/flare","owner":"austin-taylor","description":"An analytical framework for network traffic and behavioral analytics","archived":false,"fork":false,"pushed_at":"2022-12-07T23:39:04.000Z","size":57992,"stargazers_count":450,"open_issues_count":3,"forks_count":86,"subscribers_count":38,"default_branch":"master","last_synced_at":"2025-03-29T19:08:43.422Z","etag":null,"topics":["analytics","cybersecurity","domains","elasticsearch","network-analysis","python"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/austin-taylor.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-11-10T00:14:39.000Z","updated_at":"2025-03-14T05:50:28.000Z","dependencies_parsed_at":"2023-01-12T03:30:19.194Z","dependency_job_id":null,"html_url":"https://github.com/austin-taylor/flare","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/austin-taylor%2Fflare","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/austin-taylor%2Fflare/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/austin-taylor%2Fflare/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/austin-taylor%2Fflare/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/austin-taylor","download_url":"https://codeload.github.com/austin-tayl
or/flare/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247399877,"owners_count":20932876,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["analytics","cybersecurity","domains","elasticsearch","network-analysis","python"],"created_at":"2024-07-31T08:00:45.189Z","updated_at":"2025-04-05T21:07:41.098Z","avatar_url":"https://github.com/austin-taylor.png","language":"Python","funding_links":[],"categories":["Threat Detection and Hunting"],"sub_categories":["Tools"],"readme":"\n\u003cp align=\"center\" style=\"width:400px\"\u003e\u003cimg src=\"https://github.com/austin-taylor/flare/blob/master/docs/source/logo.png\" style=\"width:400px\"\u003e\u003c/p\u003e\n\n---\n\nFlare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in Python, it is built for rapid prototyping and development of behavioral analytics, and intended to make identifying malicious behavior in networks as simple as possible.\n\nGetting Started\n---------------\n\nCurrently supports Python 2.7 and Python 3. Installing inside a virtual environment avoids running pip as root.\n\n```bash\nsudo pip install -r requirements.txt\npython setup.py install\n```\n\nFirst Use\n------------\n\nOnce **Flare** is installed you may use it via the command line by calling **flare_beacon**. You can use command line parameters or call a configuration file (recommended). 
See the configs directory for sample configuration files.\n\nExample command below:\n\n```bash\nflare_beacon -c /path/to/flare/configs/elasticsearch.ini --focus_outbound --whois -json /tmp/flare.json\n```\n\nCore Features\n-------------\n*   Command and Control Analytics\n    *   Identify beaconing in your environment (works with Suricata output and Elasticsearch)\n*   Feature Extraction\n    *   Helper utility functions to filter out the noise.\n*   Alexa, Umbrella, and Majestic Million (coming soon)\n*   WHOIS IP Lookup\n*   Pre-built machine learning classifiers\n*   So much more...\n\n\nAnalytics\n=========\n\nBeaconing\n---------\nDesigned for Elasticsearch and Suricata, elasticBeacon connects to your Elasticsearch server, retrieves all IP addresses and identifies periodic activity.\n\nIf Elasticsearch is bound only to localhost on the remote host, forward port 9200 to your machine over SSH rather than exposing it on the network: **ssh -NfL 9200:localhost:9200 user@x.x.x.x**\n\n```python\nfrom flare.analytics.command_control import elasticBeacon\n\neb = elasticBeacon(es_host='localhost')\nbeacons = eb.find_beacons(group=True, focus_outbound=True)\n```\n\nAlso available on the command line:\n\n```bash\n# CSV output\nflare_beacon --whois --focus_outbound -mo=100 --csv_out=beacon_results.csv\n\n# HTML output\nflare_beacon --group --whois --focus_outbound -c configs/elasticsearch.ini -html beacons.html\n\n# JSON output (for SIEM ingestion)\nflare_beacon --whois --focus_outbound -c /opt/flare-master/configs/selks4.ini -json beacon.json -v\n```\n\nFull writeup [here](http://www.austintaylor.io/detect/beaconing/intrusion/detection/system/command/control/flare/elastic/stack/2017/06/10/detect-beaconing-with-flare-elasticsearch-and-intrusion-detection-systems/)\n\nDomain Features\n===============\n\n\nAlexa\n-----\n```python\nfrom flare.tools.alexa import Alexa\n\nalexa = Alexa(limit=1000000)\n\nprint(alexa.domain_in_alexa('google.com'))  # True\nprint(alexa.subdomain_in_alexa('www'))      # True\n\nprint(alexa.DOMAINS_TOP1M)  # the loaded domain list (limited to 1,000,000 entries here)\n```\n\nIP Utilities\n------------\n```python\nfrom flare.tools.whoisip import WhoisLookup\nfrom flare.tools.iputils import hex_to_ip, ip_to_hex\n\nwhois = WhoisLookup()\nprint(whois.get_name_by_ip('8.8.8.8'))\n# 'GOOGLE - Google Inc., US'\n\nprint(ip_to_hex('8.8.8.8'), hex_to_ip('08080808'))\n# (u'08080808', '8.8.8.8')\n```\n*   Convert hex to IP and vice versa\n*   Check whether an address is private, multicast, or reserved\n*   Identify the owner of a public IP address\n\nData Science Features\n---------------------\n```python\nfrom flare.data_science.features import dga_classifier\n\ndga_c = dga_classifier()\n\nprint(dga_c.predict('facebook'))   # Legit\nprint(dga_c.predict('39al31ak3'))  # dga\n```\n\n\n```python\nfrom flare.data_science.features import entropy\nfrom flare.data_science.features import ip_matcher\nfrom flare.data_science.features import domain_extract\nfrom flare.data_science.features import levenshtein\nfrom flare.data_science.features import domain_tld_extract\n\n# Entropy example (Shannon entropy, bits per character)\nprint(entropy('akd93ka8a91a'))\n# 2.58496250072\n\n# IP matcher example\nprint(ip_matcher('8.8.8.8'))\n# True\n\nprint(ip_matcher('39.993.9.1'))\n# False\n\n# Domain extract example\nprint(domain_extract('longsubdomain.huntoperator.com'))\n# 'huntoperator'\n\n# Domain TLD extract\nprint(domain_tld_extract('longsubdomain.huntoperator.com'))\n# 'huntoperator.com'\n\n# Levenshtein example\na = ['google.com']\nb = ['googl3.com']\nprint(levenshtein(a, b))\n# 'Difference of:' 1\n```\n\nand many more features for data extraction...\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faustin-taylor%2Fflare","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Faustin-taylor%2Fflare","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Faustin-taylor%2Fflare/lists"}
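The Beaconing section of the README above says elasticBeacon pulls connection records from Elasticsearch and identifies periodic activity. The block below is an added example, not flare's own code: it works the same idea offline on a constructed flow list by grouping connections per (src, dst) pair, taking the inter-arrival intervals and flagging pairs whose intervals are nearly constant. The coefficient-of-variation threshold, the minimum occurrence count and the RFC 1918 definition of "internal" used for the focus_outbound filter are assumptions.

```python
"""Minimal beacon detector (added illustration, not flare's elasticBeacon).

Groups connections by (src, dst), computes inter-arrival intervals and scores
their regularity with the coefficient of variation (stdev / mean).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 ranges define "internal" for the focus_outbound filter.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]


def is_internal(ip):
    """True if ip falls in one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def build_sample_flows():
    """Constructed sample flows as (epoch seconds, src, dst); not real traffic.

    RFC 5737 TEST-NET addresses stand in for external hosts.
    """
    base = 1_700_000_000
    flows = []
    # An implant checking in every 60 s with a little jitter.
    for i, jitter in enumerate([0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 0, 2]):
        flows.append((base + 60 * i + jitter, "10.0.0.5", "203.0.113.10"))
    # A user visiting the same site at irregular times.
    for offset in [0, 7, 95, 110, 400, 2600]:
        flows.append((base + offset, "10.0.0.7", "198.51.100.20"))
    # Too few connections to judge either way.
    flows.append((base + 5, "10.0.0.9", "192.0.2.30"))
    flows.append((base + 65, "10.0.0.9", "192.0.2.30"))
    return flows


def find_beacons(flows, min_occurrences=6, max_cv=0.15, focus_outbound=True):
    """Return (src, dst) pairs whose inter-arrival intervals are nearly constant.

    max_cv is the coefficient of variation above which a pair is treated as
    irregular; the default is an assumption to tune per environment.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        if focus_outbound and not (is_internal(src) and not is_internal(dst)):
            continue
        by_pair[(src, dst)].append(ts)

    results = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_occurrences:
            continue
        stamps.sort()
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mu = mean(intervals)
        if mu <= 0:
            continue  # all connections share one timestamp; nothing periodic
        cv = pstdev(intervals) / mu
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "connections": len(stamps),
                            "period_s": round(mu, 1), "cv": round(cv, 3)})
    return sorted(results, key=lambda r: r["cv"])


if __name__ == "__main__":
    for hit in find_beacons(build_sample_flows()):
        print(hit)
```

Jittered implants keep a low coefficient of variation because the jitter is small relative to the period; a sleep that doubles or halves at random defeats this score, which is why a production detector also looks at per-connection byte counts and the distribution of intervals rather than a single ratio.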
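The Domain Features and Data Science sections of the README above list entropy, Levenshtein distance and registered-domain extraction as building blocks for spotting DGA and lookalike domains. The block below is an added example, not flare's code: it re-implements those three helpers and combines them into a small triage function run over a constructed allowlist. The entropy and edit-distance thresholds, the allowlist and the two-label approximation of a registered domain are assumptions.

```python
"""Domain-string features for DGA and lookalike triage (added illustration).

Re-implements Shannon entropy, Levenshtein distance and a naive
registered-domain extractor, then scores names against a tiny allowlist.
"""
import math
from collections import Counter

# Constructed allowlist standing in for a top-1M style list (assumption).
KNOWN_GOOD = ["google.com", "facebook.com", "github.com"]


def shannon_entropy(s):
    """Shannon entropy of s in bits per character (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def levenshtein(a, b):
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registered_domain(fqdn):
    """Last two labels of the name. Simplification: real code should consult
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def triage(fqdn, known_good=KNOWN_GOOD, max_lookalike_distance=2, min_entropy=3.5):
    """Classify a name as known-good, lookalike, high-entropy or unknown.

    Thresholds are assumptions: a registered domain within two edits of an
    allowlisted one is a lookalike; a second-level label with entropy of at
    least 3.5 bits/char is flagged as DGA-like.
    """
    reg = registered_domain(fqdn)
    label = reg.split(".")[0]
    ent = shannon_entropy(label)
    nearest = min(known_good, key=lambda d: levenshtein(reg, d))
    dist = levenshtein(reg, nearest)
    if dist == 0:
        verdict = "known-good"
    elif dist <= max_lookalike_distance:
        verdict = "lookalike"
    elif ent >= min_entropy:
        verdict = "high-entropy"
    else:
        verdict = "unknown"
    return {"domain": fqdn, "registered": reg, "entropy": round(ent, 3),
            "nearest": nearest, "distance": dist, "verdict": verdict}


if __name__ == "__main__":
    for name in ["www.google.com", "googl3.com", "xk3j9q2mzp7w.net",
                 "longsubdomain.huntoperator.com"]:
        print(triage(name))
```

Entropy is length-sensitive: a nine-character DGA label such as the README's 39al31ak3 scores well under 3.5 bits/char simply because it is short, so entropy alone misses short algorithmic names. That is the gap flare's dga_classifier fills with a trained model; the entropy feature is one input to it, not a verdict by itself.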