Flare: an analysis framework for network traffic and behavioral analysis

User submission, 1097 views, 2022-10-31


Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in Python, it is designed for rapid prototyping and development of behavioral analytics, and intended to make identifying malicious behavior in networks as simple as possible.

Getting Started

Currently supports Python 2.7 and Python 3.

sudo pip install -r requirements.txt
python setup.py install

First Use

Once Flare is installed you can use it from the command line by calling flare_beacon. Options can be given as command line parameters or in a configuration file (recommended). See the configs directory for sample configuration files.

Example command below:

flare_beacon -c /path/to/flare/config/elasticsearch.ini --focus_outbound --whois
flare_beacon -json /tmp/flare.json

Core Features

Command and Control Analytics
    Identify beaconing in your environment (works with Suricata output and Elasticsearch)
Feature Extraction
    Helper utility functions to filter out the noise
    Alexa, Umbrella, and Majestic Million (coming soon)
    WHOIS IP lookup
Pre-built machine learning classifiers
So much more...

Analytics

Beaconing

Designed for Elasticsearch and Suricata, elasticBeacon connects to your Elasticsearch server, retrieves the connection records for all IP addresses and identifies periodic (beacon-like) activity between source and destination pairs.

You may need to forward port 9200 to your localhost with ssh -NfL 9200:localhost:9200 user@x.x.x.x

from flare.analytics.command_control import elasticBeacon
eb = elasticBeacon(es_host='localhost')
beacons = eb.find_beacons(group=True, focus_outbound=True)

Also available in commandline:

CSV OUTPUT
flare_beacon --whois --focus_outbound -mo=100 --csv_out=beacon_results.csv

HTML OUTPUT
flare_beacon --group --whois --focus_outbound -c configs/elasticsearch.ini -html beacons.html

JSON OUTPUT (for SIEM)
flare_beacon --whois --focus_outbound -c /opt/flare-master/configs/selks4.ini -json beacon.json -v

Full writeup here
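To make concrete what "identify periodic activity" means, here is a small, self-contained beacon detector written for this page as an added example; it is not Flare's elasticBeacon and does not talk to Elasticsearch. Instead of Suricata flow records it uses a handful of constructed (timestamp, src, dst, dst_port) tuples embedded inline, groups them per connection pair, and scores how tightly the inter-connection gaps cluster around one interval. The focus_outbound flag mimics Flare's option by keeping only RFC 1918 source to non-RFC 1918 destination pairs; the thresholds (minimum occurrences, allowed jitter, score cutoff) are assumptions chosen for the example, not Flare's defaults.

```python
"""Toy periodic-connection (beacon) detector. Added example, not Flare code."""
import ipaddress
from collections import defaultdict
from statistics import median

# Constructed sample flows: (timestamp_seconds, src_ip, dst_ip, dst_port).
# 10.0.0.5 -> 203.0.113.10:443 every ~60 s with +/-2 s jitter (a beacon),
# 10.0.0.7 -> 198.51.100.20:443 at irregular times (ordinary browsing),
# 10.0.0.9 -> 192.0.2.30:80 once, and 10.0.0.5 -> internal DNS every 60 s
# (periodic, but internal, so it is dropped when focus_outbound is set).
FLOWS = [
    (0, "10.0.0.5", "203.0.113.10", 443),
    (61, "10.0.0.5", "203.0.113.10", 443),
    (120, "10.0.0.5", "203.0.113.10", 443),
    (181, "10.0.0.5", "203.0.113.10", 443),
    (239, "10.0.0.5", "203.0.113.10", 443),
    (300, "10.0.0.5", "203.0.113.10", 443),
    (5, "10.0.0.7", "198.51.100.20", 443),
    (9, "10.0.0.7", "198.51.100.20", 443),
    (140, "10.0.0.7", "198.51.100.20", 443),
    (141, "10.0.0.7", "198.51.100.20", 443),
    (400, "10.0.0.7", "198.51.100.20", 443),
    (50, "10.0.0.9", "192.0.2.30", 80),
    (12, "10.0.0.5", "10.0.0.1", 53),
    (72, "10.0.0.5", "10.0.0.1", 53),
    (132, "10.0.0.5", "10.0.0.1", 53),
    (192, "10.0.0.5", "10.0.0.1", 53),
]

# Explicit RFC 1918 ranges. Python's ipaddress.is_private also treats the
# documentation nets (203.0.113.0/24 etc.) as private, which would hide the
# sample "external" destinations above, so the check is done by hand.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def find_beacons(flows, min_occurrences=4, max_jitter=0.2, min_score=0.8, focus_outbound=True):
    """Return connection pairs whose inter-connection gaps look periodic.

    A pair scores as the fraction of gaps that lie within +/- max_jitter
    (relative) of the median gap; pairs with fewer than min_occurrences
    connections are ignored. Thresholds are assumptions for this example.
    """
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        if focus_outbound and (not is_rfc1918(src) or is_rfc1918(dst)):
            continue  # keep only internal -> external traffic
        groups[(src, dst, port)].append(ts)

    results = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_occurrences:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        interval = median(gaps)
        if interval <= 0:
            continue
        in_band = sum(1 for g in gaps if abs(g - interval) <= max_jitter * interval)
        score = in_band / len(gaps)
        if score >= min_score:
            results.append({"src": src, "dst": dst, "dst_port": port,
                            "interval": interval, "score": score, "count": len(stamps)})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    for hit in find_beacons(FLOWS):
        print("%(src)s -> %(dst)s:%(dst_port)s every ~%(interval)ss (score %(score).2f, n=%(count)d)" % hit)
```

Real traffic needs a wider jitter band (malware often randomises its sleep) and a minimum session count high enough to suppress NTP, update checks and similar benign periodic traffic, which is why Flare pairs the detection with WHOIS and top-domain whitelists.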

Domain Features

Alexa

from flare.tools.alexa import Alexa
alexa = Alexa(limit=1000000)
print(alexa.domain_in_alexa('google.com'))  # Returns True
print(alexa.subdomain_in_alexa('www'))      # Returns True
print(alexa.DOMAINS_TOP1M)                  # Displays the loaded domains (up to `limit`)

IP Utilities

from flare.tools.whoisip import WhoisLookup
whois = WhoisLookup()
whois.get_name_by_ip('8.8.8.8')
OUT: 'GOOGLE - Google Inc., US'

from flare.tools.iputils import hex_to_ip, ip_to_hex
ip_to_hex('8.8.8.8'), hex_to_ip('08080808')
OUT: (u'08080808', '8.8.8.8')

Convert hex to IP and vice versa
Check whether an address is private, multicast, or reserved
Identify the owner of a public IP address

Data Science Features

from flare.data_science.features import dga_classifier
dga_c = dga_classifier()
print(dga_c.predict('facebook'))   # legit
print(dga_c.predict('39al31ak3'))  # dga

from flare.data_science.features import entropy
from flare.data_science.features import ip_matcher
from flare.data_science.features import domain_extract
from flare.data_science.features import levenshtein
from flare.data_science.features import domain_tld_extract

# Entropy example
print(entropy('akd93ka8a91a'))
2.58496250072

# IP Matcher example
print(ip_matcher('8.8.8.8'))
True
print(ip_matcher('39.993.9.1'))
False

# Domain Extract example
domain_extract('longsubdomain.huntoperator.com')
'huntoperator'

# Domain TLD Extract
domain_tld_extract('longsubdomain.huntoperator.com')
'huntoperator.com'

# Levenshtein example
a = ['google.com']
b = ['googl3.com']
print(levenshtein(a, b))
'Difference of:' 1

and many more features for data extraction...
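The IP Utilities and Data Science Features sections above only show calls and their outputs. As an added example (written for this page, not Flare's own implementation), the block below re-implements the same handful of features from scratch so the numbers can be checked offline: Shannon entropy in bits over the character distribution (which is what gives 2.58496250072 for 'akd93ka8a91a'), a strict dotted-quad matcher that rejects '39.993.9.1', Levenshtein distance, hex/IP conversion, and an address classifier. The `lookalike` function and the brand list it uses are assumptions added to show how the distance feature is typically applied to typo-squat detection.

```python
"""Re-implementations of Flare-style features. Added example, not Flare code."""
import ipaddress
import math
import re
from collections import Counter


def entropy(text):
    """Shannon entropy of the character distribution, in bits per character."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


_IPV4 = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def ip_matcher(value):
    """True only for a dotted quad whose four octets are all in 0..255."""
    m = _IPV4.match(value)
    return bool(m) and all(0 <= int(octet) <= 255 for octet in m.groups())


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def ip_to_hex(ip):
    return "%08x" % int(ipaddress.IPv4Address(ip))


def hex_to_ip(hexstr):
    return str(ipaddress.IPv4Address(int(hexstr, 16)))


def ip_category(ip):
    """Classify an address; order matters because Python's is_private also
    covers 240.0.0.0/4 and the documentation ranges."""
    addr = ipaddress.ip_address(ip)
    if addr.is_multicast:
        return "multicast"
    if addr.is_reserved:
        return "reserved"
    if addr.is_loopback:
        return "loopback"
    if addr.is_private:
        return "private"
    return "public"


# Constructed brand list for the lookalike check (an assumption for this example).
BRANDS = ("google.com", "facebook.com", "microsoft.com")


def lookalike(domain, brands=BRANDS, max_distance=1):
    """Brands within a small edit distance of `domain` (exact matches excluded)."""
    return [b for b in brands if 0 < levenshtein(domain, b) <= max_distance]


if __name__ == "__main__":
    print(entropy("akd93ka8a91a"))
    print(ip_matcher("8.8.8.8"), ip_matcher("39.993.9.1"))
    print(levenshtein("google.com", "googl3.com"))
    print(ip_to_hex("8.8.8.8"), hex_to_ip("08080808"))
    print(ip_category("8.8.8.8"), ip_category("10.1.2.3"), ip_category("224.0.0.1"))
    print(lookalike("googl3.com"))
```

Entropy on its own is a weak DGA signal: long legitimate hostnames and hashed CDN labels score high too, so in practice it is one feature among several (length, digit ratio, n-gram likelihood) fed to a classifier such as Flare's dga_classifier rather than a threshold by itself.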
