An analytical framework for network traffic and behavioral analytics
tbennett6421 and austin-taylor added a check for self.auth_user and self.auth_password (#34)
On failure we define self.auth to be None

Preceding connection constructs the ES() class based on the results of the check
Latest commit 8c005be Apr 2, 2019

Flare is a network analytic framework designed for data scientists, security researchers, and network professionals. Written in Python, it is designed for rapid prototyping and development of behavioral analytics, and intended to make identifying malicious behavior in networks as simple as possible.

Getting Started

Currently supports Python 2.7 and Python 3

sudo pip install -r requirements.txt
python setup.py install

Core Features

  • Command and Control Analytics
    • Identify Beaconing in your environment (works with Suricata output and ElasticSearch)
  • Feature Extraction
    • Helper utility functions to filter out the noise.
  • Alexa, Umbrella, and Majestic Million (coming soon)
  • WHOIS IP Lookup
  • Pre-built machine learning classifiers
  • So much more...



Designed for Elasticsearch and Suricata, elasticBeacon connects to your Elasticsearch server, retrieves all IP addresses and identifies periodic activity.

You may need to forward port 9200 to your localhost with ssh -NfL 9200:localhost:9200 user@x.x.x.x

from import elasticBeacon

eb = elasticBeacon(es_host='localhost')
beacons = eb.find_beacons(group=True, focus_outbound=True)

Also available on the command line:

flare_beacon --whois --focus_outbound -mo=100 --csv_out=beacon_results.csv

flare_beacon --group --whois --focus_outbound -c configs/elasticsearch.ini -html beacons.html

flare_beacon --whois --focus_outbound -c /opt/flare-master/configs/selks4.ini -json beacon.json -v

Full writeup here
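The periodicity check that elasticBeacon performs, worked through on constructed flow records as an added example (this is not Flare's own code): connections are grouped per source, destination and port, and a pair is flagged when its inter-arrival intervals are nearly constant. The names find_beacons, is_internal, SAMPLE_FLOWS, the RFC 1918 list used to decide "outbound" and the max_cv threshold are assumptions of this example; it targets Python 3.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Internal address space assumed by this example (RFC 1918); anything else counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample flow records (timestamp, src_ip, dest_ip, dest_port), the fields a
# Suricata flow event carries. 10.0.0.5 reaches 203.0.113.10 every 60 s with small jitter
# (a beacon); 10.0.0.7 talks to 198.51.100.20 at irregular, human-like times.
_T0 = datetime(2019, 4, 2, 12, 0, 0)
SAMPLE_FLOWS = [
    (_T0 + timedelta(seconds=60 * i + i % 3), "10.0.0.5", "203.0.113.10", 443)
    for i in range(20)
] + [
    (_T0 + timedelta(seconds=s), "10.0.0.7", "198.51.100.20", 443)
    for s in (3, 40, 41, 300, 310, 900, 1500, 1502, 2300, 2301, 4000, 4100)
]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def find_beacons(flows, min_connections=10, max_cv=0.15, focus_outbound=True):
    """Group flows per (src, dest, port), measure inter-arrival times and report pairs
    whose interval is nearly constant: coefficient of variation (stdev / mean) <= max_cv.
    focus_outbound keeps only internal -> external pairs, like the CLI flag of that name."""
    groups = defaultdict(list)
    for ts, src, dst, port in flows:
        if focus_outbound and (not is_internal(src) or is_internal(dst)):
            continue
        groups[(src, dst, port)].append(ts)

    beacons = []
    for (src, dst, port), stamps in groups.items():
        if len(stamps) < min_connections:
            continue  # too few samples to call anything periodic
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(deltas)
        if mean <= 0:
            continue  # only duplicate timestamps; no interval to measure
        cv = statistics.pstdev(deltas) / mean
        if cv <= max_cv:
            beacons.append({"src": src, "dest": dst, "port": port, "connections": len(stamps),
                            "interval_s": round(mean, 1), "cv": round(cv, 3)})
    return beacons
```

Lower max_cv makes the check stricter; real beacons often add deliberate jitter, so the threshold and min_connections are the two knobs to tune against your own baseline traffic.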

Domain Features


from import Alexa
alexa = Alexa(limit=1000000)

print(alexa.domain_in_alexa(''))  # Returns True
print(alexa.subdomain_in_alexa('www'))  # Returns True

print(alexa.DOMAINS_TOP1M)  # Displays domains (in this case top 100)

IP Utilities

from import WhoisLookup

whois = WhoisLookup()

OUT: 'GOOGLE - Google Inc., US'

from import hex_to_ip, ip_to_hex

ip_to_hex('8.8.8.8'), hex_to_ip('08080808')

OUT: (u'08080808', '8.8.8.8')
  • Convert Hex to IP and vice/versa
  • Check for Private, Multicast, or Reserved addresses
  • Identify the owner of a public IP address

Data Science Features

from flare.data_science.features import dga_classifier

dga_c = dga_classifier()

print(dga_c.predict('facebook'))

print(dga_c.predict('39al31ak3'))

from flare.data_science.features import entropy
from flare.data_science.features import ip_matcher
from flare.data_science.features import domain_extract
from flare.data_science.features import levenshtein
from flare.data_science.features import domain_tld_extract

# Entropy example
print(entropy('akd93ka8a91a'))

# IP Matcher Example
print(ip_matcher(''))

print(ip_matcher('39.993.9.1'))

# Domain Extract Example

# Domain TLD Extract

# Levenshtein example
a = ['']
b = ['']
print(levenshtein(a, b))

OUT: 'Difference of:' 1

and many more features for data extraction...
