NullSec FlowTrace

Network Flow Analyzer

A pure functional network flow analysis tool written in Haskell, demonstrating algebraic data types and monadic composition for security-focused traffic inspection.

🎯 Overview

NullSec FlowTrace analyzes network flow data to detect suspicious patterns, malicious connections, and data exfiltration attempts using Haskell's powerful type system and pattern matching capabilities.

✨ Features

• Flow Analysis - Deep inspection of NetFlow/IPFIX data
• Malicious IP Detection - Known threat intelligence matching
• Port Scanning Detection - Identify reconnaissance activity
• Data Exfiltration Alerts - Large transfer detection
• MITRE ATT&CK Mapping - Technique identification
• Protocol Classification - Automatic protocol detection

🔍 Detection Capabilities

Category	Description	MITRE
Malicious IP	Known C2/botnet connections	T1071
Suspicious Port	Backdoor/RAT ports	T1571
Data Exfiltration	Large outbound transfers	T1048
Port Scanning	SYN scan detection	T1046
IRC C2	IRC channel connections	T1071.001

📦 Installation

# Clone the repository
git clone https://github.com/bad-antics/nullsec-flowtrace
cd nullsec-flowtrace

# Compile with GHC
ghc -O2 FlowTrace.hs -o flowtrace

# Or run directly
runhaskell FlowTrace.hs

🚀 Usage

# Analyze flow data file
./flowtrace flows.nfcapd

# JSON output
./flowtrace -j flows.log

# Summary only
./flowtrace -s conn.log

# Run demo mode
./flowtrace

💻 Example Output

╔══════════════════════════════════════════════════════════════════╗
║            NullSec FlowTrace - Network Flow Analyzer             ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]

Analyzing sample network flows...

Processed 10 flows, found 8 alerts

  [Critical] Malicious IP
    Source: 192.168.1.100:45678
    Dest:   185.220.101.1:443
    Detail: Connection to known malicious IP: 185.220.101.1
    MITRE:  T1071

  [High] Suspicious Port
    Source: 10.0.0.50:12345
    Dest:   45.33.32.156:4444
    Detail: Connection to port 4444 (Metasploit default)
    MITRE:  T1571

  [High] Data Exfiltration
    Source: 192.168.100.5:50000
    Dest:   1.2.3.4:31337
    Detail: Large data transfer: 150000000 bytes
    MITRE:  T1048

═══════════════════════════════════════════

  Summary:
    Total Flows:   10
    Total Bytes:   152006564
    Total Packets: 58751
    Alerts:        8

  Top Protocols:
    • TCP: 6 flows
    • HTTPS: 2 flows
    • DNS: 1 flow
    • ICMP: 1 flow

🏗️ Architecture

┌─────────────────────────────────────────────────────────┐
│                    Flow Parser                          │
│  NetFlow v5/v9 | IPFIX | Zeek | Argus                  │
└─────────────────────────────────────────────────────────┘
                          │
                          ▼
┌─────────────────────────────────────────────────────────┐
│               Flow Data Structure                       │
│  Flow { srcIP, dstIP, srcPort, dstPort, protocol, ... }│
└─────────────────────────────────────────────────────────┘
                          │
          ┌───────────────┼───────────────┐
          ▼               ▼               ▼
    ┌──────────┐   ┌──────────┐   ┌──────────┐
    │ IP Check │   │Port Check│   │ Volume   │
    │Malicious │   │Suspicious│   │ Check    │
    └──────────┘   └──────────┘   └──────────┘
          │               │               │
          └───────────────┼───────────────┘
                          ▼
                  ┌──────────────┐
                  │FlowAnalysis  │
                  │  Result List │
                  └──────────────┘

λ Haskell Features Demonstrated

• Algebraic Data Types - Flow, FlowAnalysis, Severity, Protocol
• Pattern Matching - Exhaustive case analysis
• List Comprehensions - Functional filtering and mapping
• Higher-Order Functions - map, filter, sortBy, groupBy
• Type Classes - Show, Eq, Ord instances
• Maybe Monad - Optional MITRE mappings
• Guards - Multi-way conditionals
• Where Clauses - Local definitions

🔧 Data Types

-- Flow record
data Flow = Flow
    { flowSrcIP    :: IPAddress
    , flowDstIP    :: IPAddress
    , flowSrcPort  :: Int
    , flowDstPort  :: Int
    , flowProtocol :: Protocol
    , flowBytes    :: Int
    , flowPackets  :: Int
    , flowDuration :: Float
    , flowFlags    :: [String]
    }

-- Analysis result
data FlowAnalysis = FlowAnalysis
    { analysisFlow     :: Flow
    , analysisSeverity :: Severity
    , analysisCategory :: String
    , analysisDetails  :: String
    , analysisMitre    :: Maybe String
    }

📊 Supported Formats

Format	Extension	Support
NetFlow v5	.nfcapd	✅
NetFlow v9	.nfcapd	✅
IPFIX	.ipfix	✅
Zeek conn.log	.log	✅
Argus	.arg	✅

🛡️ Security Use Cases

• Threat Hunting - Identify C2 beacons in flow data
• Incident Response - Trace lateral movement
• Network Forensics - Reconstruct attack timelines
• Compliance Monitoring - Detect policy violations
• Anomaly Detection - Find unusual patterns

⚠️ Legal Disclaimer

This tool is intended for:

• ✅ Authorized network monitoring
• ✅ Security operations centers
• ✅ Incident response teams
• ✅ Research and education

Only analyze network data you're authorized to inspect.

🔗 Links

• Portal: bad-antics.github.io
• Twitter: x.com/AnonAntics
• GitHub: github.com/bad-antics

📄 License

MIT License - See LICENSE file for details.

🏷️ Version History

• v1.0.0 - Initial release with flow analysis and threat detection

---

Part of the NullSec Security Toolkit