• Stars
    star
    2,500
  • Rank 18,372 (Top 0.4 %)
  • Language
    Go
  • License
    GNU General Publi...
  • Created about 8 years ago
  • Updated 5 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

RITA (Real Intelligence Threat Analytics)

RITA Logo

If you get value out of RITA and would like to go a step further with hunting automation, futuristic visualizations, and data encrichment take a look at AC-Hunter.

Sponsored by Active Countermeasures.


RITA is an open source framework for network traffic analysis.

The framework ingests Zeek Logs in TSV format, and currently supports the following major features:

  • Beaconing Detection: Search for signs of beaconing behavior in and out of your network
  • DNS Tunneling Detection Search for signs of DNS based covert channels
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts

Install

Please see our recommended System Requirements document if you wish to use RITA in a production environment.

Automated Install

RITA provides an install script that works on Ubuntu 20.04 LTS, Debian 11, Security Onion, and CentOS 7.

Download the latest install.sh file here and make it executable: chmod +x ./install.sh

Then choose one of the following install methods:

  • sudo ./install.sh will install RITA as well as supported versions of Zeek and MongoDB. This is suitable if you want to get started as quickly as possible or you don't already have Zeek or MongoDB.

  • sudo ./install.sh --disable-zeek --disable-mongo will install RITA only, without Zeek or MongoDB. You may also use these flags individually.

Docker Install

See here.

Manual Installation

To install each component of RITA by manually see here.

Upgrading RITA

See this guide for upgrade instructions.

Getting Started

Configuration File

RITA's config file is located at /etc/rita/config.yaml though you can specify a custom path on individual commands with the -c command line flag.

  • The Filtering: InternalSubnets section must be configured or you will not see any results in certain modules (e.g. beacons, long connections). If your network uses the standard RFC1918 internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) you don't need to do anything as the default InternalSubnets section already has these. Otherwise, adjust this section to match your environment. RITA's main purpose is to find the signs of a compromised internal system talking to an external system and will automatically exclude internal to internal connections and external to external connections from parts of the analysis.

You may also wish to change the defaults for the following option:

  • Filtering: AlwaysInclude - Ranges listed here are exempt from the filtering applied by the InternalSubnets setting. The main use for this is to include internal DNS servers so that you can see the source of any DNS queries made.

Note that any value listed in the Filtering section should be in CIDR format. So a single IP of 192.168.1.1 would be written as 192.168.1.1/32.

Obtaining Data (Generating Zeek Logs)

  • Option 1: Generate PCAPs outside of Zeek

    • Generate PCAP files with a packet sniffer (tcpdump, wireshark, etc.)
    • (Optional) Merge multiple PCAP files into one PCAP file
      • mergecap -w outFile.pcap inFile1.pcap inFile2.pcap
    • Generate Zeek logs from the PCAP files
      • zeek -r pcap_to_log.pcap local "Log::default_rotation_interval = 1 day"
  • Option 2: Install Zeek and let it monitor an interface directly [instructions]

    • You may wish to compile Zeek from source for performance reasons. This script can help automate the process.

    • The automated installer for RITA installs pre-compiled Zeek binaries by default

      • Provide the --disable-zeek flag when running the installer if you intend to compile Zeek from source
    • To take advantage of the feature for monitoring long-running, open connections (default is 1 hour or more), you will need to install our zeek-open-connections plugin. We recommend installing the package with Zeek's package manager zkg. Newer versions of Zeek (4.0.0 or greater) will come bundled with zkg. If you do not have zkg installed, you can manually install it. Once you have zkg installed, run the following commands to install the package

      • zkg refresh
      • zkg install zeek/activecm/zeek-open-connections

      Next, edit your site/local.zeek file so that it contains the following line

      • @load packages

      Finally, run the following

      • zeekctl deploy

Importing and Analyzing Data With RITA

After installing RITA, setting up the InternalSubnets section of the config file, and collecting some Zeek logs, you are ready to begin hunting.

RITA can process TSV, JSON, and JSON streaming Zeek log file formats. These logs can be either plaintext or gzip compressed.

One-Off Datasets

This is the simplest usage and is great for analyzing a collection of Zeek logs in a single directory. If you expect to have more logs to add to the same analysis later see the next section on Rolling Datasets.

rita import path/to/your/zeek_logs dataset_name

Every log file in the supplied directory will be imported into a dataset with the given name. However, files in nested directories will not be processed.

Note: Rita is designed to analyze 24hr blocks of logs. Rita versions newer than 4.5.1 will analyze only the most recent 24 hours of data supplied.

Rolling Datasets

Rolling datasets allow you to progressively analyze log data over a period of time as it comes in.

rita import --rolling /path/to/your/zeek_logs dataset_name

You can make this call repeatedly as new logs are added to the same directory (e.g. every hour).

One common scenario is to have a rolling database that imports new logs every hour and always has the last 24 hours worth of logs in it. Typically, Zeek logs will be placed in /opt/zeek/logs/<date> which means that the directory will change every day. To accommodate this, you can use the following command in a cron job or other task scheduler that runs once per hour.

rita import --rolling /opt/zeek/logs/$(date --date='-1 hour' +\%Y-\%m-\%d)/ dataset_name

RITA cycles data into and out of rolling databases in "chunks". You can think of each chunk as one hour, and the default being 24 chunks in a dataset. This gives the ability to always have the most recent 24 hours' worth of data available. But chunks are generic enough to accommodate non-default Zeek logging configurations or data retention times as well. See the Rolling Datasets documentation for advanced options.

Note: dataset_name is simply a name of your choosing. We recommend a descriptive name such as the hostname or location of where the data was captured. Stick with letters, numbers, and underscores. Periods and other special characters are not allowed.

Examining Data With RITA

  • Use the show-X commands
    • show-databases: Print the datasets currently stored
    • show-beacons: Print hosts which show signs of C2 software
    • show-bl-hostnames: Print blacklisted hostnames which received connections
    • show-bl-source-ips: Print blacklisted IPs which initiated connections
    • show-bl-dest-ips: Print blacklisted IPs which received connections
    • show-dns-fqdn-ips: Print IPs associated with a specified FQDN
    • show-exploded-dns: Print dns analysis. Exposes covert dns channels
    • show-long-connections: Print long connections and relevant information
    • show-strobes: Print connections which occurred with excessive frequency
    • show-useragents: Print user agent information
  • By default, RITA displays data in CSV format
    • -d [DELIM] delimits the data by [DELIM] instead of a comma
      • Strings can be provided instead of single characters if desired, e.g. rita show-beacons -d "---" dataset_name
    • -H displays the data in a human readable format
      • This takes precedence over the -d option
    • Piping the human readable results through less -S prevents word wrapping
      • Ex: rita show-beacons dataset_name -H | less -S
  • Create a html report with html-report

Getting help

Please create an issue on GitHub if you have any questions or concerns.

Contributing to RITA

To contribute to RITA visit our Contributing Guide

License

GNU GPL V3 © Active Countermeasures ™

More Repositories

1

BeaKer

Beacon Kibana Executable Report. Aggregates Sysmon Network Events With Elasticsearch and Kibana
Shell
281
star
2

passer

Passive service locator, a python sniffer that identifies servers, clients, names and much more
Python
240
star
3

threat-tools

Tools for simulating threats
Python
166
star
4

rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Go
97
star
5

threat-hunting-labs

Collection of walkthroughs on various threat hunting techniques
HTML
73
star
6

espy

Endpoint detection for remote hosts for consumption by RITA and Elasticsearch
Go
66
star
7

docker-zeek

Run zeek with zeekctl in docker
Shell
44
star
8

smudge

Passive OS detection based on SYN packets without Transmitting any Data
Python
42
star
9

pcap-stats

Learn about a network from a pcap file or reading from an interface
Python
25
star
10

bro-install

An Installation Script for Bro IDS on Debian Based Systems
Shell
19
star
11

zcutter

Extracts fields from zeek logs, compatible with zeek-cut
Python
17
star
12

devprof

Device profile: Define acceptable amounts of traffic for your devices and see a report of outliers.
Python
16
star
13

sniffer-template

Template for building a packet sniffer
Python
15
star
14

zeek-open-connections

Zeek
12
star
15

ipfix-rita

Collect IPFIX / Netflow v9 Records and Ship them to RITA for Analysis
Go
10
star
16

rita-bl

Real Intelligence Threat Analytics -- Blacklist Database
Go
8
star
17

mongo-diff

A Python script for diff'ing mongo databases
Python
8
star
18

zeekcfg

A node.cfg generator for zeekctl
Go
6
star
19

zeek-log-transport

This script ships logs from Zeek to AC-Hunter
Shell
5
star
20

pi_show

Python script/library for displaying text and graphics on Raspberry Pi PiOled Hat
Python
5
star
21

shell-lib

Shell Scripts Used Across ActiveCM Projects
Shell
5
star
22

certificate-issues

Identifies certificate problems from Zeek ssl log files
Shell
5
star
23

pi_project_installer

A support library and set of scripts to simplify installing software on the Raspberry Pi/Raspbian
Shell
5
star
24

rita-blacklist

Real Intelligence Threat Analytics -- Blacklist Database
Go
5
star
25

mgosec

A Small Helper Library For Securing MongoDB Connections with Golang
Go
4
star
26

bro-rita

A bro plugin for writing log data to MongoDB for use with RITA
C++
3
star
27

safelist-tools

Tools for working with the safelist (formerly whitelist)
Go
3
star
28

docker-ca

A Docker Image For OpenSSL Certificate Authorities (For Testing)
Shell
2
star
29

pcap-resources

Support files and tools for pcap analysis and packet capture
2
star
30

zeek-log-clean

Delete Zeek log files until disk usage is under a given threshold
Shell
2
star
31

save_json_stream

JSON TCP stream importer for RITA and AC-Hunter
Python
1
star
32

DBTest

Managed Integration Testing Dependencies via Docker for Go
Go
1
star
33

bro-rita-test

Compares bro-rita against rita's built in parsing
Shell
1
star
34

bro-mongodb

C++
1
star