-
Notifications
You must be signed in to change notification settings - Fork 521
RITA
Please note! This wiki is no longer maintained. Our documentation has moved to https://securityonion.net/docs/. Please update your bookmarks. You can find the latest version of this page at: https://securityonion.net/docs/RITA.
From: https://github.com/activecm/rita
RITA is an open source framework for network traffic analysis.
The framework ingests Bro Logs, and currently supports the following analysis features:
Beaconing: Search for signs of beaconing behavior in and out of your network DNS Tunneling Search for signs of DNS based covert channels Blacklisted: Query blacklists to search for suspicious domains and hosts URL Length Analysis: Search for lengthy URLs indicative of malware Scanning: Search for signs of port scans in your network
We can add RITA to Security Onion to enhance its current capabilities and leverage the great work from the folks at Active Countermeasures. They've done a fantastic job of allowing RITA to be easy to integrate with Security Onion.
Please keep in mind we do not officially support RITA, so installation is at your own risk.
Additionally, RITA currently only supports use of Bro logs in TSV format. If you ware running the latest version of Security Onion, you will need to switch from JSON to TSV format by following the steps here:
https://github.com/Security-Onion-Solutions/security-onion/wiki/Bro#tsv
To install RITA on Security Onion:
Download the install script:
wget https://raw.githubusercontent.com/activecm/rita/master/install.sh
Make the installer executable:
chmod +x install.sh
Run the installer:
sudo ./install.sh
Start MongoDB:
sudo service mongod start
You can then import logs with:
rita import /nsm/bro/logs dataset1
Then have RITA analyze the imported data:
rita analyze
To see the most visited URLs:
rita show-most-visited-urls dataset1
To see long connections, type:
rita show-long-connections dataset1
To see beacons, type:
rita show-beacons dataset1
Finally, you can issue an HTML report (viewable in browser) by typing:
rita html-report
See other available commands with:
rita --help
If you don't want to specify your the path for your Bro logs, you'll want to change the value for ImportDirectory
in /etc/rita/config.yaml
to /nsm/bro/logs
.
For additional information, see:
https://github.com/activecm/rita
- Introduction
- Use Cases
- Hardware Requirements
- Release Notes
- Download/Install
- Booting Issues
- After Installation
- UTC and Time Zones
- Services
- VirtualBox Walkthrough
- VMWare Walkthrough
- Videos
- Architecture
- Cheat Sheet
- Conference
- Elastic Stack
- Elastic Architecture
- Elasticsearch
- Logstash
- Kibana
- ElastAlert
- Curator
- FreqServer
- DomainStats
- Docker
- Redis
- Data Fields
- Beats
- Pre-Releases
- ELSA to Elastic
- Network Configuration
- Proxy Configuration
- Firewall/Hardening
- Email Configuration
- Integrating with other systems
- Changing IP Addresses
- NTP
- Managing Alerts
- Managing Rules
- Adding Local Rules
- Disabling Processes
- Filtering with BPF
- Adjusting PF_RING for traffic
- MySQL Tuning
- Adding a new disk
- High Performance Tuning
- Trimming PCAPs