If you get value out of RITA and would like to go a step further with hunting automation, futuristic visualizations, and data enrichment, take a look at AI-Hunter.
Sponsored by Active Countermeasures.
RITA is an open source framework for network traffic analysis.
The framework ingests Zeek logs (TSV or JSON; see the import section below) and its major features correspond to the analysis commands listed at the end of this page: beacon (C2) detection, blacklisted host and IP checks, DNS analysis for covert channels, long connection and strobe detection, and user agent reporting.
Please see our recommended System Requirements document if you wish to use RITA in a production environment.
RITA provides an install script that works on Ubuntu 18.04 LTS, Ubuntu 16.04 LTS, Security Onion, and CentOS 7.
Download the latest install.sh file here and make it executable:
chmod +x ./install.sh
Then choose one of the following install methods:
sudo ./install.sh will install RITA as well as supported versions of Zeek and MongoDB. This is suitable if you want to get started as quickly as possible or you don't already have Zeek or MongoDB.
sudo ./install.sh --disable-zeek --disable-mongo will install RITA only, without Zeek or MongoDB. You may also use these flags individually.
To install each component of RITA manually, see here.
See this guide for upgrade instructions.
RITA's config file is located at /etc/rita/config.yaml, though you can specify a custom path on individual commands with the -c command line flag.
The Filtering: InternalSubnets section must be configured or you will not see any results in certain modules (e.g. beacons, long connections). If your network uses the standard RFC 1918 internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) you don't need to do anything, as the default InternalSubnets section already contains them. Otherwise, adjust this section to match your environment. RITA's main purpose is to find the signs of a compromised internal system talking to an external system, so it automatically excludes internal-to-internal and external-to-external connections from parts of the analysis.
You may also wish to change the default for the following option:
Filtering: AlwaysInclude - Ranges listed here are exempt from the filtering applied by the InternalSubnets setting. The main use for this is to include internal DNS servers so that you can see the source of any DNS queries made.
Note that any value listed in the Filtering section should be in CIDR format, so a single IP of 192.168.1.1 would be written as 192.168.1.1/32.
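The two Filtering keys described above, with the single-host CIDR rule enforced, as an added example (this is not code from the RITA project). The key names InternalSubnets and AlwaysInclude come from the text; the YAML nesting and indentation, and the helper names to_cidr and render_filtering, are assumptions made here, so compare the output with your installed /etc/rita/config.yaml before pasting it in.

```shell
# Added example, not from the RITA project: normalise Filtering entries to
# CIDR and render the InternalSubnets / AlwaysInclude keys named above.
# The YAML layout is an assumption about config.yaml; check it against the
# installed file.
set -eu

# Turn a bare host address into a /32 (IPv4) or /128 (IPv6) network and
# reject malformed IPv4 entries. Entries that already carry a prefix length
# pass through unchanged. Only IPv4 syntax is validated here.
to_cidr() {
    local entry="$1"
    case "$entry" in
        */*) ;;                      # already CIDR, e.g. 10.0.0.0/8
        *:*) entry="$entry/128" ;;   # bare IPv6 host
        *)   entry="$entry/32" ;;    # bare IPv4 host, e.g. 192.168.1.1
    esac
    case "$entry" in
        *:*) printf '%s\n' "$entry"; return 0 ;;   # IPv6: not validated further
    esac
    local ip="${entry%/*}" len="${entry##*/}" octet
    case "$len" in ''|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    local IFS=.
    set -- $ip                        # split the dotted quad on '.'
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    printf '%s\n' "$entry"
}

# Emit a Filtering section from space-separated lists of internal subnets
# and always-include hosts; fails if any entry is not valid CIDR.
render_filtering() {
    local internal="$1" always="$2" entry cidr
    echo "Filtering:"
    echo "  InternalSubnets:"
    for entry in $internal; do
        cidr=$(to_cidr "$entry") || return 1
        echo "    - $cidr"
    done
    echo "  AlwaysInclude:"
    for entry in $always; do
        cidr=$(to_cidr "$entry") || return 1
        echo "    - $cidr"
    done
}

# Usage: RFC 1918 ranges as internal, plus one internal DNS server that
# must be written as a /32:
#   render_filtering "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16" "192.168.1.1"
```

A bare 192.168.1.1 comes out as 192.168.1.1/32, an entry that already has a prefix length is left alone, and anything with a bad octet or prefix length makes render_filtering fail rather than write a config RITA will reject.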
There are two ways to collect the Zeek logs RITA needs:
Option 1: Generate PCAPs outside of Zeek and have Zeek process them into logs
Option 2: Install Zeek and let it monitor an interface directly
After installing RITA, setting up the InternalSubnets section of the config file, and collecting some Zeek logs, you are ready to begin hunting.
RITA can process TSV, JSON, and JSON streaming Zeek log file formats. These logs can be either plaintext or gzip compressed.
This is the simplest usage and is great for analyzing a collection of Zeek logs in a single directory. If you expect to have more logs to add to the same analysis later see the next section on Rolling Datasets.
rita import path/to/your/zeek_logs dataset_name
Every log file in the supplied directory will be imported into a dataset with the given name. However, files in nested directories will not be processed.
Rolling datasets allow you to progressively analyze log data over a period of time as it comes in.
rita import --rolling /path/to/your/zeek_logs dataset_name
You can make this call repeatedly as new logs are added to the same directory (e.g. every hour).
One common scenario is a rolling dataset that imports new logs every hour and always holds the last 24 hours of logs. Typically, Zeek writes its logs to /opt/zeek/logs/<date>, so the directory changes every day. To accommodate this, use the following command in a cron job or other task scheduler that runs once per hour:
rita import --rolling /opt/zeek/logs/$(date --date='-1 hour' +\%Y-\%m-\%d)/ dataset_name
The -1 hour offset selects the directory holding the hour that just finished, so a run shortly after midnight still imports the previous day's directory. The backslashes before each % are needed only inside a crontab entry, where an unescaped % is treated as a newline; drop them if you run the command from an interactive shell.
RITA cycles data into and out of rolling databases in "chunks". Think of each chunk as one hour, with the default of 24 chunks per dataset, so the most recent 24 hours of data are always available. Chunks are generic enough to accommodate non-default Zeek logging configurations or data retention times as well. See the Rolling Datasets documentation for advanced options.
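The hourly cron job described above, wrapped so the day boundary and a missing log directory are handled explicitly, as an added example (not a script shipped with RITA). It assumes GNU date (for -d "@epoch") and the /opt/zeek/logs/<YYYY-MM-DD>/ layout; the variable names ZEEK_LOG_ROOT and RITA_BIN and the function names are introduced here so the path and binary can be overridden for testing.

```shell
# Added example, not RITA's own script: cron-friendly wrapper for the hourly
# rolling import. Assumes GNU date and the /opt/zeek/logs/<date>/ layout.
# ZEEK_LOG_ROOT and RITA_BIN are names introduced here (assumptions).
set -eu

ZEEK_LOG_ROOT="${ZEEK_LOG_ROOT:-/opt/zeek/logs}"
RITA_BIN="${RITA_BIN:-rita}"

# Directory holding the hour *before* the given epoch, in the host's local
# time zone (the one Zeek uses to name its dated directories). Importing the
# previous hour rather than the current one matters for two reasons: the
# hour in progress is still being written, and at 00:xx the just-finished
# hour lives in yesterday's directory, not today's.
prev_hour_log_dir() {
    local now_epoch="$1" day
    day=$(date -d "@$((now_epoch - 3600))" +%Y-%m-%d)
    printf '%s/%s/\n' "$ZEEK_LOG_ROOT" "$day"
}

# Rolling import of the previous hour. Returns 2 without invoking rita when
# the directory is missing, so cron reports the gap instead of a silent
# no-op import.
import_prev_hour() {
    local dataset="$1" now_epoch="${2:-$(date +%s)}" dir
    dir=$(prev_hour_log_dir "$now_epoch")
    if [ ! -d "$dir" ]; then
        echo "no Zeek log directory at $dir" >&2
        return 2
    fi
    "$RITA_BIN" import --rolling "$dir" "$dataset"
}

# Usage from a script run once per hour by cron:
#   import_prev_hour dataset_name
```

Because the function builds the directory name from an epoch rather than from "now", the midnight case can be checked directly: 00:30 on 2 January resolves to the 1 January directory, which is exactly what the date --date='-1 hour' expression in the crontab line above does.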
show-databases: Print the datasets currently stored
show-beacons: Print hosts which show signs of C2 software
show-bl-hostnames: Print blacklisted hostnames which received connections
show-bl-source-ips: Print blacklisted IPs which initiated connections
show-bl-dest-ips: Print blacklisted IPs which received connections
show-exploded-dns: Print DNS analysis, exposing covert DNS channels
show-long-connections: Print long connections and relevant information
show-strobes: Print connections which occurred with excessive frequency
show-useragents: Print user agent information
Each of the show commands accepts the following options:
-d [DELIM] delimits the data by [DELIM] instead of a comma, for example:
rita show-beacons -d "---" dataset_name
-H displays the data in a human readable format; piping the output through less -S prevents line wrapping, for example:
rita show-beacons dataset_name -H | less -S
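The delimited output form exists so the results can be fed to other tools; the human readable form (-H) is for reading. As an added example that is not part of RITA, the filter below takes show-beacons output produced with -d ';' and keeps only rows at or above a score threshold. It assumes the first three columns are the beacon score, source IP and destination IP; the sample rows are constructed for the example, not real RITA output, and use TEST-NET addresses.

```shell
# Added example, not part of RITA: triage show-beacons output on the command
# line. Assumes columns 1-3 of `rita show-beacons -d ';'` are Score, Source
# IP and Destination IP; the sample rows below are constructed, not real.
set -eu

# Keep rows whose numeric first column is at or above the threshold and
# print "score src dst", highest score first. Header or non-numeric rows
# are skipped, so the filter works whether or not a header line is present.
top_beacons() {
    local threshold="$1"
    awk -F';' -v min="$threshold" '
        $1 !~ /^[0-9]+(\.[0-9]+)?$/ { next }
        $1 + 0 >= min { printf "%s %s %s\n", $1, $2, $3 }
    ' | LC_ALL=C sort -k1,1 -n -r
}

# Constructed sample in the -d ';' shape (TEST-NET destinations, not real hosts).
sample_beacons() {
    cat <<'EOF'
Score;Source IP;Destination IP;Connections
0.998;10.55.100.111;203.0.113.15;1356
0.512;10.55.182.100;198.51.100.7;48
0.871;10.55.200.10;192.0.2.50;302
EOF
}

# Real use: rita show-beacons -d ';' dataset_name | top_beacons 0.8
```

A single-character delimiter such as ';' keeps the awk field split simple; the default comma also works but collides with any field that itself contains commas, which is the reason the -d flag is there.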
Please create an issue on GitHub if you have any questions or concerns.
To contribute to RITA visit our Contributing Guide
GNU GPL V3 © Active Countermeasures ™