RITA v4.7 releases: Real Intelligence Threat Analytics
Real Intelligence Threat Analytics (RITA) is an open-source framework for network traffic analysis.
The framework ingests Bro Logs, and currently supports the following analysis features:
- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection: Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
- URL Length Analysis: Search for lengthy URLs indicative of malware
- Scanning Detection: Search for signs of port scans in your network
Changelog v4.7
Changes:
- Improved beacon scoring algorithms by filtering out bursty connections (#773, #774)
- Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Web beacons module (#774)
- Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Proxy beacons module (#778)
- Added filter to drop proxied traffic which is entirely on the internal network (#765)
- Added the rita clean command to remove RITA datasets without MetaDB entries (#763)
- Removed FQDN Beacons module due to poor performance (#771)
- Removed per-host DNS command and control analysis due to overflowing document sizes (#762)
- Added better error reporting to the install script. Removed support for Ubuntu 18 and Debian 10. (#776)
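To make the beacon-scoring and bursty-connection points concrete, here is a small added illustration (not RITA's own code, and not its scoring algorithm) that scores source/destination pairs from a Bro/Zeek-style conn.log by the regularity of their connection intervals. The log excerpt, the column names it reads (ts, id.orig_h, id.resp_h), the 1-second burst window and the minimum-interval threshold are all constructed assumptions for the example. It shows why a burst filter matters: a handful of rapid-fire connections with near-identical sub-second gaps would otherwise score as a near-perfect beacon.

```python
"""Toy interval-regularity beacon scorer over a constructed conn.log excerpt.

Added illustration only: this is not RITA's code or algorithm. It demonstrates
the idea of scoring connection-interval regularity, and why bursts of
connections (many within about a second) are collapsed before scoring.
"""
from collections import defaultdict
from statistics import median

MIN_INTERVALS = 4  # assumption: fewer gaps than this is not enough evidence to score

# Constructed conn.log-style rows: (ts, id.orig_h, id.resp_h).
# 10.0.0.5 -> 203.0.113.7: a connection roughly every 60 s (beacon-like).
# 10.0.0.3 -> 192.0.2.10: irregular gaps, like ordinary browsing.
# 10.0.0.9 -> 198.51.100.2: two bursts of 8 connections 0.1 s apart, 500 s apart.
_ROWS = [
    ("1700000000.000", "10.0.0.5", "203.0.113.7"),
    ("1700000060.200", "10.0.0.5", "203.0.113.7"),
    ("1700000119.900", "10.0.0.5", "203.0.113.7"),
    ("1700000180.300", "10.0.0.5", "203.0.113.7"),
    ("1700000240.100", "10.0.0.5", "203.0.113.7"),
    ("1700000299.800", "10.0.0.5", "203.0.113.7"),
    ("1700000360.000", "10.0.0.5", "203.0.113.7"),
    ("1700000000.000", "10.0.0.3", "192.0.2.10"),
    ("1700000013.000", "10.0.0.3", "192.0.2.10"),
    ("1700000095.000", "10.0.0.3", "192.0.2.10"),
    ("1700000101.000", "10.0.0.3", "192.0.2.10"),
    ("1700000240.000", "10.0.0.3", "192.0.2.10"),
    ("1700000247.000", "10.0.0.3", "192.0.2.10"),
    ("1700000590.000", "10.0.0.3", "192.0.2.10"),
]
_ROWS += [(f"{1700000000 + b * 500 + i * 0.1:.3f}", "10.0.0.9", "198.51.100.2")
          for b in range(2) for i in range(8)]
CONN_LOG = "#fields\tts\tid.orig_h\tid.resp_h\n" + "\n".join("\t".join(r) for r in _ROWS) + "\n"


def parse_conn_log(text):
    """Return {(orig_h, resp_h): [ts, ...]} from a TSV log with a #fields header line."""
    fields = None
    flows = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        row = dict(zip(fields, line.split("\t")))
        flows[(row["id.orig_h"], row["id.resp_h"])].append(float(row["ts"]))
    return flows


def collapse_bursts(timestamps, window):
    """Keep one timestamp per burst: drop any within `window` seconds of the last kept one."""
    kept = []
    for ts in sorted(timestamps):
        if not kept or ts - kept[-1] >= window:
            kept.append(ts)
    return kept


def interval_score(timestamps):
    """Regularity of gaps between connections: 1.0 means every gap equals the median gap.

    Uses 1 - MAD/median of the gaps; returns None when there are too few gaps.
    """
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < MIN_INTERVALS:
        return None
    med = median(gaps)
    if med <= 0:
        return None
    mad = median([abs(g - med) for g in gaps])
    return max(0.0, 1.0 - mad / med)


def score_pairs(text, burst_window=None):
    """Score every (orig, resp) pair; with burst_window set, bursts are collapsed first."""
    scores = {}
    for pair, ts in parse_conn_log(text).items():
        if burst_window is not None:
            ts = collapse_bursts(ts, burst_window)
        scores[pair] = interval_score(ts)
    return scores


if __name__ == "__main__":
    for label, window in (("no burst filter", None), ("1 s burst filter", 1.0)):
        print(f"--- {label} ---")
        for pair, score in sorted(score_pairs(CONN_LOG, window).items()):
            print(f"{pair[0]:>10} -> {pair[1]:<14} score={score}")
```

Without the burst filter the 10.0.0.9 pair scores above 0.99 because its sub-second gaps are almost identical; with a 1-second window the two bursts collapse to two events, leaving too few gaps to score, while the 60-second pair still scores near 1.0 and the irregular pair scores low.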
Bug Fixes:
- Stop host aggregation phase if there aren’t any local hosts (#761)
- Check if a max analysis subdocument has already been inserted into the target host's dat collection before updating or inserting (#764)
- Fix strobes from overflooding database documents when strobing is cumulative (#767)
- Ensure bulk writes don’t break 16MB limit (#770)
Installation
- Download the latest install.sh file from the release page
- Make the installer executable: chmod +x ./install.sh
- Run the installer: sudo ./install.sh
- Start MongoDB: sudo service mongod start
API Keys
RITA relies on the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free, and only requires a Google account.
To obtain an API key:
- Go to the Google cloud platform console.
- From the projects list, select a project or create a new one.
- If the API Manager page is not already open, open the left side menu and select the API Manager.
- On the left, choose Credentials.
- Click Create credentials and then select the API key.
- Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
- On the left, choose Library.
- Search for Safe Browsing.
- Click on Google Safe Browsing API.
- Near the top, click Enable.
Use
Source: https://github.com/activecm/