RITA v4.4 releases: Real Intelligence Threat Analytics

Real Intelligence Threat Analytics (RITA) is an open-source framework for network traffic analysis.

The framework ingests Bro Logs, and currently supports the following analysis features:

• Beaconing Detection: Search for signs of beaconing behavior in and out of your network
• DNS Tunneling Detection Search for signs of DNS based covert channels
• Blacklist Checking: Query blacklists to search for suspicious domains and hosts
• URL Length Analysis: Search for lengthy URLs indicative of malware
• Scanning Detection: Search for signs of port scans in your network

Changelog v4.4

Changes:

• Add timestamp to HTML report templates (#662)
• Use the past 24 hours of data to analyze proxy beacons rather than just the last hour (#690)
• The RITA parser has been updated with a number of performance tweaks (#654, #695)
• Gather IPs for FQDN beacon analysis using DNS lookups from the past 24 hours of data rather than just the last hour (#676, #700)
• Drop stobe limit down to 86400 (#697)
• Add option to configuration file which filters out connections from external hosts to internal hosts (#655)

Bug Fixes:

• Add unique indexes to beaconFQDN and beaconProxy collections (#689)
• Add additional indexes to host collection (#687)
• Prevented duplicate threat intel records from being created in the host collection (#683)
• Fixed a bug where threat intel records in the host collection were not being updated when using rolling imports (#683)
• Fixed a bug where the max beacon score listed in the host collection for a pair of hosts would never decrease when using rolling imports (#683)
• Fixed a bug where rare signature entries might not be added to the host collection due to a race condition (#683)
• Fixed a bug where the connection counts for each host in the host collection were under-counted when using rolling imports (#683)
• Removed unused/ broken code in max duration analysis (#683)

Installation

• Download the latest install.sh file from the release page
• Make the installer executable: chmod +x ./install.sh
• Run the installer: sudo ./install.sh
• Start MongoDB: sudo service mongod start

API Keys

RITA relies on the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free, and only requires a Google account.

To obtain an API key:

• Go to the Google cloud platform console.
• From the projects list, select a project or create a new one.
• If the API Manager page is not already open, open the left side menu and select the API Manager.
• On the left, choose Credentials.
• Click Create credentials and then select the API key.
• Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
• On the left, choose Library.
• Search for Safe Browsing.
• Click on Google Safe Browsing API.
• Near the top, click Enable.

Use

Source: https://github.com/activecm/