RITA v2.0.0 releases: Real Intelligence Threat Analytics

Real Intelligence Threat Analytics (RITA) is an open source framework for network traffic analysis.

The framework ingests Bro logs and currently supports the following analysis features:

  • Beaconing Detection: Search for signs of beaconing behaviour in and out of your network
  • DNS Tunneling Detection: Search for signs of DNS based covert channels
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts
  • URL Length Analysis: Search for lengthy URLs indicative of malware
  • Scanning Detection: Search for signs of port scans in your network
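The beaconing feature above looks for hosts that reconnect to the same destination at suspiciously regular intervals. The script below is an added illustration of that idea, not RITA's own code: it parses a constructed Bro conn.log excerpt, groups connections by source/destination pair, and scores how regular the gaps between connections are using the coefficient of variation of the inter-arrival times (the scoring formula and the MIN_CONNECTIONS / threshold values are assumptions for this example, not RITA's algorithm).

```python
"""Beacon scoring over Bro conn.log records (added example, not RITA's code)."""
from collections import defaultdict
from statistics import mean, pstdev

MIN_CONNECTIONS = 5  # assumption: fewer connections are too few to judge regularity

# Constructed Bro conn.log excerpt (tab-separated, reduced to the fields used here).
# 10.0.0.5 -> 203.0.113.7 connects roughly every 60 s (beacon-like);
# 10.0.0.8 -> 198.51.100.20 connects at irregular, human-like gaps.
CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1500000000.000000\t10.0.0.5\t49152\t203.0.113.7\t443\ttcp
1500000060.000000\t10.0.0.5\t49153\t203.0.113.7\t443\ttcp
1500000121.000000\t10.0.0.5\t49154\t203.0.113.7\t443\ttcp
1500000180.000000\t10.0.0.5\t49155\t203.0.113.7\t443\ttcp
1500000240.000000\t10.0.0.5\t49156\t203.0.113.7\t443\ttcp
1500000302.000000\t10.0.0.5\t49157\t203.0.113.7\t443\ttcp
1500000362.000000\t10.0.0.5\t49158\t203.0.113.7\t443\ttcp
1500000421.000000\t10.0.0.5\t49159\t203.0.113.7\t443\ttcp
1500000005.000000\t10.0.0.8\t50001\t198.51.100.20\t443\ttcp
1500000030.000000\t10.0.0.8\t50002\t198.51.100.20\t443\ttcp
1500000035.000000\t10.0.0.8\t50003\t198.51.100.20\t443\ttcp
1500000920.000000\t10.0.0.8\t50004\t198.51.100.20\t443\ttcp
1500000935.000000\t10.0.0.8\t50005\t198.51.100.20\t443\ttcp
1500003600.000000\t10.0.0.8\t50006\t198.51.100.20\t443\ttcp
"""


def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h) from conn.log text that carries a #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split("\t")))
        yield float(rec["ts"]), rec["id.orig_h"], rec["id.resp_h"]


def beacon_scores(text, min_connections=MIN_CONNECTIONS):
    """Return {(orig_h, resp_h): score}; 1.0 means perfectly regular gaps, 0.0 means none."""
    by_pair = defaultdict(list)
    for ts, orig, resp in parse_conn_log(text):
        by_pair[(orig, resp)].append(ts)

    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()  # the log is not guaranteed to be ordered per pair
        gaps = [later - earlier for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg == 0:  # all connections at the same instant: not a timed beacon
            continue
        cv = pstdev(gaps) / avg  # coefficient of variation: small means regular
        scores[pair] = max(0.0, 1.0 - cv)
    return scores


def flag_beacons(text, threshold=0.9):
    """Pairs whose regularity score reaches the (assumed) threshold, sorted."""
    return sorted(pair for pair, s in beacon_scores(text).items() if s >= threshold)


if __name__ == "__main__":
    for pair, score in sorted(beacon_scores(CONN_LOG).items()):
        print(f"{pair[0]} -> {pair[1]}: score {score:.3f}")
    print("flagged:", flag_beacons(CONN_LOG))
```

On the constructed data the 60-second caller scores about 0.98 and the irregular pair scores 0.0, so only the first pair is flagged. In production a detector also weighs the number of connections and the spread of transferred bytes, since a fixed-size payload on a fixed timer is a stronger signal than timing alone.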

Changelog v2.0.0

Changes:

  • Added bro to path by default (no prompt) (#321)
  • Implement default config values (#329)
  • Move hard-coded connection limit to config file (#311)
  • Added strobes display to command line and html reporting (#320)
  • Update blacklisted analysis (#310)
  • Made blacklist database configurable (#310)
  • Updated analysis, reset, and delete commands (#324)
  • Added NeverInclude to Filtering config section which allows for whitelisting (#328)
  • Enabling NeverInclude values by default (#336)
  • Change Logging directory structure (#339)
  • Create config options for disabling modules (#342)
  • Refuse to run import if InternalSubnets is not configured (#341)
  • InternalSubnets & Upgrading Documentation (#373)
  • Setting local_ Bro values based on InternalSubnets (#350)

Bugfixes:

  • Prevent freqConn collection from being reset (#323)
  • Added total duration field into uconns (#318)
  • Fixed show databases issue (#326)

Config file changes:

  • Added Enabled flags to each section to allow turning analysis modules on or off individually. All are enabled by default.
  • Filtering section added to defaults.
  • Filtering: NeverInclude section added and initialized to safe universal values.
  • Filtering: InternalSubnets section commented out by default. ❗️ IMPORTANT ❗️ This config section must be filled out before RITA will process new data.
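To make the Filtering section concrete, here is an added example (not RITA's code) of the three behaviours the notes describe: refusing to import when InternalSubnets is empty, deriving Bro's local_orig / local_resp values from InternalSubnets, and dropping any connection that touches a NeverInclude range. The subnet lists, the sample connections and the rule that only connections with exactly one internal endpoint are kept are assumptions for this example; the page does not state RITA's exact config keys or default values.

```python
"""InternalSubnets / NeverInclude filtering (added example, not RITA's code)."""
import ipaddress

# Assumed config values standing in for the Filtering section of the config file.
INTERNAL_SUBNETS = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
NEVER_INCLUDE = ["0.0.0.0/32", "127.0.0.0/8", "255.255.255.255/32", "::1/128"]

# Constructed (orig_h, resp_h) pairs covering each filtering outcome.
SAMPLE_CONNS = [
    ("10.0.0.5", "203.0.113.7"),      # internal -> external: kept
    ("10.0.0.5", "10.0.0.9"),         # internal -> internal: dropped
    ("203.0.113.7", "10.0.0.5"),      # external -> internal: kept
    ("10.0.0.5", "127.0.0.1"),        # loopback is in NeverInclude: dropped
    ("198.51.100.1", "203.0.113.2"),  # external -> external: dropped
    ("0.0.0.0", "10.0.0.5"),          # 0.0.0.0 is in NeverInclude: dropped
]


def compile_nets(cidrs):
    """Parse CIDR strings once so membership tests are cheap."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def local_flags(orig_h, resp_h, internal_nets):
    """Bro's local_orig and local_resp, derived from InternalSubnets."""
    return in_any(orig_h, internal_nets), in_any(resp_h, internal_nets)


def filter_connections(conns, internal_subnets, never_include):
    """Return (orig_h, resp_h, local_orig, local_resp) for connections worth analysing."""
    if not internal_subnets:
        # Mirrors the release note: nothing is imported until InternalSubnets is set.
        raise ValueError("InternalSubnets is not configured; refusing to import")
    internal_nets = compile_nets(internal_subnets)
    excluded_nets = compile_nets(never_include)

    kept = []
    for orig_h, resp_h in conns:
        if in_any(orig_h, excluded_nets) or in_any(resp_h, excluded_nets):
            continue  # whitelisted by NeverInclude
        local_orig, local_resp = local_flags(orig_h, resp_h, internal_nets)
        if local_orig != local_resp:  # exactly one internal endpoint (assumption)
            kept.append((orig_h, resp_h, local_orig, local_resp))
    return kept


if __name__ == "__main__":
    for row in filter_connections(SAMPLE_CONNS, INTERNAL_SUBNETS, NEVER_INCLUDE):
        print(row)
```

Running it keeps only the two internal/external pairs, with local_orig and local_resp set per endpoint. Using the ipaddress module also means IPv6 ranges such as ::1/128 are handled by the same code path as IPv4.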

General Notes:

This release adds command aliases and flags to streamline the workflow.

  • reset-analysis -> reset. Added the -f|--force flag to bypass the confirmation prompt.
  • analyze. Added the -r|--reset flag to perform the reset without prompting and then run the analysis.
  • delete-database -> delete. Added the -f|--force flag to bypass the confirmation prompt.

Installation

  • Download the latest install.sh file from the release page
  • Make the installer executable: chmod +x ./install.sh
  • Run the installer: sudo ./install.sh
  • Start MongoDB: sudo service mongod start

API Keys

RITA relies on the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free, and only requires a Google account.

To obtain an API key:

  • Go to the Google Cloud Platform console.
  • From the projects list, select a project or create a new one.
  • If the API Manager page is not already open, open the left side menu and select API Manager.
  • On the left, choose Credentials.
  • Click Create credentials and then select API key.
  • Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
  • On the left, choose Library.
  • Search for Safe Browsing.
  • Click on Google Safe Browsing API.
  • Near the top, click Enable.

Use

Source: https://github.com/activecm/
