RITA is an open source framework for network traffic analysis.
The framework ingests Bro/Zeek Logs in TSV format, and currently supports the following major features:
- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
The automatic installer is officially supported on Ubuntu 16.04 LTS, Security Onion*, and CentOS 7
- Download the latest
install.shfile from the release page
- Make the installer executable:
chmod +x ./install.sh
- Run the installer:
* Please see the Security Onion RITA wiki page for further information pertaining to using RITA on Security Onion.
To install each component of RITA by hand, check out the instructions in the docs.
See this guide for upgrade instructions.
- Operating System – The preferred platform is 64-bit Ubuntu 16.04 LTS. The system should be patched and up to date using apt-get.
- Processor (when installed alongside Bro/Zeek) – Two cores plus an additional core for every 100 Mb of traffic being captured. (three cores minimum). This should be dedicated hardware, as resource congestion with other VMs can cause packets to be dropped or missed.
- Memory – 16GB minimum. 64GB if monitoring 100Mb or more of network traffic. 128GB if monitoring 1Gb or more of network traffic.
- Storage – 300GB minimum. 1TB or more is recommended to reduce log maintenance.
- Network – In order to capture traffic with Bro/Zeek, you will need at least 2 network interface cards (NICs). One will be for management of the system and the other will be the dedicated capture port. Intel NICs perform well and are recommended.
RITA’s config file is located at
/etc/rita/config.yaml though you can specify a custom path on individual commands with the
-c command line flag.
Filtering: InternalSubnetssection must be configured or you will not see any results in certain modules (e.g. beacons, long connections). If your network uses the standard RFC1918 internal IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) you just need uncomment the default
InternalSubnetssection already in the config file. Otherwise, adjust this section to match your environment. RITA’s main purpose is to find the signs of a compromised internal system talking to an external system and will automatically exclude internal to internal connections and external to external connections from parts of the analysis.
You may also wish to change the defaults for the following option:
Filtering: AlwaysInclude– Ranges listed here are exempt from the filtering applied by the
InternalSubnetssetting. The main use for this is to include internal DNS servers so that you can see the source of any DNS queries made.
Note that any value listed in the
Filtering section should be in CIDR format. So a single IP of
192.168.1.1 would be written as
Obtaining Data (Generating Bro/Zeek Logs):
- Option 1: Generate PCAPs outside of Bro/Zeek
- Option 2: Install Bro/Zeek and let it monitor an interface directly [instructions]
Importing and Analyzing Data With RITA
After installing RITA, setting up the
InternalSubnets section of the config file, and collecting some Bro/Zeek logs, you are ready to begin hunting.
Filtering and whitelisting happens at import time. These optional settings can be found alongside
InternalSubnets in the configuration file.
RITA will process Bro/Zeek TSV logs in both plaintext and gzip compressed formats. Note, if you are using Security Onion or Bro’s JSON log output you will need to switch back to traditional TSV output.
- Option 1: Create a One-Off Dataset
rita import path/to/your/bro_logs dataset_namecreates a dataset from a collection of Bro/Zeek logs in a directory
- Every log file directly in the supplied directory will be imported into a dataset with the given name
- If you import more data into the same dataset, RITA will automatically convert it into a rolling dataset.
- Option 2: Create a Rolling Dataset
- Rolling datasets allow you to progressively analyze log data over a period of time as it comes in.
- You can call rita like this:
rita import --rolling /path/to/your/bro_logsand make this call repeatedly as new logs are generated (e.g. every hour)
- RITA cycles data into and out of rolling databases in “chunks”. You can think of each chunk as one hour, and the default being 24 chunks in a dataset. This gives the ability to always have the most recent 24 hours’ worth of data available. But chunks are generic enough to accommodate non-default Bro logging configurations or data retention times as well.
Please see the above section for the simplest use case of rolling datasets. This section covers the various options you can customize and more complicated use cases.
Each rolling dataset has a total number of chunks it can hold before it rotates data out. For instance, if the dataset currently contains 24 chunks of data and is set to hold a max of 24 chunks then the next chunk to be imported will automatically remove the first chunk before brining the new data in. This will result in a database that still contains 24 chunks. If each chunk contains an hour of data your dataset will have 24 hours of data in it. You can specify the number of chunks manually with
--numchunks when creating a rolling database but if this is omitted RITA will use the
Rolling: DefaultChunks value from the config file.
Likewise, when importing a new chunk you can specify a chunk number that you wish to replace in a dataset with
--chunk. If you leave this off RITA will auto-increment the chunk for you. The chunk must be 0 (inclusive) through the total number of chunks (exclusive). This must be between 0 (inclusive) and the total number of chunks (exclusive). You will get an error if you try to use a chunk number greater or equal to the total number of chunks.
All files and folders that you give RITA to import will be imported into a single chunk. This could be 1 hour, 2 hours, 10 hours, 24 hours, or more. RITA doesn’t care how much data is in each chunk so even though it’s normal for each chunk to represent the same amount of time, each chunk could have a different number of hours of logs. This means that you can run RITA on a regular interval without worrying if systems were offline for a little while or the data was delayed. You might get a little more or less data than you intended but as time passes and new data is added it will slowly correct itself.
Example: If you wanted to have a dataset with a week’s worth of data you could run the following rita command once per day.
rita import --rolling --numchunks 7 /opt/bro/logs/current week-dataset
This would import a day’s worth of data into each chunk and you’d get a week’s in total. After the first 7 days were imported, the dataset would rotate out old data to keep the most recent 7 days’ worth of data. Note that you’d have to make sure new logs were being added to in
/opt/bro/logs/current in this example.
Example: If you wanted to have a dataset with 48 hours of data you could run the following rita command every hour.
rita import --rolling --numchunks 48 /opt/bro/logs/current 48-hour-dataset
Examining Data With RITA
- Use the show-X commands
show-databases: Print the datasets currently stored
show-beacons: Print hosts which show signs of C2 software
show-bl-hostnames: Print blacklisted hostnames which received connections
show-bl-source-ips: Print blacklisted IPs which initiated connections
show-bl-dest-ips: Print blacklisted IPs which received connections
show-exploded-dns: Print dns analysis. Exposes covert dns channels
show-long-connections: Print long connections and relevant information
show-strobes: Print connections which occurred with excessive frequency
show-useragents: Print user agent information
- By default RITA displays data in CSV format
-Hdisplays the data in a human readable format
- Piping the human readable results through
less -Sprevents word wrapping
rita show-beacons dataset_name -H | less -S
- Create a html report with
This is only an educational purposes only I am not responsible for further activities
Join my forum and learn more ethical hacking and penetration testing
Get me at