**Introduction to the Tool**
RITA is an open-source framework specifically designed for network traffic analysts and testers. Researchers can utilize RITA for in-depth analysis of collected security threat intelligence.
RITA reads Bro/Zeek logs in TSV format and currently supports the following main features:
> 1. Beacon Detection: Identify all beaconing activities within the target network.
> 2. DNS Tunnel Detection: Identify markers for covert communication channels based on DNS.
> 3. Blacklist Detection: Query blacklists to identify suspicious domains and hosts.
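As an added illustration of what "reads Bro/Zeek logs in TSV format" and "beacon detection" mean in practice, the following Python scorer was written for this page; it is not RITA's own code and uses a much simpler heuristic than RITA's. It parses a constructed Zeek `conn.log` by taking column names from the `#fields` header line, groups connections by source/destination pair, and ranks each pair by how regular its connection intervals are (median absolute deviation of the intervals relative to the median interval). The sample log, thresholds and function names are all constructed for this example.

```python
"""Toy beacon scorer over a Zeek conn.log in TSV format.

Added example, not RITA's code. A host that phones home on a fixed timer
produces near-identical gaps between connections; scattered human browsing
does not. RITA's real scoring is considerably richer than this heuristic.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log (not real traffic). Zeek metadata lines start
# with '#'; the '#fields' line names the columns, and values are tab-separated.
# 10.0.0.5 -> 203.0.113.9 connects roughly every 60 s (beacon-like);
# 10.0.0.7 -> 198.51.100.2 connects at irregular intervals.
SAMPLE_CONN_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount
1600000000.000000\tC1\t10.0.0.5\t49152\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t340
1600000060.100000\tC2\t10.0.0.5\t49153\t203.0.113.9\t443\ttcp\tssl\t0.4\t120\t338
1600000119.900000\tC3\t10.0.0.5\t49154\t203.0.113.9\t443\ttcp\tssl\t0.5\t121\t340
1600000180.000000\tC4\t10.0.0.5\t49155\t203.0.113.9\t443\ttcp\tssl\t0.6\t120\t341
1600000240.050000\tC5\t10.0.0.5\t49156\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t339
1600000300.000000\tC6\t10.0.0.5\t49157\t203.0.113.9\t443\ttcp\tssl\t0.5\t120\t340
1600000005.000000\tC7\t10.0.0.7\t50000\t198.51.100.2\t80\ttcp\thttp\t1.0\t500\t9000
1600000017.000000\tC8\t10.0.0.7\t50001\t198.51.100.2\t80\ttcp\thttp\t2.0\t700\t15000
1600000130.000000\tC9\t10.0.0.7\t50002\t198.51.100.2\t80\ttcp\thttp\t0.3\t300\t2000
1600000131.000000\tC10\t10.0.0.7\t50003\t198.51.100.2\t80\ttcp\thttp\t0.2\t300\t2100
1600000290.000000\tC11\t10.0.0.7\t50004\t198.51.100.2\t80\ttcp\thttp\t1.5\t800\t30000
1600000299.000000\tC12\t10.0.0.7\t50005\t198.51.100.2\t80\ttcp\thttp\t0.9\t400\t5000
#close\t2020-09-13-12-05-00
"""


def parse_conn_log(text):
    """Parse Zeek TSV output into a list of dict rows keyed by column name.

    Column names come from the '#fields' line; all other '#' lines are
    metadata and are skipped. Raises if a data row precedes the header.
    """
    fields = None
    rows = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#fields\t"):
                fields = line.split("\t")[1:]
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def beacon_scores(rows, min_connections=5):
    """Score each (orig_h, resp_h) pair on interval regularity, in [0, 1].

    1.0 means every gap between connections equals the median gap; the
    score falls as the gaps become more dispersed. Pairs with too few
    connections are skipped because their statistics are meaningless.
    """
    times = defaultdict(list)
    for r in rows:
        times[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    scores = {}
    for pair, ts in times.items():
        if len(ts) < min_connections:
            continue
        ts.sort()
        intervals = [b - a for a, b in zip(ts, ts[1:])]
        med = median(intervals)
        if med <= 0:
            continue
        mad = median(abs(i - med) for i in intervals)
        scores[pair] = {
            "connections": len(ts),
            "median_interval": med,
            "score": round(max(0.0, 1.0 - mad / med), 3),
        }
    return scores


def flag_beacons(scores, threshold=0.9):
    """Return pairs whose regularity score meets the threshold, best first."""
    flagged = [p for p, s in scores.items() if s["score"] >= threshold]
    return sorted(flagged, key=lambda p: scores[p]["score"], reverse=True)


if __name__ == "__main__":
    result = beacon_scores(parse_conn_log(SAMPLE_CONN_LOG))
    for pair, stats in sorted(result.items(), key=lambda kv: -kv[1]["score"]):
        print(pair, stats)
    print("flagged:", flag_beacons(result))
```

A real analysis would also look at the dispersion of bytes transferred per connection and at the number of connections per hour, since a compromised host can add jitter to its timer; the interval heuristic above only shows the basic shape of the problem RITA's `show-beacons` output addresses.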
**Tool Installation**
# **Automated Installation**
RITA’s automated installer currently supports Ubuntu 16.04 LTS, Security Onion*, and CentOS 7.
1. Download the latest version of the install.sh file from the RITA project’s [**Release Page**].
2. Grant execute permission to the install.sh script:
```bash
chmod +x ./install.sh
```
3. Run the installer:
```bash
sudo ./install.sh
```
For using RITA on the Security Onion platform, please refer to this [article](https://securityonion.net/docs/RITA).
# **Manual Installation**
Build RITA from source:
```bash
go get github.com/activecm/rita
# or clone the repository directly:
# git clone git@github.com:activecm/rita.git
cd $GOPATH/src/github.com/activecm/rita
make
```
Configure the system:
```bash
sudo mkdir /etc/rita && sudo chmod 755 /etc/rita
sudo mkdir -p /var/lib/rita/logs && sudo chmod -R 755 /var/lib/rita
sudo cp $GOPATH/src/github.com/activecm/rita/etc/rita.yaml /etc/rita/config.yaml && sudo chmod 666 /etc/rita/config.yaml
```
Note that mode 666 makes the configuration file world-writable; if only the account that runs RITA needs to edit it, a tighter mode such as 644 with that account as owner is sufficient.
**Using the Tool**
# **System Requirements**
> 1. OS: 64-bit Ubuntu 16.04 LTS, kept up to date with apt-get.
> 2. Processor: At least three cores; resource competition with other VMs may lead to packet loss.
> 3. Memory: At least 16GB RAM; 64GB RAM for monitoring traffic over 100MB; 128GB RAM for over 1GB of network traffic.
> 4. Storage: At least 300GB, with 1TB or more recommended.
> 5. Network: At least two NICs are needed when integrating with Bro/Zeek, one for system management, and another for port traffic capture.
# **Configuration File**
`Filtering: InternalSubnets` must be set before any analysis results are shown. If your network uses the standard RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), uncomment the InternalSubnets entries in the configuration file and adjust them to your environment. RITA's primary goal is to identify communication between compromised internal systems and external systems, so traffic between two internal endpoints is filtered out automatically.
Besides `Filtering: InternalSubnets`, you may also need to configure `Filtering: AlwaysInclude`, a whitelist of addresses that are kept in the analysis even when the filters would otherwise exclude them.
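An added example of the two filtering settings just described, written for this page rather than taken from the project; the key names `Filtering`, `InternalSubnets` and `AlwaysInclude` come from the text above, while the exact indentation, the path `/etc/rita/config.yaml` (from the installation steps) and the addresses are assumptions, with the AlwaysInclude entry being a constructed placeholder for something like an internal DNS server whose traffic you want scored anyway:

```yaml
# /etc/rita/config.yaml (excerpt, layout assumed)
Filtering:
  # Connections where both ends fall inside InternalSubnets are dropped
  # from analysis; only internal <-> external pairs are scored.
  # Uncomment and adjust these to match your address plan.
  InternalSubnets:
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
  # Addresses listed here stay in the results even when the rule above
  # would filter them out. Constructed example value.
  AlwaysInclude:
    - 192.0.2.53/32
```

Leaving InternalSubnets commented out is the most common reason a freshly imported dataset shows no results at all, so check this block first when the show-X commands return nothing.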
# **Acquiring Data (Generating Bro/Zeek Logs)**
Option 1: Generate PCAP
Use a packet-sniffing tool to generate PCAP files, such as **tcpdump** or **wireshark**.
(Optional) Merge multiple PCAP files into a single file:
```bash
mergecap -w outFile.pcap inFile1.pcap inFile2.pcap
```
Then run Bro/Zeek over the PCAP file to produce the logs RITA reads:
```bash
bro -r pcap_to_log.pcap local "Log::default_rotation_interval = 1 day"
```
Option 2: Install Bro/Zeek and directly monitor the target interface.
For performance reasons you may want to compile Bro/Zeek from source; this script can handle the compilation automatically.
By default the RITA automated installer installs a precompiled Bro/Zeek; to skip that step, pass the `--disable-bro` parameter when running the installer.
**Usage Example**
To analyse a rolling week of data (one chunk per day), import the current logs as a rolling dataset with seven chunks:
```bash
rita import --rolling --numchunks 7 /opt/bro/logs/current week-dataset
```
To analyse a rolling 48-hour window (one chunk per hour), use 48 chunks instead:
```bash
rita import --rolling --numchunks 48 /opt/bro/logs/current 48-hour-dataset
```
**Using RITA Test Data**
# **Using show-X Commands:**
> 1. show-databases: List the currently stored datasets.
> 2. show-beacons: Print a list of hosts showing C2 signatures.
> 3. show-bl-hostnames: Print the blacklisted hostnames that received connections.
> 4. show-bl-source-ips: Print the blacklisted IP addresses that initiated connections.
> 5. show-bl-dest-ips: Print the blacklisted IP addresses that received connections.
> 6. show-exploded-dns: Print DNS analysis results, showing covert DNS channels.
> 7. show-long-connections: Print long connections and related information.
> 8. show-strobes: Print high-frequency connections.
> 9. show-useragents: Print user agent information.
# **Displaying Data in CSV/HTML Format:**
> 1. -H: Display data in a human-readable format.
> 2. html-report: Generate an HTML report.
**Project Address**
> RITA: [https://github.com/activecm/rita](https://github.com/activecm/rita)
# **License Agreement**
The RITA project follows the GNU GPL v3 open-source license agreement.
**Note: Translated content was derived from sources, including activecm, FB contributor Alpha_h4ck compilation. Attribution required from FreeBuf.COM**