Appearance
RITA Real Intelligence Threat Analytics Cheat Sheet
Overview
RITA (Real Intelligence Threat Analytics) is an open-source framework for network traffic analysis that ingests Zeek (formerly Bro) logs and detects indicators of compromise through statistical analysis. It identifies beaconing behavior, DNS tunneling, long connections, and other suspicious network activities commonly associated with advanced persistent threats (APTs).
⚠️ Warning: This tool is intended for authorized network monitoring and security analysis only. Ensure you have proper authorization before analyzing network traffic.
Installation
Ubuntu/Debian Installation
bash
# Add MongoDB repository
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc | sudo apt-key add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
# Update package list
sudo apt update
# Install MongoDB
sudo apt install -y mongodb-org
# Start MongoDB service
sudo systemctl start mongod
sudo systemctl enable mongod
# Install RITA
wget https://github.com/activecm/rita/releases/download/v4.8.0/rita
chmod +x rita
sudo mv rita /usr/local/bin/
# Verify installation
rita --versionDocker Installation
bash
# Clone RITA repository
git clone https://github.com/activecm/rita.git
cd rita
# Build Docker containers
docker-compose up -d
# Run RITA in container
docker-compose exec rita rita --versionManual Installation
bash
# Install Go (if not already installed)
wget https://golang.org/dl/go1.19.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build RITA
git clone https://github.com/activecm/rita.git
cd rita
make install
# Copy binary to system path
sudo cp rita /usr/local/bin/Configuration
Initial Setup
bash
# Create RITA configuration directory
sudo mkdir -p /etc/rita
# Generate default configuration
rita test-config
# Copy configuration file
sudo cp etc/rita.yaml /etc/rita/config.yaml
# Edit configuration
sudo nano /etc/rita/config.yamlConfiguration File Structure
yaml
# /etc/rita/config.yaml
MongoDB:
ConnectionString: mongodb://localhost:27017
AuthenticationMechanism: ""
SocketTimeout: 2
TLS:
Enable: false
VerifyCertificate: false
CAFile: ""
LogLevel: 2
LogPath: "/var/lib/rita/logs"
Rolling:
DefaultChunks: 24
Filtering:
AlwaysInclude: []
NeverInclude: []
InternalSubnets: []
UserInterface:
DefaultResultLimit: 1000
Blacklisted:
feodo.abuse.ch: true
malwaredomainlist.com: true
BeaconSNI:
DefaultConnectionThresh: 20
DNS:
DefaultConnectionThresh: 20
Strobe:
ConnectionLimit: 250000Database Configuration
bash
# Test MongoDB connection
mongo --eval "db.runCommand({connectionStatus : 1})"
# Create RITA database user (optional)
mongo admin --eval "
db.createUser({
user: 'rita_user',
pwd: 'secure_password',
roles: [
{role: 'readWrite', db: 'rita'},
{role: 'readWrite', db: 'MetaDatabase'}
]
})
"
# Update config for authentication
sudo nano /etc/rita/config.yaml
# Add authentication details to MongoDB sectionBasic Usage
Command Structure
bash
# Basic syntax
rita [command] [options]
# Get help
rita --help
rita [command] --help
# Check version
rita --versionAvailable Commands
| Command | Description |
|---|---|
import | Import Zeek logs into RITA database |
analyze | Analyze imported data for threats |
show-databases | List available databases |
show-beacons | Display beacon analysis results |
show-strobes | Display strobe analysis results |
show-dns | Display DNS analysis results |
show-blacklisted | Display blacklisted connections |
show-useragents | Display user agent analysis |
show-long-connections | Display long connection analysis |
delete | Delete database |
test-config | Test configuration file |
Data Import and Analysis
Importing Zeek Logs
bash
# Import single log directory
rita import /path/to/zeek/logs dataset_name
# Import with specific time range
rita import --rolling /path/to/zeek/logs dataset_name
# Import compressed logs
rita import /path/to/zeek/logs.tar.gz dataset_name
# Import with custom chunk size
rita import --chunk-size 1000000 /path/to/zeek/logs dataset_name
# Import and analyze immediately
rita import --analyze /path/to/zeek/logs dataset_nameRunning Analysis
bash
# Analyze imported dataset
rita analyze dataset_name
# Analyze with custom parameters
rita analyze --threads 4 dataset_name
# Analyze specific modules only
rita analyze --beacon --dns dataset_name
# Force re-analysis
rita analyze --force dataset_nameDatabase Management
bash
# List all databases
rita show-databases
# Show database information
rita show-databases --details
# Delete database
rita delete dataset_name
# Delete multiple databases
rita delete dataset1 dataset2 dataset3Threat Detection Modules
Beacon Detection
bash
# Show beacon analysis results
rita show-beacons dataset_name
# Show top beacons with details
rita show-beacons --limit 20 dataset_name
# Show beacons for specific source
rita show-beacons --src 192.168.1.100 dataset_name
# Export beacon results to CSV
rita show-beacons --csv dataset_name > beacons.csv
# Show beacon details with human-readable format
rita show-beacons --human-readable dataset_nameDNS Analysis
bash
# Show DNS analysis results
rita show-dns dataset_name
# Show DNS tunneling indicators
rita show-dns --limit 50 dataset_name
# Show DNS for specific domain
rita show-dns --domain suspicious.com dataset_name
# Export DNS results
rita show-dns --csv dataset_name > dns_analysis.csv
# Show DNS with subdomain analysis
rita show-dns --subdomain-analysis dataset_nameLong Connection Analysis
bash
# Show long connections
rita show-long-connections dataset_name
# Show connections longer than specific duration
rita show-long-connections --duration 3600 dataset_name
# Show long connections for specific host
rita show-long-connections --src 192.168.1.100 dataset_name
# Export long connections
rita show-long-connections --csv dataset_name > long_connections.csvStrobe Detection
bash
# Show strobe analysis (port scanning)
rita show-strobes dataset_name
# Show strobes with specific threshold
rita show-strobes --limit 10 dataset_name
# Show strobes for specific source
rita show-strobes --src 192.168.1.100 dataset_name
# Export strobe results
rita show-strobes --csv dataset_name > strobes.csvBlacklisted Connections
bash
# Show blacklisted connections
rita show-blacklisted dataset_name
# Show blacklisted with details
rita show-blacklisted --details dataset_name
# Show blacklisted for specific source
rita show-blacklisted --src 192.168.1.100 dataset_name
# Export blacklisted connections
rita show-blacklisted --csv dataset_name > blacklisted.csvUser Agent Analysis
bash
# Show user agent analysis
rita show-useragents dataset_name
# Show rare user agents
rita show-useragents --rare dataset_name
# Show user agents for specific host
rita show-useragents --src 192.168.1.100 dataset_name
# Export user agent analysis
rita show-useragents --csv dataset_name > useragents.csvAdvanced Analysis Techniques
Custom Filtering
bash
# Analyze specific IP ranges
rita import --filter-internal 192.168.0.0/16,10.0.0.0/8 /path/to/logs dataset_name
# Exclude specific networks
rita import --filter-external 8.8.8.8/32 /path/to/logs dataset_name
# Custom time window analysis
rita import --start-time "2023-01-01 00:00:00" --end-time "2023-01-02 00:00:00" /path/to/logs dataset_nameThreat Hunting Queries
bash
# Find potential C2 beacons with high confidence
rita show-beacons --score-threshold 0.8 dataset_name
# Identify DNS tunneling attempts
rita show-dns --query-length-threshold 50 dataset_name
# Find long-duration connections (potential persistence)
rita show-long-connections --duration 7200 dataset_name
# Detect port scanning activity
rita show-strobes --connection-threshold 100 dataset_nameCross-Dataset Analysis
bash
# Compare multiple datasets
rita show-beacons dataset1 > beacons1.csv
rita show-beacons dataset2 > beacons2.csv
# Find common indicators across datasets
comm -12 <(cut -d',' -f1 beacons1.csv | sort) <(cut -d',' -f1 beacons2.csv | sort)
# Analyze trends over time
for dataset in dataset_day1 dataset_day2 dataset_day3; do
echo "=== $dataset ==="
rita show-beacons --limit 5 $dataset
doneAutomation and Scripting
Automated Analysis Pipeline
bash
#!/bin/bash
LOG_DIR="/var/log/zeek"
DATASET_PREFIX="daily_analysis"
RETENTION_DAYS=30
# Function to process daily logs
process_daily_logs() {
local date=$1
local dataset_name="${DATASET_PREFIX}_${date}"
local log_path="${LOG_DIR}/${date}"
if [ -d "$log_path" ]; then
echo "[+] Processing logs for $date"
# Import logs
rita import "$log_path" "$dataset_name"
# Run analysis
rita analyze "$dataset_name"
# Generate reports
generate_reports "$dataset_name" "$date"
echo "[+] Analysis complete for $date"
else
echo "[-] No logs found for $date"
fi
}
# Function to generate reports
generate_reports() {
local dataset=$1
local date=$2
local report_dir="/var/lib/rita/reports/${date}"
mkdir -p "$report_dir"
# Generate beacon report
rita show-beacons --csv "$dataset" > "${report_dir}/beacons.csv"
# Generate DNS report
rita show-dns --csv "$dataset" > "${report_dir}/dns.csv"
# Generate long connections report
rita show-long-connections --csv "$dataset" > "${report_dir}/long_connections.csv"
# Generate strobe report
rita show-strobes --csv "$dataset" > "${report_dir}/strobes.csv"
# Generate blacklisted report
rita show-blacklisted --csv "$dataset" > "${report_dir}/blacklisted.csv"
# Create summary report
create_summary_report "$dataset" "$report_dir"
}
# Function to create summary report
create_summary_report() {
local dataset=$1
local report_dir=$2
local summary_file="${report_dir}/summary.txt"
echo "RITA Analysis Summary for $dataset" > "$summary_file"
echo "Generated: $(date)" >> "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"
# Count findings
local beacon_count=$(rita show-beacons "$dataset" | wc -l)
local dns_count=$(rita show-dns "$dataset" | wc -l)
local long_conn_count=$(rita show-long-connections "$dataset" | wc -l)
local strobe_count=$(rita show-strobes "$dataset" | wc -l)
local blacklisted_count=$(rita show-blacklisted "$dataset" | wc -l)
echo "Findings Summary:" >> "$summary_file"
echo "- Beacons: $beacon_count" >> "$summary_file"
echo "- DNS Anomalies: $dns_count" >> "$summary_file"
echo "- Long Connections: $long_conn_count" >> "$summary_file"
echo "- Strobes: $strobe_count" >> "$summary_file"
echo "- Blacklisted: $blacklisted_count" >> "$summary_file"
echo "" >> "$summary_file"
# Top findings
echo "Top 5 Beacons:" >> "$summary_file"
rita show-beacons --limit 5 "$dataset" >> "$summary_file"
echo "" >> "$summary_file"
echo "Top 5 DNS Anomalies:" >> "$summary_file"
rita show-dns --limit 5 "$dataset" >> "$summary_file"
}
# Cleanup old datasets
cleanup_old_datasets() {
local cutoff_date=$(date -d "$RETENTION_DAYS days ago" +%Y-%m-%d)
rita show-databases | grep "$DATASET_PREFIX" | while read dataset; do
local dataset_date=$(echo "$dataset" | sed "s/${DATASET_PREFIX}_//")
if [[ "$dataset_date" < "$cutoff_date" ]]; then
echo "[+] Deleting old dataset: $dataset"
rita delete "$dataset"
fi
done
}
# Main execution
DATE=${1:-$(date -d "yesterday" +%Y-%m-%d)}
process_daily_logs "$DATE"
cleanup_old_datasetsReal-time Monitoring Script
bash
#!/bin/bash
ZEEK_LOG_DIR="/opt/zeek/logs/current"
RITA_DATASET="realtime_$(date +%Y%m%d_%H%M%S)"
CHECK_INTERVAL=300 # 5 minutes
ALERT_THRESHOLD_BEACONS=10
ALERT_THRESHOLD_DNS=20
# Function to check for new threats
check_threats() {
local dataset=$1
# Check beacon count
local beacon_count=$(rita show-beacons "$dataset" | wc -l)
if [ "$beacon_count" -gt "$ALERT_THRESHOLD_BEACONS" ]; then
send_alert "High beacon activity detected: $beacon_count beacons found"
rita show-beacons --limit 10 "$dataset" | mail -s "RITA Alert: Beacon Activity" security@company.com
fi
# Check DNS anomalies
local dns_count=$(rita show-dns "$dataset" | wc -l)
if [ "$dns_count" -gt "$ALERT_THRESHOLD_DNS" ]; then
send_alert "High DNS anomaly activity: $dns_count anomalies found"
rita show-dns --limit 10 "$dataset" | mail -s "RITA Alert: DNS Anomalies" security@company.com
fi
# Check for blacklisted connections
local blacklisted_count=$(rita show-blacklisted "$dataset" | wc -l)
if [ "$blacklisted_count" -gt 0 ]; then
send_alert "Blacklisted connections detected: $blacklisted_count connections"
rita show-blacklisted "$dataset" | mail -s "RITA Alert: Blacklisted Connections" security@company.com
fi
}
# Function to send alerts
send_alert() {
local message=$1
echo "[ALERT] $(date): $message"
logger "RITA_ALERT: $message"
# Send to SIEM or alerting system
curl -X POST -H "Content-Type: application/json" \
-d "{\"alert\":\"$message\",\"timestamp\":\"$(date -Iseconds)\"}" \
http://siem.company.com/api/alerts
}
# Main monitoring loop
echo "[+] Starting RITA real-time monitoring"
echo "[+] Dataset: $RITA_DATASET"
echo "[+] Check interval: $CHECK_INTERVAL seconds"
while true; do
echo "[+] $(date): Importing latest logs..."
# Import latest logs
rita import "$ZEEK_LOG_DIR" "$RITA_DATASET"
# Run analysis
rita analyze "$RITA_DATASET"
# Check for threats
check_threats "$RITA_DATASET"
echo "[+] $(date): Check complete, sleeping for $CHECK_INTERVAL seconds"
sleep "$CHECK_INTERVAL"
doneThreat Intelligence Integration
bash
#!/bin/bash
# Function to update threat intelligence feeds
update_threat_feeds() {
local config_file="/etc/rita/config.yaml"
local temp_config="/tmp/rita_config_temp.yaml"
echo "[+] Updating threat intelligence feeds..."
# Download latest IOCs
wget -q -O /tmp/feodo_tracker.txt "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
wget -q -O /tmp/malware_domains.txt "http://www.malwaredomainlist.com/hostslist/hosts.txt"
# Update RITA configuration with new feeds
cp "$config_file" "$temp_config"
# Add new blacklisted domains/IPs
python3 << EOF
import yaml
import requests
# Load current config
with open('$temp_config', 'r') as f:
config = yaml.safe_load(f)
# Update blacklisted section
if 'Blacklisted' not in config:
config['Blacklisted'] = {}
# Add Feodo tracker IPs
with open('/tmp/feodo_tracker.txt', 'r') as f:
for line in f:
ip = line.strip()
if ip and not ip.startswith('#'):
config['Blacklisted'][ip] = True
# Save updated config
with open('$temp_config', 'w') as f:
yaml.dump(config, f, default_flow_style=False)
EOF
# Backup original and update
cp "$config_file" "${config_file}.backup.$(date +%Y%m%d)"
sudo cp "$temp_config" "$config_file"
echo "[+] Threat intelligence feeds updated"
}
# Function to correlate with external threat intelligence
correlate_with_ti() {
local dataset=$1
local output_dir="/var/lib/rita/ti_correlation"
mkdir -p "$output_dir"
# Extract unique IPs from RITA results
rita show-beacons --csv "$dataset" | cut -d',' -f2 | sort -u > "${output_dir}/beacon_ips.txt"
rita show-dns --csv "$dataset" | cut -d',' -f2 | sort -u > "${output_dir}/dns_domains.txt"
# Check against VirusTotal (requires API key)
if [ ! -z "$VT_API_KEY" ]; then
echo "[+] Checking IPs against VirusTotal..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "x-apikey: $VT_API_KEY" \
"https://www.virustotal.com/vtapi/v2/ip-address/report?apikey=$VT_API_KEY&ip=$ip" \
>> "${output_dir}/vt_ip_results.json"
sleep 1 # Rate limiting
fi
done < "${output_dir}/beacon_ips.txt"
fi
# Check against AbuseIPDB (requires API key)
if [ ! -z "$ABUSEIPDB_API_KEY" ]; then
echo "[+] Checking IPs against AbuseIPDB..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "Key: $ABUSEIPDB_API_KEY" \
-H "Accept: application/json" \
"https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays=90" \
>> "${output_dir}/abuseipdb_results.json"
sleep 1 # Rate limiting
fi
done < "${output_dir}/beacon_ips.txt"
fi
echo "[+] Threat intelligence correlation complete"
}
# Update feeds and run correlation
update_threat_feeds
correlate_with_ti "$1"Integration with Other Tools
Zeek Integration
bash
# Configure Zeek to output logs in RITA-compatible format
# /opt/zeek/share/zeek/site/local.zeek
@load base/protocols/conn
@load base/protocols/dns
@load base/protocols/http
@load base/protocols/ssl
# Enable JSON output for better RITA compatibility
@load policy/tuning/json-logs.zeek
# Custom log rotation for RITA
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocessor = Log::run_rotation_postprocessor_cmd;
redef Log::rotation_postprocessor_cmd = "gzip";ELK Stack Integration
bash
# Logstash configuration for RITA results
# /etc/logstash/conf.d/rita.conf
input {
file {
path => "/var/lib/rita/reports/*/beacons.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_beacons"
}
file {
path => "/var/lib/rita/reports/*/dns.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_dns"
}
}
filter {
if [type] == "rita_beacons" {
csv {
columns => ["source", "destination", "connections", "avg_bytes", "score"]
separator => ","
}
mutate {
convert => {
"connections" => "integer"
"avg_bytes" => "integer"
"score" => "float"
}
}
}
if [type] == "rita_dns" {
csv {
columns => ["query", "source", "query_count", "unique_subdomains"]
separator => ","
}
mutate {
convert => {
"query_count" => "integer"
"unique_subdomains" => "integer"
}
}
}
}
output {
elasticsearch {
hosts => ["localhost:9200"]
index => "rita-%{type}-%{+YYYY.MM.dd}"
}
}Splunk Integration
bash
# Splunk inputs.conf for RITA data
[monitor:///var/lib/rita/reports/*/beacons.csv]
disabled = false
sourcetype = rita:beacons
index = security
[monitor:///var/lib/rita/reports/*/dns.csv]
disabled = false
sourcetype = rita:dns
index = security
# Splunk props.conf for RITA data
[rita:beacons]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = source,destination,connections,avg_bytes,score
[rita:dns]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = query,source,query_count,unique_subdomainsPerformance Optimization
Database Optimization
bash
# MongoDB optimization for RITA
# /etc/mongod.conf
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 8 # Adjust based on available RAM
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
net:
port: 27017
bindIp: 127.0.0.1
# Create indexes for better performance
mongo rita --eval "
db.conn.createIndex({src: 1, dst: 1});
db.dns.createIndex({query: 1, src: 1});
db.http.createIndex({src: 1, dst: 1});
"Resource Management
bash
# Optimize RITA for large datasets
export GOMAXPROCS=8 # Set to number of CPU cores
export GOGC=100 # Garbage collection percentage
# Run analysis with custom memory settings
rita analyze --threads 8 --chunk-size 500000 dataset_name
# Monitor resource usage during analysis
top -p $(pgrep rita)
iostat -x 1Troubleshooting
Common Issues
bash
# MongoDB connection issues
sudo systemctl status mongod
sudo systemctl restart mongod
# Check MongoDB logs
sudo tail -f /var/log/mongodb/mongod.log
# Test RITA configuration
rita test-config
# Check RITA logs
tail -f /var/lib/rita/logs/rita.log
# Verify Zeek log format
head -n 5 /path/to/zeek/logs/conn.logDebug Mode
bash
# Enable debug logging
rita --debug import /path/to/logs dataset_name
# Verbose analysis
rita --verbose analyze dataset_name
# Check database contents
mongo rita --eval "db.stats()"
mongo rita --eval "db.conn.count()"Performance Issues
bash
# Check database size
mongo rita --eval "db.stats().dataSize"
# Optimize database
mongo rita --eval "db.runCommand({compact: 'conn'})"
# Check system resources
free -h
df -h
iostat -x 1 5Best Practices
Data Management
- Regular cleanup: Remove old datasets to manage disk space
- Index optimization: Create appropriate MongoDB indexes
- Log rotation: Implement proper Zeek log rotation
- Backup strategy: Regular backup of RITA databases
- Monitoring: Monitor system resources during analysis
Analysis Strategy
bash
# Phased analysis approach
# Phase 1: Import and basic analysis
rita import /path/to/logs dataset_name
rita analyze dataset_name
# Phase 2: Detailed threat hunting
rita show-beacons --score-threshold 0.7 dataset_name
rita show-dns --query-length-threshold 40 dataset_name
# Phase 3: Correlation and investigation
# Correlate findings with external threat intelligence
# Investigate high-confidence indicatorsOperational Security
bash
# Secure RITA deployment
# 1. Restrict database access
sudo ufw allow from 127.0.0.1 to any port 27017
# 2. Encrypt sensitive data
# Use MongoDB encryption at rest
# 3. Secure log storage
sudo chmod 750 /var/lib/rita
sudo chown rita:rita /var/lib/rita
# 4. Regular updates
sudo apt update && sudo apt upgrade ritaResources
- RITA GitHub Repository
- RITA Documentation
- Active Countermeasures Blog
- Zeek Network Security Monitor
- MongoDB Documentation
This cheat sheet provides a comprehensive reference for using RITA. Always ensure you have proper authorization before conducting network traffic analysis and monitoring.