RITA Real Intelligence Threat Analytics hoja de trucos
Overview
RITA (Real Intelligence Threat Analytics) is an open-source framework for network Análisis de Tráfico that ingests Zeek (formerly Bro) logs and detects indicators of compromise through statistical analysis. It identifies beaconing behavior, DNS tunneling, long conexións, and other suspicious network activities commonly associated with advanced persistent threats (APTs).
⚠️ Warning: This tool is intended for authorized network monitoring and security analysis only. Ensure you have proper autorización before analyzing network traffic.
instalación
Ubuntu/Debian instalación
# Add MongoDB repository
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc|sudo apt-clave add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse"|sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
# Update package list
sudo apt update
# Install MongoDB
sudo apt install -y mongodb-org
# Start MongoDB servicio
sudo systemctl start mongod
sudo systemctl enable mongod
# Install RITA
wget https://github.com/activecm/rita/releases/download/v4.8.0/rita
chmod +x rita
sudo mv rita /usr/local/bin/
# Verify instalación
rita --version
Docker instalación
# Clone RITA repository
git clone https://github.com/activecm/rita.git
cd rita
# Build Docker containers
docker-compose up -d
# Run RITA in container
docker-compose exec rita rita --version
Manual instalación
# Install Go (if not already installed)
wget https://golang.org/dl/go1.19.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
expuerto PATH=$PATH:/usr/local/go/bin
# Clone and build RITA
git clone https://github.com/activecm/rita.git
cd rita
make install
# Copy binary to system path
sudo cp rita /usr/local/bin/
configuración
Initial Setup
# Create RITA configuración directory
sudo mkdir -p /etc/rita
# Generate default configuración
rita test-config
# Copy configuración file
sudo cp etc/rita.yaml /etc/rita/config.yaml
# Edit configuración
sudo nano /etc/rita/config.yaml
configuración File Structure
# /etc/rita/config.yaml
MongoDB:
conexiónString: mongodb://localhost:27017
autenticaciónMechanism: ""
socketTimeout: 2
TLS:
Enable: false
Verifycertificado: false
CAFile: ""
LogLevel: 2
LogPath: "/var/lib/rita/logs"
Rolling:
DefaultChunks: 24
Filtering:
AlwaysInclude: []
NeverInclude: []
InternalSubnets: []
UserInterface:
DefaultResultLimit: 1000
Blacklisted:
feodo.abuse.ch: true
malwaredomainlist.com: true
BeaconSNI:
DefaultconexiónThresh: 20
DNS:
DefaultconexiónThresh: 20
Strobe:
conexiónLimit: 250000
Database configuración
# Test MongoDB conexión
mongo --eval "db.runcomando(\\\\{conexiónStatus : 1\\\\})"
# Create RITA database user (opciónal)
mongo admin --eval "
db.createUser(\\\\{
user: 'rita_user',
pwd: 'secure_contraseña',
roles: [
\\\\{role: 'readWrite', db: 'rita'\\\\},
\\\\{role: 'readWrite', db: 'MetaDatabase'\\\\}
]
\\\\})
"
# Update config for autenticación
sudo nano /etc/rita/config.yaml
# Add autenticación details to MongoDB section
Basic uso
comando Structure
# Basic sintaxis
rita [comando] [opcións]
# Get help
rita --help
rita [comando] --help
# Check version
rita --version
Available comandos
| | comando | Descripción | |
| --- | --- |
| | impuerto | Impuerto Zeek logs into RITA database | |
| | analyze | Analyze impuertoed data for threats | |
| | show-databases | List available databases | |
| | show-beacons | Display beacon analysis results | |
| | show-strobes | Display strobe analysis results | |
| | show-dns | Display DNS analysis results | |
| | show-blacklisted | Display blacklisted conexións | |
| | show-useragents | Display user agent analysis | |
| | show-long-conexións | Display long conexión analysis | |
| | delete | Delete database | |
| | test-config | Test configuración file | |
Data Impuerto and Analysis
Impuertoing Zeek Logs
# Impuerto single log directory
rita impuerto /path/to/zeek/logs dataset_name
# Impuerto with specific time range
rita impuerto --rolling /path/to/zeek/logs dataset_name
# Impuerto compressed logs
rita impuerto /path/to/zeek/logs.tar.gz dataset_name
# Impuerto with custom chunk size
rita impuerto --chunk-size 1000000 /path/to/zeek/logs dataset_name
# Impuerto and analyze immediately
rita impuerto --analyze /path/to/zeek/logs dataset_name
Running Analysis
# Analyze impuertoed dataset
rita analyze dataset_name
# Analyze with custom parámetros
rita analyze --hilos 4 dataset_name
# Analyze specific modules only
rita analyze --beacon --dns dataset_name
# Force re-analysis
rita analyze --force dataset_name
Database Management
# List all databases
rita show-databases
# Show database information
rita show-databases --details
# Delete database
rita delete dataset_name
# Delete multiple databases
rita delete dataset1 dataset2 dataset3
Threat Detection Modules
Beacon Detection
# Show beacon analysis results
rita show-beacons dataset_name
# Show top beacons with details
rita show-beacons --limit 20 dataset_name
# Show beacons for specific source
rita show-beacons --src 192.168.1.100 dataset_name
# Expuerto beacon results to CSV
rita show-beacons --csv dataset_name > beacons.csv
# Show beacon details with human-readable format
rita show-beacons --human-readable dataset_name
DNS Analysis
# Show DNS analysis results
rita show-dns dataset_name
# Show DNS tunneling indicators
rita show-dns --limit 50 dataset_name
# Show DNS for specific domain
rita show-dns --domain suspicious.com dataset_name
# Expuerto DNS results
rita show-dns --csv dataset_name > dns_analysis.csv
# Show DNS with subdomain analysis
rita show-dns --subdomain-analysis dataset_name
Long conexión Analysis
# Show long conexións
rita show-long-conexións dataset_name
# Show conexións longer than specific duration
rita show-long-conexións --duration 3600 dataset_name
# Show long conexións for specific host
rita show-long-conexións --src 192.168.1.100 dataset_name
# Expuerto long conexións
rita show-long-conexións --csv dataset_name > long_conexións.csv
Strobe Detection
# Show strobe analysis (escaneo de puertos)
rita show-strobes dataset_name
# Show strobes with specific threshold
rita show-strobes --limit 10 dataset_name
# Show strobes for specific source
rita show-strobes --src 192.168.1.100 dataset_name
# Expuerto strobe results
rita show-strobes --csv dataset_name > strobes.csv
Blacklisted conexións
# Show blacklisted conexións
rita show-blacklisted dataset_name
# Show blacklisted with details
rita show-blacklisted --details dataset_name
# Show blacklisted for specific source
rita show-blacklisted --src 192.168.1.100 dataset_name
# Expuerto blacklisted conexións
rita show-blacklisted --csv dataset_name > blacklisted.csv
User Agent Analysis
# Show user agent analysis
rita show-useragents dataset_name
# Show rare user agents
rita show-useragents --rare dataset_name
# Show user agents for specific host
rita show-useragents --src 192.168.1.100 dataset_name
# Expuerto user agent analysis
rita show-useragents --csv dataset_name > useragents.csv
Advanced Analysis Techniques
Custom Filtering
# Analyze specific IP ranges
rita impuerto --filter-internal 192.168.0.0/16,10.0.0.0/8 /path/to/logs dataset_name
# Exclude specific networks
rita impuerto --filter-external 8.8.8.8/32 /path/to/logs dataset_name
# Custom time window analysis
rita impuerto --start-time "2023-01-01 00:00:00" --end-time "2023-01-02 00:00:00" /path/to/logs dataset_name
caza de amenazas Queries
# Find potential C2 beacons with high confidence
rita show-beacons --score-threshold 0.8 dataset_name
# Identify DNS tunneling attempts
rita show-dns --query-length-threshold 50 dataset_name
# Find long-duration conexións (potential persistencia)
rita show-long-conexións --duration 7200 dataset_name
# Detect escaneo de puertos activity
rita show-strobes --conexión-threshold 100 dataset_name
Cross-Dataset Analysis
# Compare multiple datasets
rita show-beacons dataset1 > beacons1.csv
rita show-beacons dataset2 > beacons2.csv
# Find common indicators across datasets
| comm -12 <(cut -d',' -f1 beacons1.csv | sort) <(cut -d',' -f1 beacons2.csv | sort) |
# Analyze trends over time
for dataset in dataset_day1 dataset_day2 dataset_day3; do
echo "=== $dataset ==="
rita show-beacons --limit 5 $dataset
done
Automation and Scripting
Automated Analysis Pipeline
#!/bin/bash
LOG_DIR="/var/log/zeek"
DATASET_PREFIX="daily_analysis"
RETENTION_DAYS=30
# Function to proceso daily logs
proceso_daily_logs() \\\\{
local date=$1
local dataset_name="$\\\\{DATASET_PREFIX\\\\}_$\\\\{date\\\\}"
local log_path="$\\\\{LOG_DIR\\\\}/$\\\\{date\\\\}"
if [ -d "$log_path" ]; then
echo "[+] procesoing logs for $date"
# Impuerto logs
rita impuerto "$log_path" "$dataset_name"
# Run analysis
rita analyze "$dataset_name"
# Generate repuertos
generate_repuertos "$dataset_name" "$date"
echo "[+] Analysis complete for $date"
else
echo "[-] No logs found for $date"
fi
\\\\}
# Function to generate repuertos
generate_repuertos() \\\\{
local dataset=$1
local date=$2
local repuerto_dir="/var/lib/rita/repuertos/$\\\\{date\\\\}"
mkdir -p "$repuerto_dir"
# Generate beacon repuerto
rita show-beacons --csv "$dataset" > "$\\\\{repuerto_dir\\\\}/beacons.csv"
# Generate DNS repuerto
rita show-dns --csv "$dataset" > "$\\\\{repuerto_dir\\\\}/dns.csv"
# Generate long conexións repuerto
rita show-long-conexións --csv "$dataset" > "$\\\\{repuerto_dir\\\\}/long_conexións.csv"
# Generate strobe repuerto
rita show-strobes --csv "$dataset" > "$\\\\{repuerto_dir\\\\}/strobes.csv"
# Generate blacklisted repuerto
rita show-blacklisted --csv "$dataset" > "$\\\\{repuerto_dir\\\\}/blacklisted.csv"
# Create summary repuerto
create_summary_repuerto "$dataset" "$repuerto_dir"
\\\\}
# Function to create summary repuerto
create_summary_repuerto() \\\\{
local dataset=$1
local repuerto_dir=$2
local summary_file="$\\\\{repuerto_dir\\\\}/summary.txt"
echo "RITA Analysis Summary for $dataset" > "$summary_file"
echo "Generated: $(date)" >> "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"
# Count findings
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
local dns_count=$(rita show-dns "$dataset"|wc -l)
local long_conn_count=$(rita show-long-conexións "$dataset"|wc -l)
local strobe_count=$(rita show-strobes "$dataset"|wc -l)
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
echo "Findings Summary:" >> "$summary_file"
echo "- Beacons: $beacon_count" >> "$summary_file"
echo "- DNS Anomalies: $dns_count" >> "$summary_file"
echo "- Long conexións: $long_conn_count" >> "$summary_file"
echo "- Strobes: $strobe_count" >> "$summary_file"
echo "- Blacklisted: $blacklisted_count" >> "$summary_file"
echo "" >> "$summary_file"
# Top findings
echo "Top 5 Beacons:" >> "$summary_file"
rita show-beacons --limit 5 "$dataset" >> "$summary_file"
echo "" >> "$summary_file"
echo "Top 5 DNS Anomalies:" >> "$summary_file"
rita show-dns --limit 5 "$dataset" >> "$summary_file"
\\\\}
# Cleanup old datasets
cleanup_old_datasets() \\\\{
local cutoff_date=$(date -d "$RETENTION_DAYS days ago" +%Y-%m-%d)
| rita show-databases | grep "$DATASET_PREFIX" | while read dataset; do |
local dataset_date=$(echo "$dataset"|sed "s/$\\\\{DATASET_PREFIX\\\\}_//")
if [[ "$dataset_date" ``< "$cutoff_date" ]]; then
echo "[+] Deleting old dataset: $dataset"
rita delete "$dataset"
fi
done
\\\}
# Main execution
DATE=$\\\{1:-$(date -d "yesterday" +%Y-%m-%d)\\\}
proceso_daily_logs "$DATE"
cleanup_old_datasets
Real-time Monitoring Script
#!/bin/bash
ZEEK_LOG_DIR="/opt/zeek/logs/current"
RITA_DATASET="realtime_$(date +%Y%m%d_%H%M%S)"
CHECK_INTERVAL=300 # 5 minutes
ALERT_THRESHOLD_BEACONS=10
ALERT_THRESHOLD_DNS=20
# Function to check for new threats
check_threats() \\\{
local dataset=$1
# Check beacon count
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
if [ "$beacon_count" -gt "$ALERT_THRESHOLD_BEACONS" ]; then
send_alert "High beacon activity detected: $beacon_count beacons found"
rita show-beacons --limit 10 "$dataset"|mail -s "RITA Alert: Beacon Activity" security@company.com
fi
# Check DNS anomalies
local dns_count=$(rita show-dns "$dataset"|wc -l)
if [ "$dns_count" -gt "$ALERT_THRESHOLD_DNS" ]; then
send_alert "High DNS anomaly activity: $dns_count anomalies found"
rita show-dns --limit 10 "$dataset"|mail -s "RITA Alert: DNS Anomalies" security@company.com
fi
# Check for blacklisted conexións
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
if [ "$blacklisted_count" -gt 0 ]; then
send_alert "Blacklisted conexións detected: $blacklisted_count conexións"
rita show-blacklisted "$dataset"|mail -s "RITA Alert: Blacklisted conexións" security@company.com
fi
\\\}
# Function to send alerts
send_alert() \\\{
local message=$1
echo "[ALERT] $(date): $message"
logger "RITA_ALERT: $message"
# Send to SIEM or alerting system
curl -X POST -H "Content-Type: application/json" \
-d "\\\{\"alert\":\"$message\",\"timestamp\":\"$(date -Iseconds)\"\\\}" \
http://siem.company.com/api/alerts
\\\}
# Main monitoring loop
echo "[+] Starting RITA real-time monitoring"
echo "[+] Dataset: $RITA_DATASET"
echo "[+] Check interval: $CHECK_INTERVAL seconds"
while true; do
echo "[+] $(date): Impuertoing latest logs..."
# Impuerto latest logs
rita impuerto "$ZEEK_LOG_DIR" "$RITA_DATASET"
# Run analysis
rita analyze "$RITA_DATASET"
# Check for threats
check_threats "$RITA_DATASET"
echo "[+] $(date): Check complete, sleeping for $CHECK_INTERVAL seconds"
sleep "$CHECK_INTERVAL"
done
Inteligencia de Amenazas Integration
#!/bin/bash
# Function to update Inteligencia de Amenazas feeds
update_threat_feeds() \\\{
local config_file="/etc/rita/config.yaml"
local temp_config="/tmp/rita_config_temp.yaml"
echo "[+] Updating Inteligencia de Amenazas feeds..."
# Download latest IOCs
wget -q -O /tmp/feodo_tracker.txt "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
wget -q -O /tmp/malware_domains.txt "http://www.malwaredomainlist.com/hostslist/hosts.txt"
# Update RITA configuración with new feeds
cp "$config_file" "$temp_config"
# Add new blacklisted domains/IPs
python3 << EOF
impuerto yaml
impuerto requests
# Load current config
with open('$temp_config', 'r') as f:
config = yaml.safe_load(f)
# Update blacklisted section
if 'Blacklisted' not in config:
config['Blacklisted'] = \\\{\\\}
# Add Feodo tracker IPs
with open('/tmp/feodo_tracker.txt', 'r') as f:
for line in f:
ip = line.strip()
if ip and not ip.startswith('#'):
config['Blacklisted'][ip] = True
# Save updated config
with open('$temp_config', 'w') as f:
yaml.dump(config, f, default_flow_style=False)
EOF
# Backup original and update
cp "$config_file" "$\\\{config_file\\\}.backup.$(date +%Y%m%d)"
sudo cp "$temp_config" "$config_file"
echo "[+] Inteligencia de Amenazas feeds updated"
\\\}
# Function to correlate with external Inteligencia de Amenazas
correlate_with_ti() \\\{
local dataset=$1
local output_dir="/var/lib/rita/ti_correlation"
mkdir -p "$output_dir"
# Extract unique IPs from RITA results
| rita show-beacons --csv "$dataset" | cut -d',' -f2 | sort -u >`` "$\\\\{output_dir\\\\}/beacon_ips.txt" |
| rita show-dns --csv "$dataset" | cut -d',' -f2 | sort -u > "$\\\\{output_dir\\\\}/dns_domains.txt" |
# Check against VirusTotal (requires API clave)
if [ ! -z "$VT_API_clave" ]; then
echo "[+] Checking IPs against VirusTotal..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "x-apiclave: $VT_API_clave" \
"https://www.virustotal.com/vtapi/v2/ip-address/repuerto?apiclave=$VT_API_clave&ip;=$ip" \
>> "$\\\\{output_dir\\\\}/vt_ip_results.json"
sleep 1 # Rate limiting
fi
done < "$\\\\{output_dir\\\\}/beacon_ips.txt"
fi
# Check against AbuseIPDB (requires API clave)
if [ ! -z "$ABUSEIPDB_API_clave" ]; then
echo "[+] Checking IPs against AbuseIPDB..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "clave: $ABUSEIPDB_API_clave" \
-H "Accept: application/json" \
"https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays;=90" \
>> "$\\\\{output_dir\\\\}/abuseipdb_results.json"
sleep 1 # Rate limiting
fi
done ``< "$\\\{output_dir\\\}/beacon_ips.txt"
fi
echo "[+] Inteligencia de Amenazas correlation complete"
\\\}
# Update feeds and run correlation
update_threat_feeds
correlate_with_ti "$1"
Integration with Other Tools
Zeek Integration
# Configure Zeek to output logs in RITA-compatible format
# /opt/zeek/share/zeek/site/local.zeek
@load base/protocolos/conn
@load base/protocolos/dns
@load base/protocolos/http
@load base/protocolos/ssl
# Enable JSON output for better RITA compatibility
@load policy/tuning/json-logs.zeek
# Custom log rotation for RITA
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocesoor = Log::run_rotation_postprocesoor_cmd;
redef Log::rotation_postprocesoor_cmd = "gzip";
ELK Stack Integration
# Logstash configuración for RITA results
# /etc/logstash/conf.d/rita.conf
input \\\{
file \\\{
path =>`` "/var/lib/rita/repuertos/*/beacons.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_beacons"
\\\\}
file \\\\{
path => "/var/lib/rita/repuertos/*/dns.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_dns"
\\\\}
\\\\}
filter \\\\{
if [type] == "rita_beacons" \\\\{
csv \\\\{
columns => ["source", "destination", "conexións", "avg_bytes", "score"]
separator => ","
\\\\}
mutate \\\\{
convert => \\\\{
"conexións" => "integer"
"avg_bytes" => "integer"
"score" => "float"
\\\\}
\\\\}
\\\\}
if [type] == "rita_dns" \\\\{
csv \\\\{
columns => ["query", "source", "query_count", "unique_subdomains"]
separator => ","
\\\\}
mutate \\\\{
convert => \\\\{
"query_count" => "integer"
"unique_subdomains" => "integer"
\\\\}
\\\\}
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hosts => ["localhost:9200"]
index => "rita-%\\\\{type\\\\}-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
Splunk Integration
# Splunk inputs.conf for RITA data
[monitor:///var/lib/rita/repuertos/*/beacons.csv]
disabled = false
sourcetype = rita:beacons
index = security
[monitor:///var/lib/rita/repuertos/*/dns.csv]
disabled = false
sourcetype = rita:dns
index = security
# Splunk props.conf for RITA data
[rita:beacons]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = source,destination,conexións,avg_bytes,score
[rita:dns]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = query,source,query_count,unique_subdomains
Performance Optimization
Database Optimization
# MongoDB optimization for RITA
# /etc/mongod.conf
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 8 # Adjust based on available RAM
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
net:
puerto: 27017
bindIp: 127.0.0.1
# Create indexes for better performance
mongo rita --eval "
db.conn.createIndex(\\\\{src: 1, dst: 1\\\\});
db.dns.createIndex(\\\\{query: 1, src: 1\\\\});
db.http.createIndex(\\\\{src: 1, dst: 1\\\\});
"
Resource Management
# Optimize RITA for large datasets
expuerto GOMAXPROCS=8 # Set to number of CPU cores
expuerto GOGC=100 # Garbage collection percentage
# Run analysis with custom memory settings
rita analyze --hilos 8 --chunk-size 500000 dataset_name
# Monitor resource uso during analysis
top -p $(pgrep rita)
iostat -x 1
solución de problemas
Common Issues
# MongoDB conexión issues
sudo systemctl status mongod
sudo systemctl restart mongod
# Check MongoDB logs
sudo tail -f /var/log/mongodb/mongod.log
# Test RITA configuración
rita test-config
# Check RITA logs
tail -f /var/lib/rita/logs/rita.log
# Verify Zeek log format
head -n 5 /path/to/zeek/logs/conn.log
Debug Mode
# Enable debug logging
rita --debug impuerto /path/to/logs dataset_name
# Verbose analysis
rita --verbose analyze dataset_name
# Check database contents
mongo rita --eval "db.stats()"
mongo rita --eval "db.conn.count()"
Performance Issues
# Check database size
mongo rita --eval "db.stats().dataSize"
# Optimize database
mongo rita --eval "db.runcomando(\\\\{compact: 'conn'\\\\})"
# Check system resources
free -h
df -h
iostat -x 1 5
Best Practices
Data Management
- Regular cleanup: Remove old datasets to manage disk space
- Index optimization: Create appropriate MongoDB indexes
- Log rotation: Implement proper Zeek log rotation
- Backup strategy: Regular backup of RITA databases
- Monitoring: Monitor system resources during analysis
Analysis Strategy
# Phased analysis approach
# Phase 1: Impuerto and basic analysis
rita impuerto /path/to/logs dataset_name
rita analyze dataset_name
# Phase 2: Detailed caza de amenazas
rita show-beacons --score-threshold 0.7 dataset_name
rita show-dns --query-length-threshold 40 dataset_name
# Phase 3: Correlation and investigation
# Correlate findings with external Inteligencia de Amenazas
# Investigate high-confidence indicators
Operational Security
# Secure RITA deployment
# 1. Restrict database access
sudo ufw allow from 127.0.0.1 to any puerto 27017
# 2. Encrypt sensitive data
# Use MongoDB cifrado at rest
# 3. Secure log storage
sudo chmod 750 /var/lib/rita
sudo chown rita:rita /var/lib/rita
# 4. Regular updates
sudo apt update && sudo apt upgrade rita
Resources
- RITA GitHub Repository
- RITA documentación
- Active Countermeasures Blog
- Zeek Network Security Monitor
- MongoDB documentación
This hoja de trucos provides a comprehensive reference for using RITA. Always ensure you have proper autorización before conducting network Análisis de Tráfico and monitoring.