RITA Real Intelligence Threat Analytics aide-mémoire
Overview
RITA (Real Intelligence Threat Analytics) is an open-source framework for network Analyse de Trafic that ingests Zeek (formerly Bro) logs and detects indicators of compromise through statistical analysis. It identifies beaconing behavior, DNS tunneling, long connexions, and other suspicious network activities commonly associated with advanced persistent threats (APTs).
⚠️ Warning: This tool is intended for authorized network monitoring and security analysis only. Ensure you have proper autorisation before analyzing network traffic.
Installation
Ubuntu/Debian Installation
# Add MongoDB repository
wget -qO - https://www.mongodb.org/static/pgp/server-4.4.asc|sudo apt-clé add -
echo "deb [ arch=amd64,arm64 ] https://repo.mongodb.org/apt/ubuntu focal/mongodb-org/4.4 multiverse"|sudo tee /etc/apt/sources.list.d/mongodb-org-4.4.list
# Update package list
sudo apt update
# Install MongoDB
sudo apt install -y mongodb-org
# Start MongoDB service
sudo systemctl start mongod
sudo systemctl enable mongod
# Install RITA
wget https://github.com/activecm/rita/releases/download/v4.8.0/rita
chmod +x rita
sudo mv rita /usr/local/bin/
# Verify Installation
rita --version
Docker Installation
# Clone RITA repository
git clone https://github.com/activecm/rita.git
cd rita
# Build Docker containers
docker-compose up -d
# Run RITA in container
docker-compose exec rita rita --version
Manual Installation
# Install Go (if not already installed)
wget https://golang.org/dl/go1.19.linux-amd64.tar.gz
sudo tar -C /usr/local -xzf go1.19.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
# Clone and build RITA
git clone https://github.com/activecm/rita.git
cd rita
make install
# Copy binary to system path
sudo cp rita /usr/local/bin/
configuration
Initial Setup
# Create RITA configuration directory
sudo mkdir -p /etc/rita
# Generate default configuration
rita test-config
# Copy configuration file
sudo cp etc/rita.yaml /etc/rita/config.yaml
# Edit configuration
sudo nano /etc/rita/config.yaml
configuration File Structure
# /etc/rita/config.yaml
MongoDB:
connexionString: mongodb://localhôte:27017
authentificationMechanism: ""
socketTimeout: 2
TLS:
Enable: false
Verifycertificat: false
CAFile: ""
LogLevel: 2
LogPath: "/var/lib/rita/logs"
Rolling:
DefaultChunks: 24
Filtering:
AlwaysInclude: []
NeverInclude: []
InternalSubnets: []
UserInterface:
DefaultResultLimit: 1000
Blacklisted:
feodo.abuse.ch: true
logiciel malveillantdomainlist.com: true
BeaconSNI:
DefaultconnexionThresh: 20
DNS:
DefaultconnexionThresh: 20
Strobe:
connexionLimit: 250000
Database configuration
# Test MongoDB connexion
mongo --eval "db.runcommande(\\\\{connexionStatus : 1\\\\})"
# Create RITA database user (optional)
mongo admin --eval "
db.createUser(\\\\{
user: 'rita_user',
pwd: 'secure_mot de passe',
roles: [
\\\\{role: 'readWrite', db: 'rita'\\\\},
\\\\{role: 'readWrite', db: 'MetaDatabase'\\\\}
]
\\\\})
"
# Update config for authentification
sudo nano /etc/rita/config.yaml
# Add authentification details to MongoDB section
Basic utilisation
commande Structure
# Basic syntaxe
rita [commande] [options]
# Get help
rita --help
rita [commande] --help
# Check version
rita --version
Available commandes
| | commande | Description | |
| --- | --- |
| | import | Import Zeek logs into RITA database | |
| | analyze | Analyze imported data for threats | |
| | show-databases | List available databases | |
| | show-beacons | Display beacon analysis results | |
| | show-strobes | Display strobe analysis results | |
| | show-dns | Display DNS analysis results | |
| | show-blacklisted | Display blacklisted connexions | |
| | show-useragents | Display user agent analysis | |
| | show-long-connexions | Display long connexion analysis | |
| | delete | Delete database | |
| | test-config | Test configuration file | |
Data Import and Analysis
Importing Zeek Logs
# Import single log directory
rita import /path/to/zeek/logs dataset_name
# Import with specific time range
rita import --rolling /path/to/zeek/logs dataset_name
# Import compressed logs
rita import /path/to/zeek/logs.tar.gz dataset_name
# Import with custom chunk size
rita import --chunk-size 1000000 /path/to/zeek/logs dataset_name
# Import and analyze immediately
rita import --analyze /path/to/zeek/logs dataset_name
Running Analysis
# Analyze imported dataset
rita analyze dataset_name
# Analyze with custom paramètres
rita analyze --threads 4 dataset_name
# Analyze specific modules only
rita analyze --beacon --dns dataset_name
# Force re-analysis
rita analyze --force dataset_name
Database Management
# List all databases
rita show-databases
# Show database information
rita show-databases --details
# Delete database
rita delete dataset_name
# Delete multiple databases
rita delete dataset1 dataset2 dataset3
Threat Detection Modules
Beacon Detection
# Show beacon analysis results
rita show-beacons dataset_name
# Show top beacons with details
rita show-beacons --limit 20 dataset_name
# Show beacons for specific source
rita show-beacons --src 192.168.1.100 dataset_name
# Export beacon results to CSV
rita show-beacons --csv dataset_name > beacons.csv
# Show beacon details with human-readable format
rita show-beacons --human-readable dataset_name
DNS Analysis
# Show DNS analysis results
rita show-dns dataset_name
# Show DNS tunneling indicators
rita show-dns --limit 50 dataset_name
# Show DNS for specific domain
rita show-dns --domain suspicious.com dataset_name
# Export DNS results
rita show-dns --csv dataset_name > dns_analysis.csv
# Show DNS with subdomain analysis
rita show-dns --subdomain-analysis dataset_name
Long connexion Analysis
# Show long connexions
rita show-long-connexions dataset_name
# Show connexions longer than specific duration
rita show-long-connexions --duration 3600 dataset_name
# Show long connexions for specific hôte
rita show-long-connexions --src 192.168.1.100 dataset_name
# Export long connexions
rita show-long-connexions --csv dataset_name > long_connexions.csv
Strobe Detection
# Show strobe analysis (scan de ports)
rita show-strobes dataset_name
# Show strobes with specific threshold
rita show-strobes --limit 10 dataset_name
# Show strobes for specific source
rita show-strobes --src 192.168.1.100 dataset_name
# Export strobe results
rita show-strobes --csv dataset_name > strobes.csv
Blacklisted connexions
# Show blacklisted connexions
rita show-blacklisted dataset_name
# Show blacklisted with details
rita show-blacklisted --details dataset_name
# Show blacklisted for specific source
rita show-blacklisted --src 192.168.1.100 dataset_name
# Export blacklisted connexions
rita show-blacklisted --csv dataset_name > blacklisted.csv
User Agent Analysis
# Show user agent analysis
rita show-useragents dataset_name
# Show rare user agents
rita show-useragents --rare dataset_name
# Show user agents for specific hôte
rita show-useragents --src 192.168.1.100 dataset_name
# Export user agent analysis
rita show-useragents --csv dataset_name > useragents.csv
Advanced Analysis Techniques
Custom Filtering
# Analyze specific IP ranges
rita import --filter-internal 192.168.0.0/16,10.0.0.0/8 /path/to/logs dataset_name
# Exclude specific networks
rita import --filter-external 8.8.8.8/32 /path/to/logs dataset_name
# Custom time window analysis
rita import --start-time "2023-01-01 00:00:00" --end-time "2023-01-02 00:00:00" /path/to/logs dataset_name
chasse aux menaces Queries
# Find potential C2 beacons with high confidence
rita show-beacons --score-threshold 0.8 dataset_name
# Identify DNS tunneling attempts
rita show-dns --query-length-threshold 50 dataset_name
# Find long-duration connexions (potential persistance)
rita show-long-connexions --duration 7200 dataset_name
# Detect scan de ports activity
rita show-strobes --connexion-threshold 100 dataset_name
Cross-Dataset Analysis
# Compare multiple datasets
rita show-beacons dataset1 > beacons1.csv
rita show-beacons dataset2 > beacons2.csv
# Find common indicators across datasets
| comm -12 <(cut -d',' -f1 beacons1.csv | sort) <(cut -d',' -f1 beacons2.csv | sort) |
# Analyze trends over time
for dataset in dataset_day1 dataset_day2 dataset_day3; do
echo "=== $dataset ==="
rita show-beacons --limit 5 $dataset
done
Automation and Scripting
Automated Analysis Pipeline
#!/bin/bash
LOG_DIR="/var/log/zeek"
DATASET_PREFIX="daily_analysis"
RETENTION_DAYS=30
# Function to processus daily logs
processus_daily_logs() \\\\{
local date=$1
local dataset_name="$\\\\{DATASET_PREFIX\\\\}_$\\\\{date\\\\}"
local log_path="$\\\\{LOG_DIR\\\\}/$\\\\{date\\\\}"
if [ -d "$log_path" ]; then
echo "[+] processusing logs for $date"
# Import logs
rita import "$log_path" "$dataset_name"
# Run analysis
rita analyze "$dataset_name"
# Generate reports
generate_reports "$dataset_name" "$date"
echo "[+] Analysis complete for $date"
else
echo "[-] No logs found for $date"
fi
\\\\}
# Function to generate reports
generate_reports() \\\\{
local dataset=$1
local date=$2
local report_dir="/var/lib/rita/reports/$\\\\{date\\\\}"
mkdir -p "$report_dir"
# Generate beacon report
rita show-beacons --csv "$dataset" > "$\\\\{report_dir\\\\}/beacons.csv"
# Generate DNS report
rita show-dns --csv "$dataset" > "$\\\\{report_dir\\\\}/dns.csv"
# Generate long connexions report
rita show-long-connexions --csv "$dataset" > "$\\\\{report_dir\\\\}/long_connexions.csv"
# Generate strobe report
rita show-strobes --csv "$dataset" > "$\\\\{report_dir\\\\}/strobes.csv"
# Generate blacklisted report
rita show-blacklisted --csv "$dataset" > "$\\\\{report_dir\\\\}/blacklisted.csv"
# Create summary report
create_summary_report "$dataset" "$report_dir"
\\\\}
# Function to create summary report
create_summary_report() \\\\{
local dataset=$1
local report_dir=$2
local summary_file="$\\\\{report_dir\\\\}/summary.txt"
echo "RITA Analysis Summary for $dataset" > "$summary_file"
echo "Generated: $(date)" >> "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"
# Count findings
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
local dns_count=$(rita show-dns "$dataset"|wc -l)
local long_conn_count=$(rita show-long-connexions "$dataset"|wc -l)
local strobe_count=$(rita show-strobes "$dataset"|wc -l)
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
echo "Findings Summary:" >> "$summary_file"
echo "- Beacons: $beacon_count" >> "$summary_file"
echo "- DNS Anomalies: $dns_count" >> "$summary_file"
echo "- Long connexions: $long_conn_count" >> "$summary_file"
echo "- Strobes: $strobe_count" >> "$summary_file"
echo "- Blacklisted: $blacklisted_count" >> "$summary_file"
echo "" >> "$summary_file"
# Top findings
echo "Top 5 Beacons:" >> "$summary_file"
rita show-beacons --limit 5 "$dataset" >> "$summary_file"
echo "" >> "$summary_file"
echo "Top 5 DNS Anomalies:" >> "$summary_file"
rita show-dns --limit 5 "$dataset" >> "$summary_file"
\\\\}
# Cleanup old datasets
cleanup_old_datasets() \\\\{
local cutoff_date=$(date -d "$RETENTION_DAYS days ago" +%Y-%m-%d)
| rita show-databases | grep "$DATASET_PREFIX" | while read dataset; do |
local dataset_date=$(echo "$dataset"|sed "s/$\\\\{DATASET_PREFIX\\\\}_//")
if [[ "$dataset_date" ``< "$cutoff_date" ]]; then
echo "[+] Deleting old dataset: $dataset"
rita delete "$dataset"
fi
done
\\\}
# Main execution
DATE=$\\\{1:-$(date -d "yesterday" +%Y-%m-%d)\\\}
processus_daily_logs "$DATE"
cleanup_old_datasets
Real-time Monitoring Script
#!/bin/bash
ZEEK_LOG_DIR="/opt/zeek/logs/current"
RITA_DATASET="realtime_$(date +%Y%m%d_%H%M%S)"
CHECK_INTERVAL=300 # 5 minutes
ALERT_THRESHOLD_BEACONS=10
ALERT_THRESHOLD_DNS=20
# Function to check for new threats
check_threats() \\\{
local dataset=$1
# Check beacon count
local beacon_count=$(rita show-beacons "$dataset"|wc -l)
if [ "$beacon_count" -gt "$ALERT_THRESHOLD_BEACONS" ]; then
send_alert "High beacon activity detected: $beacon_count beacons found"
rita show-beacons --limit 10 "$dataset"|mail -s "RITA Alert: Beacon Activity" security@company.com
fi
# Check DNS anomalies
local dns_count=$(rita show-dns "$dataset"|wc -l)
if [ "$dns_count" -gt "$ALERT_THRESHOLD_DNS" ]; then
send_alert "High DNS anomaly activity: $dns_count anomalies found"
rita show-dns --limit 10 "$dataset"|mail -s "RITA Alert: DNS Anomalies" security@company.com
fi
# Check for blacklisted connexions
local blacklisted_count=$(rita show-blacklisted "$dataset"|wc -l)
if [ "$blacklisted_count" -gt 0 ]; then
send_alert "Blacklisted connexions detected: $blacklisted_count connexions"
rita show-blacklisted "$dataset"|mail -s "RITA Alert: Blacklisted connexions" security@company.com
fi
\\\}
# Function to send alerts
send_alert() \\\{
local message=$1
echo "[ALERT] $(date): $message"
logger "RITA_ALERT: $message"
# Send to SIEM or alerting system
curl -X POST -H "Content-Type: application/json" \
-d "\\\{\"alert\":\"$message\",\"timestamp\":\"$(date -Iseconds)\"\\\}" \
http://siem.company.com/api/alerts
\\\}
# Main monitoring loop
echo "[+] Starting RITA real-time monitoring"
echo "[+] Dataset: $RITA_DATASET"
echo "[+] Check interval: $CHECK_INTERVAL seconds"
while true; do
echo "[+] $(date): Importing latest logs..."
# Import latest logs
rita import "$ZEEK_LOG_DIR" "$RITA_DATASET"
# Run analysis
rita analyze "$RITA_DATASET"
# Check for threats
check_threats "$RITA_DATASET"
echo "[+] $(date): Check complete, sleeping for $CHECK_INTERVAL seconds"
sleep "$CHECK_INTERVAL"
done
Renseignement sur les Menaces Integration
#!/bin/bash
# Function to update Renseignement sur les Menaces feeds
update_threat_feeds() \\\{
local config_file="/etc/rita/config.yaml"
local temp_config="/tmp/rita_config_temp.yaml"
echo "[+] Updating Renseignement sur les Menaces feeds..."
# Download latest IOCs
wget -q -O /tmp/feodo_tracker.txt "https://feodotracker.abuse.ch/downloads/ipblocklist.txt"
wget -q -O /tmp/logiciel malveillant_domains.txt "http://www.logiciel malveillantdomainlist.com/hôteslist/hôtes.txt"
# Update RITA configuration with new feeds
cp "$config_file" "$temp_config"
# Add new blacklisted domains/IPs
python3 << EOF
import yaml
import requests
# Load current config
with open('$temp_config', 'r') as f:
config = yaml.safe_load(f)
# Update blacklisted section
if 'Blacklisted' not in config:
config['Blacklisted'] = \\\{\\\}
# Add Feodo tracker IPs
with open('/tmp/feodo_tracker.txt', 'r') as f:
for line in f:
ip = line.strip()
if ip and not ip.startswith('#'):
config['Blacklisted'][ip] = True
# Save updated config
with open('$temp_config', 'w') as f:
yaml.dump(config, f, default_flow_style=False)
EOF
# Backup original and update
cp "$config_file" "$\\\{config_file\\\}.backup.$(date +%Y%m%d)"
sudo cp "$temp_config" "$config_file"
echo "[+] Renseignement sur les Menaces feeds updated"
\\\}
# Function to correlate with external Renseignement sur les Menaces
correlate_with_ti() \\\{
local dataset=$1
local output_dir="/var/lib/rita/ti_correlation"
mkdir -p "$output_dir"
# Extract unique IPs from RITA results
| rita show-beacons --csv "$dataset" | cut -d',' -f2 | sort -u >`` "$\\\\{output_dir\\\\}/beacon_ips.txt" |
| rita show-dns --csv "$dataset" | cut -d',' -f2 | sort -u > "$\\\\{output_dir\\\\}/dns_domains.txt" |
# Check against VirusTotal (requires API clé)
if [ ! -z "$VT_API_clé" ]; then
echo "[+] Checking IPs against VirusTotal..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "x-apiclé: $VT_API_clé" \
"https://www.virustotal.com/vtapi/v2/ip-address/report?apiclé=$VT_API_clé&ip;=$ip" \
>> "$\\\\{output_dir\\\\}/vt_ip_results.json"
sleep 1 # Rate limiting
fi
done < "$\\\\{output_dir\\\\}/beacon_ips.txt"
fi
# Check against AbuseIPDB (requires API clé)
if [ ! -z "$ABUSEIPDB_API_clé" ]; then
echo "[+] Checking IPs against AbuseIPDB..."
while read ip; do
if [ ! -z "$ip" ]; then
curl -s -H "clé: $ABUSEIPDB_API_clé" \
-H "Accept: application/json" \
"https://api.abuseipdb.com/api/v2/check?ipAddress=$ip&maxAgeInDays;=90" \
>> "$\\\\{output_dir\\\\}/abuseipdb_results.json"
sleep 1 # Rate limiting
fi
done ``< "$\\\{output_dir\\\}/beacon_ips.txt"
fi
echo "[+] Renseignement sur les Menaces correlation complete"
\\\}
# Update feeds and run correlation
update_threat_feeds
correlate_with_ti "$1"
Integration with Other Tools
Zeek Integration
# Configure Zeek to output logs in RITA-compatible format
# /opt/zeek/share/zeek/site/local.zeek
@load base/protocoles/conn
@load base/protocoles/dns
@load base/protocoles/http
@load base/protocoles/ssl
# Enable JSON output for better RITA compatibility
@load policy/tuning/json-logs.zeek
# Custom log rotation for RITA
redef Log::default_rotation_interval = 1hr;
redef Log::default_rotation_postprocessusor = Log::run_rotation_postprocessusor_cmd;
redef Log::rotation_postprocessusor_cmd = "gzip";
ELK Stack Integration
# Logstash configuration for RITA results
# /etc/logstash/conf.d/rita.conf
input \\\{
file \\\{
path =>`` "/var/lib/rita/reports/*/beacons.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_beacons"
\\\\}
file \\\\{
path => "/var/lib/rita/reports/*/dns.csv"
start_position => "beginning"
sincedb_path => "/dev/null"
codec => "plain"
type => "rita_dns"
\\\\}
\\\\}
filter \\\\{
if [type] == "rita_beacons" \\\\{
csv \\\\{
columns => ["source", "destination", "connexions", "avg_bytes", "score"]
separator => ","
\\\\}
mutate \\\\{
convert => \\\\{
"connexions" => "integer"
"avg_bytes" => "integer"
"score" => "float"
\\\\}
\\\\}
\\\\}
if [type] == "rita_dns" \\\\{
csv \\\\{
columns => ["query", "source", "query_count", "unique_subdomains"]
separator => ","
\\\\}
mutate \\\\{
convert => \\\\{
"query_count" => "integer"
"unique_subdomains" => "integer"
\\\\}
\\\\}
\\\\}
\\\\}
output \\\\{
elasticsearch \\\\{
hôtes => ["localhôte:9200"]
index => "rita-%\\\\{type\\\\}-%\\\\{+YYYY.MM.dd\\\\}"
\\\\}
\\\\}
Splunk Integration
# Splunk inputs.conf for RITA data
[monitor:///var/lib/rita/reports/*/beacons.csv]
disabled = false
sourcetype = rita:beacons
index = security
[monitor:///var/lib/rita/reports/*/dns.csv]
disabled = false
sourcetype = rita:dns
index = security
# Splunk props.conf for RITA data
[rita:beacons]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = source,destination,connexions,avg_bytes,score
[rita:dns]
SHOULD_LINEMERGE = false
FIELD_DELIMITER = ,
FIELD_NAMES = query,source,query_count,unique_subdomains
Performance Optimization
Database Optimization
# MongoDB optimization for RITA
# /etc/mongod.conf
storage:
dbPath: /var/lib/mongodb
journal:
enabled: true
wiredTiger:
engineConfig:
cacheSizeGB: 8 # Adjust based on available RAM
systemLog:
destination: file
logAppend: true
path: /var/log/mongodb/mongod.log
net:
port: 27017
bindIp: 127.0.0.1
# Create indexes for better performance
mongo rita --eval "
db.conn.createIndex(\\\\{src: 1, dst: 1\\\\});
db.dns.createIndex(\\\\{query: 1, src: 1\\\\});
db.http.createIndex(\\\\{src: 1, dst: 1\\\\});
"
Resource Management
# Optimize RITA for large datasets
export GOMAXPROCS=8 # Set to number of CPU cores
export GOGC=100 # Garbage collection percentage
# Run analysis with custom memory settings
rita analyze --threads 8 --chunk-size 500000 dataset_name
# Monitor resource utilisation during analysis
top -p $(pgrep rita)
iostat -x 1
dépannage
Common Issues
# MongoDB connexion issues
sudo systemctl status mongod
sudo systemctl restart mongod
# Check MongoDB logs
sudo tail -f /var/log/mongodb/mongod.log
# Test RITA configuration
rita test-config
# Check RITA logs
tail -f /var/lib/rita/logs/rita.log
# Verify Zeek log format
head -n 5 /path/to/zeek/logs/conn.log
Debug Mode
# Enable debug logging
rita --debug import /path/to/logs dataset_name
# Verbose analysis
rita --verbose analyze dataset_name
# Check database contents
mongo rita --eval "db.stats()"
mongo rita --eval "db.conn.count()"
Performance Issues
# Check database size
mongo rita --eval "db.stats().dataSize"
# Optimize database
mongo rita --eval "db.runcommande(\\\\{compact: 'conn'\\\\})"
# Check system resources
free -h
df -h
iostat -x 1 5
Best Practices
Data Management
- Regular cleanup: Remove old datasets to manage disk space
- Index optimization: Create appropriate MongoDB indexes
- Log rotation: Implement proper Zeek log rotation
- Backup strategy: Regular backup of RITA databases
- Monitoring: Monitor system resources during analysis
Analysis Strategy
# Phased analysis approach
# Phase 1: Import and basic analysis
rita import /path/to/logs dataset_name
rita analyze dataset_name
# Phase 2: Detailed chasse aux menaces
rita show-beacons --score-threshold 0.7 dataset_name
rita show-dns --query-length-threshold 40 dataset_name
# Phase 3: Correlation and investigation
# Correlate findings with external Renseignement sur les Menaces
# Investigate high-confidence indicators
Operational Security
# Secure RITA deployment
# 1. Restrict database access
sudo ufw allow from 127.0.0.1 to any port 27017
# 2. Encrypt sensitive data
# Use MongoDB chiffrement at rest
# 3. Secure log storage
sudo chmod 750 /var/lib/rita
sudo chown rita:rita /var/lib/rita
# 4. Regular updates
sudo apt update && sudo apt upgrade rita
Resources
- RITA GitHub Repository
- RITA documentation
- Active Countermeasures Blog
- Zeek Network Security Monitor
- MongoDB documentation
This aide-mémoire provides a comprehensive reference for using RITA. Always ensure you have proper autorisation before conducting network Analyse de Trafic and monitoring.