Real Intelligence Threat Analytics (RITA) is a framework developed by Black Hills Information Security and currently sponsored by Active Countermeasures. RITA plays an important role in detecting command and control (C2) communication through network traffic analysis, and is mainly aimed at helping organizations find malicious activity on their network. It does not detect malicious activity through signatures, but mainly through statistical analysis of the traffic.
This framework ingests Zeek logs in TSV format and currently supports the following major features:
● Beaconing Detection: Search for signs of beaconing behavior in and out of your network.
● DNS Tunneling Detection: Search for signs of DNS-based covert channels.
● Blacklist Checking: Query blacklists to search for suspicious domains and hosts.
● URL Length Analysis: Search for lengthy URLs indicative of malware.
● Scanning Detection: Search for signs of port scans in your network.
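As an added illustration of the statistical, signature-free approach described above (not RITA's own code), the following Python example parses a constructed Zeek conn.log in TSV format and scores each source/destination pair by the regularity of its connection timing. The coefficient-of-variation heuristic is a simplified stand-in assumed here for illustration, not RITA's actual beacon scoring.

```python
import statistics
from collections import defaultdict

def build_conn_log():
    """Return a constructed Zeek conn.log excerpt (TSV); not a real capture."""
    fields = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto"]
    rows = []
    # Pair A: 10.0.0.5 -> 203.0.113.7 roughly every 60 s (+/-1 s jitter), beacon-like.
    ts = 1700000000.0
    for i in range(12):
        ts += 60 + (1 if i % 2 else -1)
        rows.append([f"{ts:.6f}", f"CA{i}", "10.0.0.5", str(40000 + i), "203.0.113.7", "443", "tcp"])
    # Pair B: 10.0.0.8 -> 198.51.100.3 at irregular, human-driven intervals.
    ts = 1700000000.0
    for i, gap in enumerate([5, 300, 12, 900, 45, 2, 1800, 60, 7, 400, 33]):
        ts += gap
        rows.append([f"{ts:.6f}", f"CB{i}", "10.0.0.8", str(50000 + i), "198.51.100.3", "443", "tcp"])
    header = ["#separator \\x09", "#fields\t" + "\t".join(fields)]
    return "\n".join(header + ["\t".join(r) for r in rows]) + "\n"

def parse_conn_log(text):
    """Parse Zeek TSV: the '#fields' line names the columns, other '#' lines are metadata."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records

def interval_regularity(records, min_conns=6):
    """Coefficient of variation (stdev/mean) of the gaps between connections per (orig, resp)
    pair. Near-zero CV means metronome-like timing. Simplified heuristic, not RITA's scoring."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    scores = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_conns:
            continue  # too few connections to judge timing
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        scores[pair] = round(statistics.pstdev(gaps) / statistics.mean(gaps), 3)
    return scores

def flag_beacons(records, cv_threshold=0.1):
    """Pairs whose timing is regular enough to warrant analyst review."""
    return sorted(p for p, cv in interval_regularity(records).items() if cv < cv_threshold)
```

The beacon-like pair scores a CV near 0.02 while the interactive pair scores above 1.5, so only the former is flagged.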
Installing RITA:
● Download the latest install.sh file from the Releases page.
● Make the installer executable: chmod +x ./install.sh
● Run the installer: sudo ./install.sh
● Start MongoDB: sudo service mongod start
Installing Zeek is also recommended. RITA needs Zeek logs as input, so if you already have Zeek or its logs you can skip this step.
Obtaining Data (Generating Zeek Logs):
Option 1: Generate PCAPs outside of Zeek.
● Generate PCAP files with a packet sniffer (tcpdump, Wireshark, etc.).
● (Optional) Merge multiple PCAP files into one PCAP file:
mergecap -w outFile.pcap inFile1.pcap inFile2.pcap
● Generate Zeek logs from the PCAP files:
zeek -r pcap_to_log.pcap local "Log::default_rotation_interval = 1 day"
Option 2: Install Zeek and let it monitor an interface directly [instructions].
● You may wish to compile Zeek from source for performance reasons. This script can help automate the process.
● The automated installer for RITA installs pre-compiled Zeek binaries by default. Provide the --disable-zeek flag when running the installer if you intend to compile Zeek from source.
Here is a sample video on RITA: how it works, how to get it up and running, how easy it is to get started, and what you can actually get out of the tool.
Examining Data With RITA:
● Use the show-X commands:

| Command | Description |
|---|---|
| show-databases | Print the datasets currently stored. |
| show-beacons | Print hosts which show signs of C2 software. |
| show-bl-hostnames | Print blacklisted hostnames which received connections. |
| show-bl-source-ips | Print blacklisted IPs which initiated connections. |
| show-bl-dest-ips | Print blacklisted IPs which received connections. |
| show-exploded-dns | Print DNS analysis. Exposes covert DNS channels. |
| show-long-connections | Print long connections and relevant information. |
| show-strobes | Print connections which occurred with excessive frequency. |
| show-useragents | Print user agent information. |
By default, RITA displays data in CSV format:
● -d [DELIM] delimits the data by [DELIM] instead of a comma. A string can be provided instead of a single character if desired, e.g. rita show-beacons -d "—" dataset_name
● -H displays the data in a human-readable format. This takes precedence over the -d option.
● Piping the human-readable results through less -S prevents line wrapping. Ex: rita show-beacons dataset_name -H | less -S
● Create an HTML report with the html-report command.