activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

Home Page: https://www.activecountermeasures.com/free-tools/rita/

License: GNU General Public License v3.0

Dockerfile 0.21% Makefile 0.03% Go 91.64% Shell 6.26% Python 1.86%
beacons blue-team c2 command-and-control cyber-security network-traffic-analysis threat-hunting zeek log-analysis anomaly-detection

rita's Issues

rita won't run unless there's a terminal

Rita (happens to be 5.0.7) runs fine when it's on an actual logged-in terminal. When run in the background, perhaps as a cron job, one gets the following errors:

2024-08-13T15:45:17Z ERR unable to display progress for connection correlation error="could not open a new TTY: open /dev/tty: no such device or address"
2024-08-13T15:45:17Z WRN cancelling SSL connection linking
2024-08-13T15:45:17Z ERR unable to link open ssl connections error="context canceled"
2024-08-13T15:45:17Z WRN cancelling SSL connection linking
2024-08-13T15:45:17Z ERR unable to link ssl connections error="context canceled"
2024-08-13T15:45:17Z WRN cancelling HTTP connection linking
2024-08-13T15:45:17Z ERR unable to link http connections error="context canceled"


        [!] could not perform connection linking: unable to display progress for connection correlation: could not open a new TTY: open /dev/tty: no such device or address

 Container rita-rita-1  Stopping
 Container rita-rita-1  Stopped

(reported by SL and CB). We confirmed that the same command ran fine and finished importing when run on an ssh connection.

It's not clear to me whether the "cancelling SSL connection linking", "unable to link open ssl connections" is related to this or not.
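The failure above comes from opening /dev/tty unconditionally for the progress display. The following is an added example, not RITA's code, of the defensive pattern a non-interactive run needs: probe for a terminal once, fall back to plain log lines, and never let a display problem cancel the work. The RITA_NO_TTY switch and the phase name are hypothetical.

```go
package main

import (
	"fmt"
	"io"
	"os"
)

// ProgressMode selects how a long-running import phase reports progress.
type ProgressMode int

const (
	ProgressInteractive ProgressMode = iota // redraw a bar in place on the terminal
	ProgressPlain                           // one log line per milestone; safe under cron or syslog
)

// isTerminal reports whether f is a character device. Under cron, or in a container started
// without a pseudo-terminal, stdout is a pipe or a regular file and this returns false.
// Caveat: /dev/null is also a character device, so the /dev/tty probe below is still needed.
func isTerminal(f *os.File) bool {
	fi, err := f.Stat()
	if err != nil {
		return false
	}
	return fi.Mode()&os.ModeCharDevice != 0
}

// canOpenTTY is the operation that fails in the report above ("open /dev/tty: no such
// device or address"). Probing it once up front lets the importer pick a display mode
// instead of aborting in the middle of connection correlation.
func canOpenTTY() bool {
	t, err := os.OpenFile("/dev/tty", os.O_RDWR, 0)
	if err != nil {
		return false
	}
	t.Close()
	return true
}

// chooseProgressMode: interactive only when every precondition holds, otherwise plain
// logging. forcePlain is an explicit operator opt-out (hypothetical RITA_NO_TTY, see main).
func chooseProgressMode(stdoutIsTTY, ttyOpenable, forcePlain bool) ProgressMode {
	if forcePlain || !stdoutIsTTY || !ttyOpenable {
		return ProgressPlain
	}
	return ProgressInteractive
}

// runPhase executes step for i in [0, total) and renders progress to w in the given mode.
// Display output is best-effort; only step errors abort the phase, with the count of steps done.
func runPhase(w io.Writer, mode ProgressMode, name string, total int, step func(i int) error) (int, error) {
	done, nextMark := 0, 25
	for i := 0; i < total; i++ {
		if err := step(i); err != nil {
			return done, fmt.Errorf("%s: step %d: %w", name, i, err)
		}
		done++
		pct := done * 100 / total
		switch mode {
		case ProgressInteractive:
			fmt.Fprintf(w, "\r%-28s %3d%%", name, pct) // carriage return redraws the same line
		case ProgressPlain:
			if pct >= nextMark || done == total { // 25% milestones plus completion
				fmt.Fprintf(w, "%s progress=%d%% (%d/%d)\n", name, pct, done, total)
				nextMark = pct/25*25 + 25
			}
		}
	}
	if mode == ProgressInteractive {
		fmt.Fprintln(w)
	}
	return done, nil
}

func main() {
	mode := chooseProgressMode(isTerminal(os.Stdout), canOpenTTY(), os.Getenv("RITA_NO_TTY") != "")
	if _, err := runPhase(os.Stdout, mode, "connection correlation", 8, func(int) error { return nil }); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```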

Create an install_docker Ansible playbook

Currently, the install_rita.yml and install_zeek.yml playbooks contain duplicate tasks for installing Docker and doing package manager updates (apt/yum). These tasks should be moved out into a single playbook so that they only need to be updated in a single place.

Recreate install experience similar to older versions of RITA

Prior to RITA version 5, RITA required you to download a single install script. When you ran the script, all needed files were downloaded and automatically installed. Further, at the end of the install, you were given the option to install Zeek as well. Besides selecting the interface Zeek should listen on, that process was also automated.

As of version 5, the RITA install is a lot more challenging. Users have to download a tarball, expand it, and run the included install script. Further, there is no option for installing Zeek. The user is given some instructions but left to manually get it running for themselves.

The install process for RITA5 needs to be updated so that the install process is as simple as previous versions.

Rita does not detect new logs after the first import

Architecture

My project is made up of several docker containers: the DB (clickhouse), rita and zeek. A volume is shared between the Rita and Zeek containers in order to access the logs.

A cron is run every hour to import the logs into Rita. For the import, I only take the zeek logs folder of the day in order to have only 24h in Rita (the rolling option is also well set).

Issue

When Rita makes her first import of the day, everything goes according to plan. All the logs are found and imported.

2024-07-31T01:20:01Z INF Initiating new import... dataset=my_dataset directory=/app/zeek-logs/2024-07-31 rebuild=false rolling=true started_at="2024-07-31 01:20:01.350964382 +0000 UTC m=+0.004145583"
2024-07-31T01:20:01Z INF [THREAT INTEL] Updating online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.00:50:00-01:00:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.00:50:00-01:00:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.00:50:00-01:00:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.00:50:00-01:00:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.00:50:00-01:00:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.00:10:00-00:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.00:20:00-00:30:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.00:30:00-00:40:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.00:40:00-00:50:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.00:50:00-01:00:00.log.gz
2024-07-31T01:20:08Z INF Finished Parsing Logs! 🎉 elapsed_time=7.308483578s parsing_began=1722388801 parsing_finished=1722388808

🧂 Seasoning open SSL connections  🎉   100%

🧂 Seasoning SSL connections       🎉   100%

🧂 Seasoning HTTP connections 🎉   100%

✅ Sifting open IP connections...

✅ Sifting IP connections...

2024-07-31T01:20:09Z INF Finished Seasoning Logs! 🎉 elapsed_time=595.68529ms seasoning_began=1722388808 seasoning_finished=1722388809

SNI Connection Analysis 🎉   100%

IP Connection Analysis  🎉   100%

DNS Analysis            🎉   100%

2024-07-31T01:20:11Z INF Finished Analysis! 🎉 analysis_began=1722388809 analysis_finished=1722388811 elapsed_time=1.736611685s
2024-07-31T01:20:11Z INF Finished Modification! 🎉 elapsed_time=32.84501ms modification_began=1722388811 modification_finished=1722388811
2024-07-31T01:20:11Z INF Finished Importing Hour Chunk day=0 elapsed_time=9.732068841s hour=0
[-] Parsing:  /app/zeek-logs/2024-07-31/conn.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/http.01:10:00-01:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/ssl.01:10:00-01:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_conn.01:10:00-01:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/open_ssl.01:10:00-01:20:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.01:00:00-01:10:00.log.gz
[-] Parsing:  /app/zeek-logs/2024-07-31/dns.01:10:00-01:20:00.log.gz
2024-07-31T01:20:13Z INF Finished Parsing Logs! 🎉 elapsed_time=2.082223516s parsing_began=1722388811 parsing_finished=1722388813

🧂 Seasoning open SSL connections  🎉   100%

🧂 Seasoning SSL connections       🎉   100%

🧂 Seasoning HTTP connections 🎉   100%

✅ Sifting open IP connections...

✅ Sifting IP connections...

2024-07-31T01:20:13Z INF Finished Seasoning Logs! 🎉 elapsed_time=467.513435ms seasoning_began=1722388813 seasoning_finished=1722388813

SNI Connection Analysis 🎉   100%

IP Connection Analysis  🎉   100%

DNS Analysis            🎉   100%

2024-07-31T01:20:15Z INF Finished Analysis! 🎉 analysis_began=1722388814 analysis_finished=1722388815 elapsed_time=1.889514043s
2024-07-31T01:20:15Z INF Finished Modification! 🎉 elapsed_time=24.338697ms modification_began=1722388815 modification_finished=1722388815
2024-07-31T01:20:15Z INF Finished Importing Hour Chunk day=0 elapsed_time=4.591641917s hour=1
2024-07-31T01:20:15Z INF 🎊✨ Finished Import! ✨🎊 elapsed_time=14.6s

But on subsequent imports, Rita no longer imports anything and reports that all the files have already been imported.

2024-07-31T02:20:16Z INF Initiating new import... dataset=my_dataset directory=/app/zeek-logs/2024-07-31 rebuild=false rolling=true started_at="2024-07-31 02:20:16.236288652 +0000 UTC m=+0.004589947"
2024-07-31T02:20:16Z INF [THREAT INTEL] Updating online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt

[!] all files were previously imported


2024-07-31T03:20:16Z INF Initiating new import... dataset=my_dataset directory=/app/zeek-logs/2024-07-31 rebuild=false rolling=true started_at="2024-07-31 03:20:16.603033134 +0000 UTC m=+0.006243644"
2024-07-31T03:20:16Z INF [THREAT INTEL] Updating online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt

[!] all files were previously imported


2024-07-31T04:20:16Z INF Initiating new import... dataset=my_dataset directory=/app/zeek-logs/2024-07-31 rebuild=false rolling=true started_at="2024-07-31 04:20:16.98451503 +0000 UTC m=+0.004978521"
2024-07-31T04:20:17Z INF [THREAT INTEL] Updating online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt

[!] all files were previously imported

...

However, there are new logs after the first ones that have been imported...


macOS ARM Import Failure: Another instance of RITA is currently running

When running RITA on a macOS ARM system, RITA fails to start an import with the error Another instance of RITA is currently running.

MacBookPro M3, up-to-date macOS and Docker Desktop:

rita main ﹪ sw_vers
ProductName:		macOS
ProductVersion:		14.5
BuildVersion:		23F79
rita main ﹪ uname -a
Darwin Joshuas-MBP.localdomain 23.5.0 Darwin Kernel Version 23.5.0: Wed May  1 20:17:33 PDT 2024; root:xnu-10063.121.3~5/RELEASE_ARM64_T6031 arm64
rita main ﹪ docker -v
Docker version 27.1.1, build 6312585
rita main ﹪ git log -1
commit 0ce0c799e51766e623574c3d7e8f35a008d30e80 (HEAD -> main, origin/main, origin/HEAD)
Author: Naomi Kramer <[email protected]>
Date:   Mon Jul 29 16:56:06 2024 -0400

    Update one line installer

RITA error:

rita main ﹪ ./rita.sh
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.1s
[+] Creating 2/0
 ✔ Container syslog-ng   Running                                           0.0s
 ✔ Container clickhouse  Running                                           0.0s
NAME:
   RITA - Look for evil needles in big haystacks

USAGE:
   rita [-d] command [command options]

VERSION:
   0ce0c799e51766e623574c3d7e8f35a008d30e80

COMMANDS:
   import    import zeek logs into a target database
   view      view <dataset name>
   delete    delete a dataset
   list      list available datasets
   validate  validate a configuration file
   help, h   Shows a list of commands or help for one command

GLOBAL OPTIONS:
   --debug, -d    Run in debug mode (default: false)
   --help, -h     show help
   --version, -v  print the version
[+] Stopping 1/0
 ✔ Container rita-rita-1  Stopped                                          0.0s
rita main ﹪ ./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.1s
Another instance of RITA is currently running... Please exit it and try again.

I haven't looked into this in detail yet, but stopping running containers and trying again does not fix it:

rita main ﹪ docker ps -q
2e345537ba78
bece96b00275
rita main ﹪ docker ps
CONTAINER ID   IMAGE                                  COMMAND            CREATED         STATUS                   PORTS                                                          NAMES
2e345537ba78   clickhouse/clickhouse-server:24.1.6    "/entrypoint.sh"   8 minutes ago   Up 7 minutes (healthy)   127.0.0.1:8123->8123/tcp, 127.0.0.1:9000->9000/tcp, 9009/tcp   clickhouse
bece96b00275   lscr.io/linuxserver/syslog-ng:latest   "/init"            8 minutes ago   Up 7 minutes             6514/tcp, 6601/tcp, 0.0.0.0:514->5514/udp                      syslog-ng
rita main ﹪ docker kill $(docker ps -q)
2e345537ba78
bece96b00275
rita main ﹪ docker ps
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
rita main ﹪ ./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container clickhouse   Started                                          0.1s
 ✔ Container syslog-ng    Started                                          0.1s
 ✔ Container rita-rita-1  Started                                          0.2s
Another instance of RITA is currently running... Please exit it and try again.

This error does not happen on an Intel MBP:

rita (main) $ uname -a
Darwin Joshuas-MBP-2.localdomain 23.1.0 Darwin Kernel Version 23.1.0: Mon Oct  9 21:27:27 PDT 2023; root:xnu-10002.41.9~6/RELEASE_X86_64 x86_64
rita (main) $ sw_vers
ProductName:		macOS
ProductVersion:		14.1.2
BuildVersion:		23B92
rita (main) $ docker -v
Docker version 26.1.1, build 4cf5afa
rita (main) $ ./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 ✔ Container syslog-ng    Running                                          0.0s
 ✔ Container clickhouse   Running                                          0.0s
 ✔ Container rita-rita-1  Started                                          0.2s
[+] Creating 2/0
 ✔ Container syslog-ng   Running                                           0.0s
 ✔ Container clickhouse  Running                                           0.0s
2024-07-30T10:47:38Z INF Initiating new import... dataset=wardrobe99 directory=/tmp/zeek_logs rebuild=false rolling=false started_at="2024-07-30 10:47:38.771166037 +0000 UTC m=+0.006652446"
...

Installer issue

Fresh Ubuntu 24.04 Noble Server
System requirements make no mention of ansible or docker. The installer script does say it installs docker.
Am I missing something somewhere?

enderst@Rita-5:~$ wget https://github.com/activecm/rita/releases/download/v5.0.6/install-rita-zeek-here.sh
--2024-07-30 18:06:52--  https://github.com/activecm/rita/releases/download/v5.0.6/install-rita-zeek-here.sh
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/821147194/84f4f270-d6a3-4d45-ae0b-18f1b16086a0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240730T180653Z&X-Amz-Expires=300&X-Amz-Signature=c68c3fb712d38e63c56ba33e435fa4b7db2af7e09ec27aa74ddd64944aee368b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=821147194&response-content-disposition=attachment%3B%20filename%3Dinstall-rita-zeek-here.sh&response-content-type=application%2Foctet-stream [following]
--2024-07-30 18:06:53--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/821147194/84f4f270-d6a3-4d45-ae0b-18f1b16086a0?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240730T180653Z&X-Amz-Expires=300&X-Amz-Signature=c68c3fb712d38e63c56ba33e435fa4b7db2af7e09ec27aa74ddd64944aee368b&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=821147194&response-content-disposition=attachment%3B%20filename%3Dinstall-rita-zeek-here.sh&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.111.133, 185.199.110.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1455 (1.4K) [application/octet-stream]
Saving to: ‘install-rita-zeek-here.sh’

enderst@Rita-5:~$ sudo bash install-rita-zeek-here.sh
export PATH=$PATH:/usr/local/bin/
==== Installing rita v5.0.6 ====
--2024-07-30 18:07:16--  https://github.com/activecm/rita/releases/download/v5.0.6/rita-v5.0.6.tar.gz
Resolving github.com (github.com)... 140.82.114.3
Connecting to github.com (github.com)|140.82.114.3|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/821147194/854ef876-37b7-4b08-9286-ab67e1162a61?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240730T180716Z&X-Amz-Expires=300&X-Amz-Signature=3c8be72581e58e174095c5885c5c13df9ebeb6036fbf781a54a08342f6fd1407&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=821147194&response-content-disposition=attachment%3B%20filename%3Drita-v5.0.6.tar.gz&response-content-type=application%2Foctet-stream [following]
--2024-07-30 18:07:16--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/821147194/854ef876-37b7-4b08-9286-ab67e1162a61?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20240730%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240730T180716Z&X-Amz-Expires=300&X-Amz-Signature=3c8be72581e58e174095c5885c5c13df9ebeb6036fbf781a54a08342f6fd1407&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=821147194&response-content-disposition=attachment%3B%20filename%3Drita-v5.0.6.tar.gz&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.108.133, 185.199.110.133, 185.199.111.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 39114 (38K) [application/octet-stream]
Saving to: ‘rita-v5.0.6.tar.gz.3’

rita-v5.0.6.tar.gz. 100%[===================>]  38.20K  --.-KB/s    in 0.05s   

2024-07-30 18:07:17 (744 KB/s) - ‘rita-v5.0.6.tar.gz.3’ saved [39114/39114]

./rita-v5.0.6-installer/
./rita-v5.0.6-installer/install_zeek.yml
./rita-v5.0.6-installer/.ansible/
./rita-v5.0.6-installer/.ansible/playbooks/
./rita-v5.0.6-installer/install_rita.yml
./rita-v5.0.6-installer/install_rita.sh
./rita-v5.0.6-installer/files/
./rita-v5.0.6-installer/files/opt/
./rita-v5.0.6-installer/files/opt/rita.sh
./rita-v5.0.6-installer/files/opt/.env
./rita-v5.0.6-installer/files/opt/zeek
./rita-v5.0.6-installer/files/opt/docker-compose.yml
./rita-v5.0.6-installer/files/opt/README
./rita-v5.0.6-installer/files/opt/LICENSE
./rita-v5.0.6-installer/files/etc/
./rita-v5.0.6-installer/files/etc/http_extensions_list.csv
./rita-v5.0.6-installer/files/etc/logger-cron
./rita-v5.0.6-installer/files/etc/timezone.xml
./rita-v5.0.6-installer/files/etc/syslog-ng.conf
./rita-v5.0.6-installer/files/etc/config.xml
./rita-v5.0.6-installer/files/etc/threat_intel_feeds/
./rita-v5.0.6-installer/files/etc/threat_intel_feeds/DO_NOT_DELETE
./rita-v5.0.6-installer/files/etc/config.hjson
./rita-v5.0.6-installer/files/docker-compose
./rita-v5.0.6-installer/scripts/
./rita-v5.0.6-installer/scripts/ansible-installer.sh
./rita-v5.0.6-installer/scripts/sshprep
./rita-v5.0.6-installer/scripts/helper.sh
install-rita-zeek-here.sh: line 29: rita: command not found
==== Installing zeek latest ====
--2024-07-30 18:07:17--  https://raw.githubusercontent.com/activecm/docker-zeek/master/zeek
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.108.133, 185.199.109.133, 185.199.110.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 14169 (14K) [text/plain]
Saving to: ‘/usr/local/bin/zeek’

/usr/local/bin/zeek 100%[===================>]  13.84K  --.-KB/s    in 0.002s  

2024-07-30 18:07:17 (7.02 MB/s) - ‘/usr/local/bin/zeek’ saved [14169/14169]

sudo: docker: command not found
Zeek is already stopped.
sudo: docker: command not found
sudo: docker: command not found
sudo: docker: command not found
sudo: docker: command not found
Could not find /opt/zeek/etc/node.cfg. Generating one now.
sudo: docker: command not found
sudo: docker: command not found
sudo: docker: command not found
sudo: docker: command not found
Starting the Zeek docker container
sudo: docker: command not found
Zeek is already stopped.
Please run 'zeek start' if you want to start zeek running in the background.
If your system has trouble locating either zeek or rita we recommend logging out and logging back in.
enderst@Rita-5:~$ 

Intermittent connection refused error starting rita.sh

Infrequently, starting the rita.sh script will produce the following error, preventing RITA from running:

[!] dial tcp 172.30.0.3:9000: connect: connection refused

This is caused by RITA starting too quickly after launching ClickHouse, before ClickHouse is ready to accept connections.
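An added example, not RITA's code, of the readiness wait rita.sh needs before the import starts: retry the ClickHouse native port with capped backoff instead of failing on the first refused dial. The address 172.30.0.3:9000 is taken from the error above; the deadline, delays and the RITA-facing wrapper in main are assumptions.

```go
package main

import (
	"context"
	"fmt"
	"net"
	"os"
	"time"
)

// waitForTCP dials addr until a TCP connection succeeds or ctx expires, sleeping with
// capped exponential backoff between attempts. "connection refused" while ClickHouse is
// still starting is expected and retried; the last dial error is kept in the returned
// error so an operator can tell a slow start from a wrong address or a dead service.
func waitForTCP(ctx context.Context, addr string, initial, maxDelay time.Duration) (int, error) {
	dialer := net.Dialer{Timeout: 2 * time.Second}
	delay, attempts := initial, 0
	for {
		attempts++
		conn, err := dialer.DialContext(ctx, "tcp", addr)
		if err == nil {
			conn.Close() // reachability only; the real client opens its own session
			return attempts, nil
		}
		select {
		case <-ctx.Done():
			return attempts, fmt.Errorf("%s not reachable after %d attempt(s): %w (last error: %v)",
				addr, attempts, ctx.Err(), err)
		case <-time.After(delay):
		}
		delay *= 2
		if delay > maxDelay {
			delay = maxDelay
		}
	}
}

func main() {
	// Hypothetical wrapper: wait for the ClickHouse native port named in the report before
	// launching the import. The 60 s deadline and backoff bounds are placeholders.
	addr := "172.30.0.3:9000"
	if len(os.Args) > 1 {
		addr = os.Args[1]
	}
	ctx, cancel := context.WithTimeout(context.Background(), 60*time.Second)
	defer cancel()
	attempts, err := waitForTCP(ctx, addr, 250*time.Millisecond, 5*time.Second)
	if err != nil {
		fmt.Fprintln(os.Stderr, "[!]", err)
		os.Exit(1)
	}
	fmt.Printf("%s accepted a connection after %d attempt(s); safe to start the import\n", addr, attempts)
}
```

A successful TCP accept only proves the port is listening, not that ClickHouse has finished initialising; since the clickhouse container already reports "(healthy)" in the docker ps output above, a compose-level depends_on with condition: service_healthy on the rita service is the more robust fix.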

Feature: Show IP and Hostname

In the detail view for the selected entry, if a hostname is displayed there is no opportunity to see the IP address of the selected destination. The analyst must refer to Zeek logs or perform DNS name resolution to identify the IP address of the threat, both of which are not ideal. Screenshot attached.

Feature request: Display the IP address even when a DNS name is extracted about a host, either SRC or DST.

Screenshot 2024-08-05 at 6 53 40 AM

Feature: Search using CIDR mask

RITAv5's search feature allows us to filter the display using several parameters, including src and dst IP addresses. However, we cannot filter by a network subnet to identify other hosts in nearby network ranges.

Feature request: Allow search to accept src and dst parameters using a single IP or a network number using CIDR notation.

For example, in this RITA session, 52.226.139.185 is a high severity finding. One of the questions we should investigate is if there are other hosts with similar IP addresses, possibly in the same /24. RITA does not allow us to answer that question without manually inspecting each of the listed entries.

Screenshot 2024-08-02 at 8 35 30 AM
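An added example, not RITA's code, of the search semantics requested above: a src or dst parameter that accepts either a single IP or a CIDR prefix, applied to a constructed result set, plus a helper that turns one finding's address into its enclosing /24 for the follow-up question in the request. The Finding type and the sample rows are invented for the example; only 52.226.139.185 comes from the page.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Finding is a minimal stand-in for one row of the RITA results view (constructed; not RITA's schema).
type Finding struct {
	Src, Dst, Severity string
}

// Constructed sample rows: 52.226.139.185 is the destination named in the request, the rest are invented.
var sampleFindings = []Finding{
	{Src: "10.55.100.111", Dst: "52.226.139.185", Severity: "high"},
	{Src: "10.55.100.111", Dst: "52.226.139.42", Severity: "medium"}, // same /24 as the finding above
	{Src: "10.55.200.5", Dst: "52.226.140.7", Severity: "low"},       // neighbouring /24, must not match
	{Src: "10.55.100.112", Dst: "2606:4700::1111", Severity: "low"},  // IPv6 destination
}

// parseHostFilter accepts "" (no filter), a single IP ("52.226.139.185") or a CIDR prefix
// ("52.226.139.0/24") and returns a predicate over the address strings stored in a row. A bare IP
// becomes a /32 (or /128) prefix so both forms share one path; host bits are masked off.
func parseHostFilter(s string) (func(string) bool, error) {
	if s == "" {
		return func(string) bool { return true }, nil
	}
	pfx, err := netip.ParsePrefix(s)
	if err != nil {
		addr, aerr := netip.ParseAddr(s)
		if aerr != nil {
			return nil, fmt.Errorf("filter %q is neither an IP address nor a CIDR prefix", s)
		}
		pfx = netip.PrefixFrom(addr, addr.BitLen())
	}
	pfx = pfx.Masked()
	return func(v string) bool {
		a, perr := netip.ParseAddr(v)                  // a row whose address does not parse never matches
		return perr == nil && pfx.Contains(a.Unmap()) // Unmap: 4-in-6 rows still match IPv4 prefixes
	}, nil
}

// filterFindings applies independent src and dst filters, each "", a single IP or a CIDR prefix.
func filterFindings(rows []Finding, srcFilter, dstFilter string) ([]Finding, error) {
	srcOK, err := parseHostFilter(srcFilter)
	if err != nil {
		return nil, err
	}
	dstOK, err := parseHostFilter(dstFilter)
	if err != nil {
		return nil, err
	}
	var out []Finding
	for _, r := range rows {
		if srcOK(r.Src) && dstOK(r.Dst) {
			out = append(out, r)
		}
	}
	return out, nil
}

// neighbourhood answers the "/24 question": the enclosing network of one finding's address in CIDR form.
func neighbourhood(ip string, bits int) (string, error) {
	addr, err := netip.ParseAddr(ip)
	if err != nil {
		return "", err
	}
	pfx := netip.PrefixFrom(addr, bits)
	if !pfx.IsValid() {
		return "", fmt.Errorf("invalid prefix length %d for %s", bits, ip)
	}
	return pfx.Masked().String(), nil
}

func main() {
	net24, _ := neighbourhood("52.226.139.185", 24)
	rows, _ := filterFindings(sampleFindings, "", net24)
	for _, r := range rows {
		fmt.Printf("dst in %s: %s -> %s (%s)\n", net24, r.Src, r.Dst, r.Severity)
	}
}
```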

RITA Import Failure: /deployment/http_extensions_list.csv: no such file or directory

When importing logs with RITA using the rita.sh script, RITA will fail due to the lack of the required /deployment/http_extensions_list.csv file:

rita (main) $ ./rita.sh import -l ~/wardrobe99logs -d wardrobe99
[+] Running 3/3
 βœ” Container syslog-ng    Running                                          0.0s
 βœ” Container clickhouse   Running                                          0.0s
 βœ” Container rita-rita-1  Started                                          0.2s
[+] Creating 2/0
 βœ” Container syslog-ng   Running                                           0.0s
 βœ” Container clickhouse  Running                                           0.0s
2024-07-30T10:47:38Z INF Initiating new import... dataset=wardrobe99 directory=/tmp/zeek_logs rebuild=false rolling=false started_at="2024-07-30 10:47:38.771166037 +0000 UTC m=+0.006652446"
2024-07-30T10:47:39Z INF [THREAT INTEL] Adding new online feed... feed_url=https://feodotracker.abuse.ch/downloads/ipblocklist.txt
Error while reading the file open /deployment/http_extensions_list.csv: no such file or directory


	[!] open /deployment/http_extensions_list.csv: no such file or directory

[+] Stopping 1/0
 βœ” Container rita-rita-1  Stopped                                          0.0s
