rita
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Closes #725 - updated incoming/outgoing bytes for TCP connections to use the orig_bytes/resp_bytes fields, which do not include header size. Non-TCP connections will use orig_ip_bytes/resp_ip_bytes, which include the header size....
Currently, the usage of orig_bytes/resp_bytes and orig_ip_bytes/resp_ip_bytes throughout the code is inconsistent. There is also a problem with beacon scores being skewed by variation in the header size of its...
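The two items above turn on which Zeek conn.log counters a tool reads: orig_bytes/resp_bytes are derived from TCP sequence numbers and so count payload only, while orig_ip_bytes/resp_ip_bytes sum IP packet lengths and therefore include IP and transport headers (and are the only byte counters available for UDP or ICMP). The Go program below is an added example, not RITA's own code, showing the selection rule those items describe: payload counters for TCP, IP-level counters otherwise, with a fallback for TCP records whose payload counters are unset ("-"). The fixed column order in ParseConnLine and the three sample lines are constructed for this example; a real parser would read the #fields header.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// ConnRecord holds the subset of Zeek conn.log fields needed to size a connection.
// The *Bytes pair comes from TCP sequence numbers (payload only); the *IPBytes
// pair sums IP packet lengths, so it includes IP/TCP/UDP headers.
type ConnRecord struct {
	UID          string
	Proto        string
	OrigBytes    int64
	RespBytes    int64
	OrigBytesSet bool // false when the field was "-" (Zeek could not determine it)
	RespBytesSet bool
	OrigIPBytes  int64
	RespIPBytes  int64
}

// parseOptInt parses a Zeek integer field, reporting "-" as unset rather than an error.
func parseOptInt(s string) (int64, bool, error) {
	if s == "-" {
		return 0, false, nil
	}
	v, err := strconv.ParseInt(s, 10, 64)
	return v, err == nil, err
}

// ParseConnLine parses one tab-separated conn.log data line. It assumes the
// default Zeek column order (ts uid id.orig_h id.orig_p id.resp_h id.resp_p
// proto service duration orig_bytes resp_bytes conn_state local_orig local_resp
// missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes ...);
// this fixed layout is an assumption of the example, a production parser
// should read the #fields header instead.
func ParseConnLine(line string) (ConnRecord, error) {
	f := strings.Split(line, "\t")
	if len(f) < 20 {
		return ConnRecord{}, fmt.Errorf("conn.log line has %d fields, need at least 20", len(f))
	}
	r := ConnRecord{UID: f[1], Proto: f[6]}
	var err error
	if r.OrigBytes, r.OrigBytesSet, err = parseOptInt(f[9]); err != nil {
		return r, fmt.Errorf("orig_bytes: %w", err)
	}
	if r.RespBytes, r.RespBytesSet, err = parseOptInt(f[10]); err != nil {
		return r, fmt.Errorf("resp_bytes: %w", err)
	}
	// The IP-level counters are populated for every protocol; treat "-" as 0.
	if r.OrigIPBytes, _, err = parseOptInt(f[17]); err != nil {
		return r, fmt.Errorf("orig_ip_bytes: %w", err)
	}
	if r.RespIPBytes, _, err = parseOptInt(f[19]); err != nil {
		return r, fmt.Errorf("resp_ip_bytes: %w", err)
	}
	return r, nil
}

// ConnectionBytes returns the bytes the originator sent and received, using the
// header-free orig_bytes/resp_bytes for TCP and the IP-level counters for every
// other protocol. A TCP record whose payload counters are unset (for example
// when Zeek never saw the handshake) falls back to the IP-level counters so the
// connection is not silently counted as zero-sized.
func ConnectionBytes(r ConnRecord) (sent, received int64, source string) {
	if r.Proto == "tcp" && r.OrigBytesSet && r.RespBytesSet {
		return r.OrigBytes, r.RespBytes, "orig_bytes/resp_bytes"
	}
	return r.OrigIPBytes, r.RespIPBytes, "orig_ip_bytes/resp_ip_bytes"
}

// Constructed sample conn.log lines (not captured from a real sensor).
var sampleConnLog = []string{
	// TCP with payload counters: 100 B out, 2000 B back; IP counters add header bytes.
	"1700000000.000000\tCx1\t10.0.0.5\t51234\t203.0.113.9\t443\ttcp\tssl\t1.5\t100\t2000\tSF\tT\tF\t0\tShADadFf\t10\t620\t12\t2640\t-",
	// UDP DNS: no sequence numbers, so only the IP-level counters are meaningful.
	"1700000001.000000\tCx2\t10.0.0.5\t40000\t10.0.0.1\t53\tudp\tdns\t0.01\t40\t120\tSF\tT\tT\t0\tDd\t1\t68\t1\t148\t-",
	// TCP seen mid-stream: payload counters are "-", so the IP-level counters are used.
	"1700000002.000000\tCx3\t10.0.0.7\t52000\t203.0.113.9\t443\ttcp\t-\t0.2\t-\t-\tOTH\tT\tF\t0\tDd\t2\t120\t2\t180\t-",
}

func main() {
	for _, line := range sampleConnLog {
		r, err := ParseConnLine(line)
		if err != nil {
			fmt.Println("skip:", err)
			continue
		}
		sent, recv, src := ConnectionBytes(r)
		fmt.Printf("%s %-4s sent=%d received=%d (from %s)\n", r.UID, r.Proto, sent, recv, src)
	}
}
```

Mixing the two counter families in one data set is what the second item warns about: the same 100-byte beacon payload looks like 620 bytes when read from orig_ip_bytes, and the header share varies with packet count, so any score built on byte-size consistency must read one family per protocol and never compare a payload count against an IP-level count.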
Originally having an issue with messages in the output from rita regarding dns: not found {map[domain:mcafee.com] map[$inc:map[subdomain_count:-1]] explodedDns} Get lots of messages like the one above just different domains...
Hi Team, I have a DNS firewall built on Ubuntu with BIND and RPZ; I wanted to leverage Zeek and RITA by installing them on the same server. However, since it's only DNS...
Hello! I am trying to install RITA on a forward node of Security Onion 2.3.61 using the latest install.sh, and the install script stops after _ \ _ _| __ __|...
RITA does not have the ability to verify whether an SSL certificate is valid. Implement verification of SSL certificates through the use of [zeek's validate-certs script](https://docs.zeek.org/en/master/scripts/policy/protocols/ssl/validate-certs.zeek.html)
RITA currently doesn't store data on URIs that were requested during a connection. - Store the URI requested during a connection. If the same URI was requested multiple times for...
If my calculations are correct, when the sleep value of a beacon is higher than 10 seconds, the connection count score is greatly impacted, which skews the overall score calculation....
Hello! I have configured the following domains in the NeverIncludeDomain section of the RITA configuration: ``` NeverIncludeDomain: - '*.spotify.com' - '*.philips.com' - '*.qnap.com' - '*.windowsupdate.com' - 'push.services.mozilla.com' - 'autopush.prod.mozaws.net' -...
Fixes #709 and excludes ip6.arpa requests similar to how in-addr.arpa requests are excluded.
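The NeverIncludeDomain patterns quoted two items above and the reverse-lookup exclusion in this PR are both instances of one filter: drop a DNS query name when it matches a configured exact name or '*.domain' wildcard, or when it sits under in-addr.arpa or ip6.arpa. The Go program below is an added example of such a filter, not RITA's own matcher. Two details are assumptions of this example rather than documented RITA behaviour: a '*.example.com' pattern also covers the apex example.com, and names are normalised by lower-casing and stripping a trailing dot before matching. The sample patterns and query names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// reverseZones are the PTR zones for IPv4 and IPv6 reverse lookups; queries
// under them are always dropped, regardless of the configured patterns.
var reverseZones = []string{"in-addr.arpa", "ip6.arpa"}

// DomainFilter decides whether a DNS query name should be excluded from analysis.
type DomainFilter struct {
	exact    map[string]struct{} // bare names: match exactly
	wildcard []string            // "*.example.com" patterns stored as "example.com"
}

// normalize lower-cases a name and strips surrounding space and the trailing
// dot, so "API.Spotify.com." and "api.spotify.com" compare equal (an assumption
// of this example; adjust if your dns.log preserves case distinctions you need).
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// NewDomainFilter builds a filter from NeverIncludeDomain-style patterns.
func NewDomainFilter(patterns []string) *DomainFilter {
	f := &DomainFilter{exact: make(map[string]struct{})}
	for _, p := range patterns {
		p = normalize(p)
		switch {
		case p == "":
			continue
		case strings.HasPrefix(p, "*."):
			f.wildcard = append(f.wildcard, p[2:])
		default:
			f.exact[p] = struct{}{}
		}
	}
	return f
}

// underZone reports whether name equals zone or is a subdomain of it. The
// leading "." in the suffix check keeps "notspotify.com" from matching "spotify.com".
func underZone(name, zone string) bool {
	return name == zone || strings.HasSuffix(name, "."+zone)
}

// Excluded reports whether name should be dropped. In this example a wildcard
// pattern covers the apex as well as its subdomains (an assumption, see lead-in).
func (f *DomainFilter) Excluded(name string) bool {
	n := normalize(name)
	if n == "" {
		return false
	}
	for _, z := range reverseZones {
		if underZone(n, z) {
			return true
		}
	}
	if _, ok := f.exact[n]; ok {
		return true
	}
	for _, w := range f.wildcard {
		if underZone(n, w) {
			return true
		}
	}
	return false
}

// Keep returns the query names that survive the filter, preserving order.
func (f *DomainFilter) Keep(names []string) []string {
	var kept []string
	for _, n := range names {
		if !f.Excluded(n) {
			kept = append(kept, n)
		}
	}
	return kept
}

// Constructed sample input (not from a real configuration or dns.log).
var samplePatterns = []string{"*.spotify.com", "*.windowsupdate.com", "push.services.mozilla.com"}

var sampleQueries = []string{
	"api.spotify.com",
	"spotify.com",
	"Push.Services.Mozilla.com.",
	"mail.push.services.mozilla.com", // bare pattern is exact, so this is kept
	"5.0.0.10.in-addr.arpa.",
	"b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa",
	"beacon.example.net",
}

func main() {
	f := NewDomainFilter(samplePatterns)
	for _, q := range sampleQueries {
		fmt.Printf("%-72s excluded=%v\n", q, f.Excluded(q))
	}
	fmt.Println("kept:", f.Keep(sampleQueries))
}
```

Note the asymmetry the sample shows: a bare entry such as push.services.mozilla.com excludes only that exact name, so mail.push.services.mozilla.com is still analysed, whereas the wildcard entries and the two reverse zones exclude whole subtrees.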