Real Intelligence Threat Analytics (RITA) is an open source framework for network traffic analysis.
The framework ingests Bro Logs, and currently supports the following analysis features:
- Beaconing Detection: Search for signs of beaconing behaviour in and out of your network
- DNS Tunneling Detection Search for signs of DNS based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
- URL Length Analysis: Search for lengthy URLs indicative of malware
- Scanning Detection: Search for signs of port scans in your network
Changelog v1.1.1
Changes:
- Make some commands periodically check for program updates #255
- Update Mongo version to 3.6 #248
- Add TravisCI test automation #250
- Updating manual install documentation #265
Config file:
- UserConfig section added to a config file. This controls how often RITA checks for updates. In older versions where it doesn’t exist it will default to 14 days.
Installation
- Download the latest install.sh file from the release page
- Make the installer executable: chmod +x ./install.sh
- Run the installer: sudo ./install.sh
- Start MongoDB: sudo service mongod start
API Keys
RITA relies on the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free, and only requires a Google account.
To obtain an API key:
- Go to the Google cloud platform console.
- From the projects list, select a project or create a new one.
- If the API Manager page is not already open, open the left side menu and select API Manager.
- On the left, choose Credentials.
- Click Create credentials and then select API key.
- Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
- On the left, choose Library.
- Search for Safe Browsing.
- Click on Google Safe Browsing API.
- Near the top, click Enable.
Use
Source: https://github.com/activecm/