Real Intelligence Threat Analytics
meljbruno Add TravisCI test automation (#250)
Add Travis CI test automation
Latest commit 4d04d1d Nov 7, 2018

RITA (Real Intelligence Threat Analytics)

Brought to you by Active Countermeasures.

What is Here

RITA is an open source framework for network traffic analysis.

The framework ingests Bro Logs, and currently supports the following analysis features:

  • Beaconing Detection: Search for signs of beaconing behavior in and out of your network
  • DNS Tunneling Detection: Search for signs of DNS based covert channels
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts
  • URL Length Analysis: Search for lengthy URLs indicative of malware
  • Scanning Detection: Search for signs of port scans in your network

Additional functionality is being developed and will be included soon.

Automatic Installation

The automatic installer is officially supported on Ubuntu 14.04, 16.04 LTS, Security Onion, and CentOS 7.

  • Download the latest file from the release page
  • Make the installer executable: chmod +x ./
  • Run the installer: sudo ./
  • Start MongoDB: sudo service mongod start

Manual Installation

To install each component of RITA by hand, check out the instructions in the docs.

Configuration File

RITA uses a YAML format configuration file.

You can specify the location for the configuration file with the -c command line flag. If not specified, RITA will look for the configuration in /etc/rita/config.yaml.

API Keys

RITA relies on the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free and only requires a Google account.

To obtain an API key:

  • Go to the Google cloud platform console.
  • From the projects list, select a project or create a new one.
  • If the API Manager page is not already open, open the left side menu and select API Manager.
  • On the left, choose Credentials.
  • Click Create credentials and then select API key.
  • Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
  • On the left, choose Library.
  • Search for Safe Browsing.
  • Click on Google Safe Browsing API.
  • Near the top, click Enable.

Getting Started

System Requirements

  • Operating System - The preferred platform is 64-bit Ubuntu 16.04 LTS. The system should be patched and up to date using apt-get.
  • Processor (when also using Bro) - Two cores plus an additional core for every 100 Mb of traffic being captured (three cores minimum). This should be dedicated hardware, as resource congestion with other VMs can cause packets to be dropped or missed.
  • Memory - 16GB minimum. 64GB if monitoring 100Mb or more of network traffic. 128GB if monitoring 1Gb or more of network traffic.
  • Storage - 300GB minimum. 1TB or more is recommended to reduce log maintenance.
  • Network - In order to capture traffic with Bro, you will need at least 2 network interface cards (NICs). One will be for management of the system and the other will be the dedicated capture port. Intel NICs perform well and are recommended.

Obtaining Data (Generating Bro Logs):

  • Option 1: Generate PCAPs outside of Bro

    • Generate PCAP files with a packet sniffer (tcpdump, wireshark, etc.)
    • (Optional) Merge multiple PCAP files into one PCAP file
      • mergecap -w outFile.pcap inFile1.pcap inFile2.pcap
    • Generate Bro logs from the PCAP files
      • Set local_nets to your local networks
      • bro -r pcap_to_log.pcap local "Site::local_nets += { }" "Log::default_rotation_interval = 1 day"
  • Option 2: Install Bro and let it monitor an interface directly [instructions]

    • You may wish to compile Bro from source for performance reasons. This script can help automate the process.
    • The automated installer for RITA installs pre-compiled Bro binaries

Importing Data Into RITA

  • After installing, rita should be in your PATH and the config file should be set up and ready to go. Once your Bro install has collected some logs (Bro will normally rotate logs on the hour), you can run rita import. Alternatively, you can manually import existing logs using one of the following options:
  • Option 1: Import directly from the terminal (one time import)
    • rita import path/to/your/bro_logs/ database_name
  • Option 2: Set up the Bro configuration in /etc/rita/config.yaml for repeated imports
    • Set ImportDirectory to the path/to/your/bro_logs. The default is /opt/bro/logs
    • Set DBRoot to an identifier common to your set of logs

Analyzing Data With RITA

  • Option 1: Analyze one dataset
    • rita analyze dataset_name
    • Ex: rita analyze MyCompany_A
  • Option 2: Analyze all imported datasets
    • rita analyze

Examining Data With RITA

  • Use the show-X commands
  • -H displays human readable data
  • rita show-beacons dataset_name -H
  • rita show-blacklisted dataset_name -H
  • Use less to view data: rita show-beacons dataset_name -H | less -S

Getting help

Please create an issue on GitHub if you have any questions or concerns.

Contributing to RITA

To contribute to RITA visit our Contributing Guide


GNU GPL V3 © Active Countermeasures ™