I installed and tested this open source framework called Real Intelligence Threat Analytics (RITA), which was recently updated, against my Bro logs. It supports some interesting features such as: [2]

- Beaconing Detection

"This open source project, born from Black Hills Information Security, is now developed, funded and supported by Active CounterMeasures". A full description of RITA's capabilities and the code is available here.

I used the automated script (install.sh) with CentOS 7, which I downloaded from here. The installation is straightforward, and it verified my setup to make sure everything was installed on my box. After the installation, I edited the default configuration file (/etc/rita/config.yaml) and confirmed the following:
Next, I got a Google Safe Browsing API key [4], followed the API setup instructions here, and added it to the RITA config file.
My next step is to import my Bro logs into the database with the command:
If you want to import a single day, use the following command:
Show what is available now:
Now we can analyze a day of Bro traffic as follows:
Last step, let's create a web report that can easily be viewed with a browser:
[guy@rocknsm ~]# rita html-report bro-2018-07-27

If at some point you want to delete a day of data, use the following command in your home directory:
If you are interested in seeing this tool in action, check out John Strand's YouTube video here.

[1] https://www.activecountermeasures.com
Guy 523 Posts ISC Handler Jul 29th 2018
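To illustrate the kind of beaconing analysis RITA runs over Bro conn.log data, here is an added example of my own (not RITA's code; RITA's own beacon scoring is more elaborate than this). It parses constructed conn.log records in both the TSV form RITA ingests and JSON-lines form, then scores each source/destination pair by how regular its connection intervals are; all hosts, timestamps and uids are made up.

```python
import json
import statistics
from collections import defaultdict

# Constructed sample conn.log records, not real traffic. TSV is what RITA ingests;
# JSON lines is what many Bro deployments emit. 10.0.0.5 -> 203.0.113.9 connects
# exactly every 60 s (periodic), 10.0.0.7 -> 198.51.100.4 at irregular times.
CONN_TSV = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto
1532649600.000000\tC1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp
1532649660.000000\tC2\t10.0.0.5\t51001\t203.0.113.9\t443\ttcp
1532649720.000000\tC3\t10.0.0.5\t51002\t203.0.113.9\t443\ttcp
1532649780.000000\tC4\t10.0.0.5\t51003\t203.0.113.9\t443\ttcp
#close\t2018-07-27-23-59-59
"""
CONN_JSON = "\n".join(
    json.dumps({"ts": 1532649600.0 + off, "uid": f"J{i}", "id.orig_h": "10.0.0.7",
                "id.orig_p": 52000 + i, "id.resp_h": "198.51.100.4", "id.resp_p": 80})
    for i, off in enumerate([0, 5, 10, 3000]))


def parse_conn_records(text):
    """Yield one dict per connection from TSV (#fields header) or JSON-lines conn.log text."""
    fields = None
    for line in text.splitlines():
        if line.startswith("{"):                      # JSON-lines record
            yield json.loads(line)
        elif line.startswith("#fields"):              # TSV column names
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):       # data row; other #-lines are skipped
            yield dict(zip(fields, line.split("\t")))


def beacon_scores(records, min_conns=4):
    """Score each (orig, resp) pair in [0, 1]: 1 - coefficient of variation of its
    inter-connection gaps, so 1.0 is perfectly periodic and 0.0 is highly irregular."""
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["id.orig_h"], r["id.resp_h"])].append(float(r["ts"]))
    scores = {}
    for pair, times in by_pair.items():
        if len(times) < min_conns:                    # too few connections to judge
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        scores[pair] = round(max(0.0, 1.0 - cv), 3)
    return scores
```

Pairs with too few connections are skipped rather than scored, since periodicity cannot be judged from one or two gaps.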
Jul 29th 2018
Such a shame that RITA only supports TSV formatted logfiles. My Bro setup, and the majority, only log as JSON.
Allowing additional input formats would be great. Apart from that, I really liked the article. Thanks for sharing.
Anonymous
Jul 30th 2018
There is already a feature request for this in RITA: https://github.com/activecm/rita/issues/146
Ramprasad 1 Posts