- By Cpl Iverson, Matthew
## Overview
RITA is an open-source framework for network traffic analysis.
The framework ingests Zeek logs in TSV format and currently supports the following major features:

- Beaconing Detection: Search for signs of beaconing behavior in and out of your network
- DNS Tunneling Detection: Search for signs of DNS-based covert channels
- Blacklist Checking: Query blacklists to search for suspicious domains and hosts
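
As an added illustration of the beaconing check described above (example code written for this page, not RITA's own implementation, which is in Go and weighs more signals than interval regularity): a constructed Zeek conn.log excerpt in TSV form is parsed using its `#fields` header, and each (source, destination) pair with enough connections is scored by how regular its connection intervals are.

```python
import statistics
from collections import defaultdict

# Constructed Zeek conn.log excerpt in TSV form (the format RITA ingests).
# 10.0.0.5 contacts 203.0.113.9 about every 60 s, as a C2 beacon would;
# 10.0.0.7 talks to 198.51.100.4 at irregular intervals; 10.0.0.9 connects once.
# Addresses are documentation ranges; only the columns used below are included.
CONN_LOG = (
    "#separator \\x09\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\n"
    "1600000000.0\tCa\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\n"
    "1600000005.0\tCb\t10.0.0.7\t40001\t198.51.100.4\t80\ttcp\n"
    "1600000017.0\tCc\t10.0.0.7\t40002\t198.51.100.4\t80\ttcp\n"
    "1600000060.0\tCd\t10.0.0.5\t51001\t203.0.113.9\t443\ttcp\n"
    "1600000120.2\tCe\t10.0.0.5\t51002\t203.0.113.9\t443\ttcp\n"
    "1600000179.9\tCf\t10.0.0.5\t51003\t203.0.113.9\t443\ttcp\n"
    "1600000200.0\tCg\t10.0.0.9\t33000\t192.0.2.1\t22\ttcp\n"
    "1600000240.1\tCh\t10.0.0.5\t51004\t203.0.113.9\t443\ttcp\n"
    "1600000300.0\tCi\t10.0.0.5\t51005\t203.0.113.9\t443\ttcp\n"
    "1600000300.0\tCj\t10.0.0.7\t40003\t198.51.100.4\t80\ttcp\n"
    "1600000310.5\tCk\t10.0.0.7\t40004\t198.51.100.4\t80\ttcp\n"
)

def parse_conn_log(text):
    """Group connection timestamps by (orig_h, resp_h), using the #fields header for column names."""
    cols = None
    conns = defaultdict(list)
    for line in text.splitlines():
        if line.startswith("#fields"):
            cols = line.split("\t")[1:]
            continue
        if not line or line.startswith("#") or cols is None:
            continue
        row = dict(zip(cols, line.split("\t")))
        conns[(row["id.orig_h"], row["id.resp_h"])].append(float(row["ts"]))
    return conns

def beacon_scores(conns, min_conns=4):
    """Score each pair 0..1: 1.0 means perfectly regular intervals (coefficient of variation 0)."""
    scores = {}
    for pair, stamps in conns.items():
        if len(stamps) < min_conns:  # too few connections to judge regularity
            continue
        stamps = sorted(stamps)
        intervals = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        cv = statistics.stdev(intervals) / mean if mean > 0 else 1.0
        scores[pair] = round(1.0 - min(1.0, cv), 4)
    return scores

if __name__ == "__main__":
    for pair, score in sorted(beacon_scores(parse_conn_log(CONN_LOG)).items(), key=lambda kv: -kv[1]):
        print(f"{pair[0]} -> {pair[1]}: beacon score {score}")
```

Real traffic needs more than interval regularity (connection count, byte-size consistency and jitter handling), which is why a tool such as RITA is used rather than a score like this on its own.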
## Requirements
#### Without ZEEK
CPUs: 2+
RAM: 16GB+
STORAGE: 40GB
#### With ZEEK
CPUs: 3-8
RAM: 16GB - 128GB
STORAGE: 300GB+
NICs: 2
#### Normal Ubuntu install
```
# Install git, fetch RITA and run its installer (the installer needs root)
sudo apt install git
git clone https://github.com/activecm/rita.git
# The clone lands in the current directory, so change into it (not /rita)
cd rita
sudo ./install.sh
```
The installer's Zeek configuration step asks the following; the answers given here accept a new node.cfg and use `enp2s0` as the sniff interface:

```
Would you like to continue running the zeek configuration script and generate a new node.cfg file?
y

Would you like to include it as a sniff interface (y/n)?
y

enp2s0

would you like to replace the existing node.cfg with the above file?
yes
```

Then install the Zeek package manager and the zeek-open-connections package:

```
sudo apt install zkg
zkg install zeek/activecm/zeek-open-connections
```