RITA (Real Intelligence Threat Analytics)

If you get value out of RITA and would like to go a step further with hunting automation, futuristic visualizations, and data enrichment, then take a look at AC-Hunter.

Brought to you by Active Countermeasures.

Sponsored by BHIS.

---

RITA is an open source framework for network traffic analysis.

The framework ingests Zeek Logs in TSV or JSON format, and currently supports the following major features:

• Beaconing Detection: Search for signs of beaconing behavior in and out of your network
• Long Connection Detection: Easily see connections that have communicated for long periods of time
• DNS Tunneling Detection: Search for signs of DNS based covert channels
• Threat Intel Feed Checking: Query threat intel feeds to search for suspicious domains and hosts

Quick Start

Please see our recommended System Requirements. RITA requires Docker Engine with the Compose plugin.

1. Download the RITA Installer for the desired version.

2. Uncompress the installer tarfile.

   tar -xf rita-<version>-installer.tar.gz
   

3. Run the install script.

   ./rita-<version>-installer/install_rita.sh
   

Supported Platforms

The following operating systems/versions and CPU architectures are supported:

OS	Versions	Platform
CentOS	9 Stream	amd64
Rocky	9	amd64
RHEL	9	amd64
Ubuntu	22.04, 24.04	amd64

Installing Zeek

RITA requires Zeek to generate network logs. If you do not already have Zeek installed, install docker-zeek and run zeek start.

Importing

Import data into RITA using the import command:

rita import --database=mydatabase --logs=~/mylogs

database is what you would like to name the dataset

logs is the path to the Zeek logs you wish to import

For datasets that should accumulate data over time, with the logs containing network info that is current (less than 24 hours old), use the --rolling flag during creation and each subsequent import into the dataset. The most common use case for this is importing logs from a Zeek sensor on a cron job each hour.

Note: For datasets that contain over 24 hours of logs, but are over 24 hours old, simply import the top-level directory of the set of logs without the --rolling flag. Importing these logs with the --rolling flag may result in incorrect results.

To destroy and recreate a dataset, use the --rebuild flag.

Configuration

See Configuration for details on adjusting scoring.

Searching

RITA follows a GitHub-style search syntax. Each field follows the <field>:<value> format, with each search criteria separated by a space. For example:

src:192.168.88.2 dst:165.227.88.15 beacon:>=90 sort:duration-desc

Supported Search Fields

Column	Field	Operators	Data Type
Severity	severity		critical|high|medium|low
Source	src		IP address
Destination	dst		IP address, FQDN
Beacon Score	beacon	>, >=, <, <=	whole number
Duration	duration	>, >=, <, <=	string, ex:(2h45m)
Subdomains	subdomains	>, >=, <, <=	whole number
Threat Intel	threat_intel		true|false

Supported Sort Fields

The sort syntax is sort:<column>-<sort direction>, with the sort direction being asc for ascending or desc for descending.

Supported Columns:

• severity
• beacon
• duration
• subdomains

CSV Output

To output the results to CSV instead of viewing them within the terminal UI, pass the --stdout or -o flag to the view command:

The flag must be before the name of the dataset.

rita view --stdout mydataset

Terminal UI Color Support

The terminal UI (TUI) supports colorful output by default. It does not need to be enabled.

Check the value of the "$TERM" variable, this should be xterm-256color. If it is not, please set this variable in your OS's version of a ~/.bash_profile, ~/.profile, etc.

Depending on the color theme of your terminal, the TUI will adjust to either a light mode or a dark mode.

If you're really fancy and like pretty colors, consider using the Catpuccin theme!