RITAv5 – The Video Series
We’ve created a series of videos to help get you up to speed on using the new version of RITA. In this blog post, I’ll summarize what is in each video and any important commands that are covered.
1. First Look RITAv5 vs RITAv4
Covers what has changed from RITA version 4 to RITA version 5.
- Replaced MongoDB with ClickHouse as the backend database
- Heavy use of Docker for compatibility with more OSes
- Consolidation of data presentation so that all info is available in a single view
- Consolidation of the command line options
- New ASCII graphical interface based on Charm Bracelet BubbleTea
- Severity based on descriptive name instead of an arbitrary score
2. RITAv5 Architecture
Covers architecture for the network deployment of Zeek and RITA.
- Deploy on the firewall
- Deploy on a dual-homed system that sniffs a mirror of the firewall’s internal interface
3. RITAv5 Install
Covers how to install Zeek and RITAv5.
- System requirements
- Simple RITA/Zeek install via script
Commands
https://github.com/activecm/rita/releases
wget https://github.com/activecm/rita/releases/download/<RITA Version number goes here>/install-rita-zeek-here.sh
chmod +x install-rita-zeek-here.sh
./install-rita-zeek-here.sh
sudo docker images
sudo docker ps
4. RITAv5 Working with PCAPs
Covers how to check pcap files for potential command and control (C2).
- Zeek and RITA run in containers
- “zeek” and “rita” commands are actually scripts that interact with the container for you
- Convert pcaps to Zeek logs
- Convert Zeek logs to RITA data
Commands
zeek readpcap <path to pcap and file name> <path to write out Zeek logs>
rita import -l <path to Zeek logs> -d <database name>
rita list
rita view <database name>
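When there are several captures to check, the two wrapper commands above are easiest to drive from a small loop. The script below is an added example, not one of the scripts from the videos: it derives a RITA database name from each pcap file name (the sanitising rule, which keeps only letters, digits, underscore and hyphen, is an assumption of this example), writes the Zeek logs for each capture into their own directory under a log root (the default path is also an assumption), and finishes with `rita list` so you can confirm every database was created.

```shell
#!/bin/bash
# Batch "pcap -> Zeek logs -> RITA database" using the zeek/rita wrapper
# scripts described in the post. Added example, not a script from the videos;
# the database-name rule and the default log root are assumptions.
#
# usage: ./import-pcaps.sh /path/to/captures [/path/for/zeek/logs]

# Derive a database name from a pcap path: strip directories and the
# extension, then keep only [A-Za-z0-9_-] so the name is safe to pass on.
db_name_for() {
    base="${1##*/}"          # drop leading directories
    base="${base%.*}"        # drop .pcap / .pcapng
    printf '%s\n' "$base" | tr -c 'A-Za-z0-9_\n-' '_'
}

# Convert one pcap to Zeek logs and import them; $2 is the log root.
import_pcap() {
    pcap="$1"
    name="$(db_name_for "$pcap")"
    logdir="$2/$name"
    mkdir -p "$logdir"
    zeek readpcap "$pcap" "$logdir" || return 1
    rita import -l "$logdir" -d "$name"
}

main() {
    capdir="$1"
    logroot="${2:-/opt/zeek/pcap-logs}"   # assumed default location
    for f in "$capdir"/*.pcap "$capdir"/*.pcapng; do
        [ -e "$f" ] || continue           # glob matched nothing
        import_pcap "$f" "$logroot" || echo "failed: $f" >&2
    done
    rita list                             # confirm every database exists
}

# Only act when a capture directory is given; otherwise just define functions.
if [ -n "${1:-}" ]; then
    main "$@"
fi
```

Each capture keeps its own Zeek log directory, so a database can be rebuilt later from the same logs without re-reading the pcap, and a failure on one file is reported to stderr without stopping the rest of the batch.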
5. RITAv5 Live Monitoring
Setting up Zeek and RITA to monitor live data.
- Create script to run RITA within screen
- Set cron to run this script once an hour
- Verify the setup is working properly
Commands
zeek status
zeek start
cd /opt/rita
sudo nano rita-roll
#!/bin/bash
screen -S ritaimport -d -m /usr/local/bin/rita import --rolling -l /opt/zeek/logs/ -d rolling
chmod +x rita-roll
cd /etc/cron.d/
sudo nano rita
20 * * * * root /opt/rita/rita-roll
cd /opt/zeek/logs/
ll
cd <dir with current date>
ll
rita list
rita view rolling
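The cron entry above fires every hour whether or not the previous rolling import has finished, and a slow import can then overlap with the next one. The wrapper below is an added example, not the rita-roll script from the video: it builds the same `rita import --rolling` command line with the paths from the post, checks `screen -ls` for an existing `ritaimport` session before starting a new one, and logs what it did. The `run` argument and the log file path are assumptions of this example, so the cron line becomes `20 * * * * root /opt/rita/rita-roll run`.

```shell
#!/bin/bash
# rita-roll: hourly wrapper around "rita import --rolling", meant to be
# called from cron. Added example, not the script from the video; the
# paths and names come from the post, the "run" argument, the log file and
# the duplicate-session check are assumptions of this example.
#
# cron entry (/etc/cron.d/rita):
#   20 * * * * root /opt/rita/rita-roll run

RITA_BIN="${RITA_BIN:-/usr/local/bin/rita}"
ZEEK_LOGS="${ZEEK_LOGS:-/opt/zeek/logs/}"
DB_NAME="${DB_NAME:-rolling}"
SESSION="${SESSION:-ritaimport}"
LOG_FILE="${LOG_FILE:-/var/log/rita-roll.log}"   # assumed location

# Build the import command line exactly as it will be handed to screen.
build_import_cmd() {
    printf '%s import --rolling -l %s -d %s\n' "$RITA_BIN" "$ZEEK_LOGS" "$DB_NAME"
}

# Read "screen -ls" output on stdin and succeed if a session named $1 is
# listed. screen prints one line per session, e.g. "\t4242.ritaimport\t(Detached)".
session_listed() {
    grep -Eq "^[[:space:]]*[0-9]+\.$1[[:space:]]"
}

# Decide whether a new import may start: prints "start" if no session with
# our name exists, "skip" if one is still running from a previous hour.
decide() {
    if printf '%s\n' "$1" | session_listed "$SESSION"; then
        echo skip
    else
        echo start
    fi
}

main() {
    listing="$(screen -ls 2>/dev/null || true)"   # screen exits non-zero with no sessions
    if [ "$(decide "$listing")" = "skip" ]; then
        echo "$(date '+%F %T') session '$SESSION' still running, skipping" >>"$LOG_FILE"
        exit 0
    fi
    echo "$(date '+%F %T') starting rolling import" >>"$LOG_FILE"
    # -d -m: start detached; the import's own output is appended to the log file
    screen -S "$SESSION" -d -m sh -c "$(build_import_cmd) >>'$LOG_FILE' 2>&1"
}

# Only act when called with "run" (as from cron); loading the file otherwise
# just defines the functions without starting anything.
if [ "${1:-}" = "run" ]; then
    main
fi
```

The "skipping" lines in the log are worth watching: if they appear every hour, the import is taking longer than the cron interval and the host or the Zeek log volume needs attention rather than a shorter schedule.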
6. First Threat Hunt with RITAv5
We have Zeek and RITA running. Time for our first threat hunt!
- Review summary info
- Review detailed info
- Review searching and sorting
Commands
rita view rolling
rita view --stdout rolling (two dashes before stdout)
Chris has been a leader in the IT and security industry for over 20 years. He’s a published author of multiple security books and the primary author of the Cloud Security Alliance’s online training material. As a Fellow Instructor, Chris developed and delivered multiple courses for the SANS Institute. As an alumnus of Y Combinator, Chris has assisted multiple startups, helping them to improve their product security through continuous development and to identify their product market fit.