RITAv5 – The Video Series

We’ve created a series of videos to help get you up to speed on using the new version of RITA. In this blog post, I’ll summarize what is in each video and any important commands that are covered.

1. First Look RITAv5 vs RITAv4

Covers what has changed from RITA version 4 to RITA version 5.

  • Replaced MongoDB with ClickHouse as the backend database
  • Heavy use of Docker for compatibility with more OSes
  • Consolidation of data presentation so that all info is available in a single view
  • Consolidation of the command line options
  • New terminal (ASCII) graphical interface built on Charmbracelet Bubble Tea
  • Severity expressed as a descriptive name instead of an arbitrary numeric score

2. RITAv5 Architecture

Covers architecture for the network deployment of Zeek and RITA.

  • Deploy on the firewall
  • Deploy on a dual-homed system that sniffs a mirrored copy of the firewall’s internal interface

3. RITAv5 Install

Covers how to install Zeek and RITAv5.

  • System requirements
  • Simple RITA/Zeek install via script

Commands

https://github.com/activecm/rita/releases

wget https://github.com/activecm/rita/releases/download/<RITA Version number goes here>/install-rita-zeek-here.sh

chmod +x install-rita-zeek-here.sh
./install-rita-zeek-here.sh
sudo docker images
sudo docker ps

4. RITAv5 Working with PCAPs

Covers how to check pcap files for potential command and control (C2).

  • Zeek and RITA run in containers
  • “zeek” and “rita” commands are actually scripts that interact with the container for you
  • Convert pcaps to Zeek logs
  • Convert Zeek logs to RITA data

Commands

zeek readpcap <path to pcap and file name> <path to write out Zeek logs>
rita import -l <path to Zeek logs> -d <database name>
rita list
rita view <database name>
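
The four commands above are the whole pcap workflow, so a batch of captures is just that sequence in a loop. The script below is an added example for this post (not Active Countermeasures' own tooling): it takes any number of pcaps, runs the zeek wrapper's readpcap on each, and imports the resulting logs into a RITA database named after the capture. It assumes the "zeek" and "rita" wrapper scripts from the install are on PATH with the argument order shown above; the output root /opt/zeek/pcap-logs and the database-name sanitising rules are assumptions of this example, since the post does not state what characters RITA accepts in a database name.

```shell
#!/bin/sh
# Batch pcap-to-RITA pipeline: for each pcap, run the zeek wrapper's readpcap
# to produce Zeek logs, then import those logs into a RITA database named
# after the pcap. Added example for this post, not the project's own tooling.
# Assumes the "zeek" and "rita" wrapper scripts from the install are on PATH
# and take the arguments shown in the post.

OUT_ROOT="${OUT_ROOT:-/opt/zeek/pcap-logs}"   # assumed location for per-pcap log dirs

# Derive a safe database name from a pcap path: basename without extension,
# lowercased, anything outside [a-z0-9_-] replaced by "_". The exact naming
# rules RITA enforces are an assumption here; this keeps to a conservative set.
pcap_to_dbname() {
    name=$(basename "$1")
    name=${name%.pcapng}
    name=${name%.pcap}
    name=${name%.cap}
    printf '%s\n' "$name" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9_-]/_/g'
}

# Convert one pcap and import it. Returns non-zero if either step fails, so a
# bad capture does not silently vanish from the batch.
process_pcap() {
    pcap="$1"
    [ -r "$pcap" ] || { echo "unreadable: $pcap" >&2; return 1; }
    db=$(pcap_to_dbname "$pcap")
    logdir="$OUT_ROOT/$db"
    mkdir -p "$logdir" || return 1
    # Same two commands as in the video, with the paths filled in.
    zeek readpcap "$pcap" "$logdir" || { echo "zeek readpcap failed: $pcap" >&2; return 1; }
    rita import -l "$logdir" -d "$db" || { echo "rita import failed: $db" >&2; return 1; }
    echo "imported $pcap as database $db"
}

# Usage: ./pcap-batch.sh run capture1.pcap capture2.pcapng ...
# The "run" keyword keeps the functions side-effect free when the file is
# sourced or tested.
if [ "${1:-}" = "run" ]; then
    shift
    failed=0
    for p in "$@"; do
        process_pcap "$p" || failed=$((failed + 1))
    done
    echo "done; $failed failure(s)"
    [ "$failed" -eq 0 ]
fi
```

After the batch finishes, `rita list` should show one database per capture and `rita view <database name>` opens each one as in the video.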

5. RITAv5 Live Monitoring

Setting up Zeek and RITA to monitor live data.

  • Create a script that runs the RITA rolling import inside a screen session
  • Set cron to run this script once an hour
  • Verify the setup is working properly

Commands

zeek status
zeek start
cd /opt/rita
sudo nano rita-roll

#!/bin/bash
screen -S ritaimport -d -m /usr/local/bin/rita import --rolling -l /opt/zeek/logs/ -d rolling

chmod +x rita-roll
cd /etc/cron.d/
sudo nano rita

20 * * * * root /opt/rita/rita-roll

cd /opt/zeek/logs/
ll
cd <dir with current date>
ll
rita list
rita view rolling
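
The one-line rita-roll script above works, but if an hourly import ever takes longer than an hour, cron starts a second one on top of it. The script below is an added example for this post, not the script from the video: it keeps the same import command, database name and Zeek log path, but takes a lock so overlapping imports are skipped, writes a timestamped log, and turns the "verify the setup is working" step (a directory named with today's date under /opt/zeek/logs containing conn logs) into a check that is run before each import. The lock directory /var/lock/rita-roll.lock, the log file /var/log/rita-roll.log, the dated-directory layout of the Zeek logs, and the "run" argument on the cron line are all assumptions of this example.

```shell
#!/bin/sh
# rita-roll (hardened variant): hourly rolling import of Zeek logs into RITA.
# Added example for this post; not the script shown in the video. Uses the
# same paths as the post (/opt/zeek/logs, database "rolling") and assumes a
# "rita" wrapper on PATH. Install as /opt/rita/rita-roll and call it from
# cron as:  20 * * * * root /opt/rita/rita-roll run

ZEEK_LOGS="${ZEEK_LOGS:-/opt/zeek/logs}"
RITA_DB="${RITA_DB:-rolling}"
LOCK_DIR="${LOCK_DIR:-/var/lock/rita-roll.lock}"   # assumed lock location
LOG_FILE="${LOG_FILE:-/var/log/rita-roll.log}"     # assumed log location

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%dT%H:%M:%S%z')" "$*" >>"$LOG_FILE"
}

# Atomic lock via mkdir: returns 0 if we now hold the lock, 1 if another
# import is still running. A stale lock (left behind by a crash) is broken
# after two hours.
acquire_lock() {
    lock="$1"
    if mkdir "$lock" 2>/dev/null; then
        echo "$$" >"$lock/pid"
        return 0
    fi
    if [ -n "$(find "$lock" -maxdepth 0 -mmin +120 2>/dev/null)" ]; then
        rm -rf "$lock" && mkdir "$lock" 2>/dev/null && echo "$$" >"$lock/pid" && return 0
    fi
    return 1
}

release_lock() { rm -rf "$1"; }

# The verification step from the video as a check: does a log directory
# named after today's date exist and hold at least one conn log? Returns 0
# if so. (Dated directories with conn.* files are assumed to match the
# layout shown when running "ll" in /opt/zeek/logs.)
zeek_logs_fresh() {
    logs="$1"
    today="$(date '+%Y-%m-%d')"
    [ -d "$logs/$today" ] || return 1
    for f in "$logs/$today"/conn.*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

main() {
    command -v rita >/dev/null 2>&1 || { log "ERROR: rita not on PATH"; exit 1; }
    if ! zeek_logs_fresh "$ZEEK_LOGS"; then
        log "WARN: no conn log for today under $ZEEK_LOGS; is Zeek running? (zeek status)"
    fi
    if ! acquire_lock "$LOCK_DIR"; then
        log "SKIP: previous import still running (pid $(cat "$LOCK_DIR/pid" 2>/dev/null))"
        exit 0
    fi
    trap 'release_lock "$LOCK_DIR"' EXIT INT TERM
    log "START rita import --rolling -l $ZEEK_LOGS -d $RITA_DB"
    rita import --rolling -l "$ZEEK_LOGS" -d "$RITA_DB" >>"$LOG_FILE" 2>&1
    log "END exit=$?"
}

# Only the "run" sub-command performs an import, so the file can be sourced
# or tested without touching RITA.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Because the import runs in the foreground of the cron job rather than inside screen, its exit status lands in the log file; `tail /var/log/rita-roll.log` after the first scheduled run is then a quicker check than listing the Zeek log directories by hand, and `rita view rolling` still shows the result.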

6. First Threat Hunt with RITAv5

We have Zeek and RITA running. Time for our first threat hunt!

  • Review summary info
  • Review detailed info
  • Review searching and sorting

Commands

rita view rolling
rita view --stdout rolling (two dashes before stdout)

Interested in threat hunting tools? Check out AC-Hunter

Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
