#RITA
Brought to you by Offensive CounterMeasures
###What's here
RITA is an open source network traffic analysis framework.
The framework ingests Bro Logs, and currently supports the following analysis features:
- Beaconing: Search for signs of beaconing behavior in and out of your network
- Blacklisted: Query blacklists to search for suspicious domains and hosts in your network traffic
- Scanning: Search for signs of port scans in your network
Additional functionality is being developed and will be included soon.
Automatic Installation
The automatic RITA installer is officially supported on Ubuntu 16.04 LTS
Clone the package:
git clone https://github.com/ocmdev/rita.git
Change into the source directory:
cd rita
Run the installer:
Note:
By default, Rita will install to /usr/local/rita.
However, you can change the install location with the -i flag.
sudo ./install.sh
or
sudo ./install.sh -i /path/to/install/directory
Manual Installation
To install each component of Rita by hand, check out the instructions in the wiki.
Configuration File
RITA contains a yaml format configuration file.
You can specify the location for the configuration file with the -c command line flag. If not specified, RITA will first look for the configuration in ~/.rita/config.yaml then /etc/rita/config.yaml.
API Keys
Rita relies on the the Google Safe Browsing API to check network log data for connections to known threats. An API key is required to use this service. Obtaining a key is free, and only requires a Google account.
To obtain an API key:
- Go to the cloud platform console.
- From the projects list, select a project or create a new one.
- If the API Manager page isn't already open, open the left side menu and select API Manager.
- On the left, choose Credentials.
- Click Create credentials and then select API key.
- Copy this API key to the APIKey field under SafeBrowsing in the configuration file.
- On the left, choose Library.
- Search for Safe Browsing.
- Click on Google Safe Browsing API.
- Near the top, click Enable.
Now replace the APIKey field under SafeBrowsing in the configuration file with the obtained key.
Getting Started
Link to video tutorial will be added soon!
###Getting help
Head over to OFTC and join #ocmdev for any questions you may have.
###License
GNU GPL V3
© Offensive CounterMeasures ™
###Contributing
Want to help? We'd love that! Here are some ways to get involved ranging in
difficulty from easiest to hardest.
-
Run the software and tell us when it breaks. We're happy to recieve bug
reports. Just be sure to do the following:
- Give very specific descriptions of how to reproduce the bug
- Let us know if you're running RITA on weird hardware
- Tell us about the size of the test, and the physical resources available
-
Add godoc comments to the code. This software was developed for internal use
mostly on the fly and as needed. This means that the code was not built to the
typical standards of an open source project and we would like to get it there.
-
Fix style compliance issues. Just run golint and start fixing non-compliant
code.
-
Work on bug fixes. Grab from the issues list and submit fixes.
-
Help add features:
- If you would like to become involved in the development effort, please hop on our
OFTC channel at #ocmdev and chat about what's currently being worked on.
#####Submitting work:
Please send pull requests and such as small as possible. As this is a product that
we use internally, as well as a backend for a piece of commercially supported
software. Every line of code that goes in must be inspected and approved. So if it
is taking a while to get back to you on your work, or we reject code, don't be
offended, we're just paranoid and desire to get this project to a very stable and
useable place.