#RITA
Brought to you by Offensive CounterMeasures
###Disclaimer
RITA is not production ready! This software is being released open source as it
is being worked on. The team at OCM (Offensive CounterMeasures) has been
diligently working on separating the analysis logic from the front end, which
is destined to be a product for sale by Offensive CounterMeasures.
###Current state
####Terminal output
Right now we're working on output that makes getting at your analysis data easy
and follows common Unix conventions. Ideally this output will eventually be fully
compatible with the format of Bro's logs, which should make working with it much
easier for those already versed in tools like bro-cut. This feature is being
worked on.
####Graphical front end
We're also working on getting a minimalist front end to the platform that can
be used to simply avoid the command line. This will probably take longer than
the above and should not be expected to have the data visualization features
present in the AI Hunt project.
###What's here
RITA contains all of the logic used to analyze Bro data. Given Bro logs as input,
it builds a MongoDB database that can then be queried to review that data. All of
the mathematics, lookups, and storage of Offensive CounterMeasures' AI Hunter are
available in this package. The only thing not here is the graphical front end
which Offensive CounterMeasures has created to help visualize this data.
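Both the Bro-compatible terminal output planned above and the Bro logs RITA takes as input use Bro's tab-separated log format, where a handful of `#` header directives declare the separator, the field names and the markers for unset and empty values. As an added example that is not RITA's own code, the following Go program parses that format: it honours the `#separator`, `#fields`, `#unset_field` and `#empty_field` directives and, as bro-cut users expect, distinguishes an unset field (`-`, left out of the row) from an empty one (`(empty)`, kept as an empty string). The two-record conn.log embedded in it is constructed for the example, not captured data.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// BroLog is one parsed Bro log: header metadata plus data rows keyed by the
// names on the #fields line. Unset fields ("-") are left out of a row's map
// so callers can tell "unset" apart from "(empty)".
type BroLog struct {
	Separator, EmptyField, UnsetField string
	Fields                            []string
	Rows                              []map[string]string
}

// ParseBroLog parses a Bro log; header directives override the defaults
// (tab separator, "-" for unset, "(empty)" for empty strings).
func ParseBroLog(text string) (*BroLog, error) {
	l := &BroLog{Separator: "\t", EmptyField: "(empty)", UnsetField: "-"}
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if line == "" || strings.HasPrefix(line, "#") {
			l.header(line) // blank lines carry no directive and are ignored
			continue
		}
		if l.Fields == nil {
			return nil, fmt.Errorf("line %d: data row before #fields header", n)
		}
		cols := strings.Split(line, l.Separator)
		if len(cols) != len(l.Fields) {
			return nil, fmt.Errorf("line %d: %d columns, #fields declares %d", n, len(cols), len(l.Fields))
		}
		row := make(map[string]string, len(cols))
		for i, v := range cols {
			if v == l.EmptyField {
				v = "" // present but empty
			}
			if v != l.UnsetField {
				row[l.Fields[i]] = v // unset values are simply absent
			}
		}
		l.Rows = append(l.Rows, row)
	}
	return l, sc.Err()
}

// header applies one "#directive" line. "#separator" is special: it is
// space-separated and names the separator as \xNN (e.g. "#separator \x09");
// every later directive is itself split on that separator.
func (l *BroLog) header(line string) {
	if strings.HasPrefix(line, "#separator ") {
		v := strings.TrimPrefix(line, "#separator ")
		if b, err := strconv.ParseUint(strings.TrimPrefix(v, "\\x"), 16, 8); err == nil && len(v) == 4 {
			v = string([]byte{byte(b)})
		}
		l.Separator = v
		return
	}
	parts := strings.Split(line, l.Separator)
	if len(parts) < 2 {
		return // a bare "#..." line with no value: nothing to apply
	}
	switch parts[0] {
	case "#empty_field":
		l.EmptyField = parts[1]
	case "#unset_field":
		l.UnsetField = parts[1]
	case "#fields":
		l.Fields = parts[1:]
	} // #path, #open, #close, #types and #set_separator are not needed here
}

func tsv(cols ...string) string { return strings.Join(cols, "\t") }

// SampleConnLog is a constructed two-record conn.log in Bro's format (not real
// capture data); the second record has an unset duration.
var SampleConnLog = strings.Join([]string{
	"#separator \\x09",
	tsv("#set_separator", ","), tsv("#empty_field", "(empty)"), tsv("#unset_field", "-"), tsv("#path", "conn"),
	tsv("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "proto", "service", "duration"),
	tsv("#types", "time", "string", "addr", "port", "addr", "port", "enum", "string", "interval"),
	tsv("1478000000.123456", "CXWv6p3arKYeMETxOg", "10.0.0.5", "49152", "198.51.100.20", "443", "tcp", "ssl", "3.2"),
	tsv("1478000001.000000", "CjhGID4nQcgTWjvg4c", "10.0.0.5", "53012", "10.0.0.1", "53", "udp", "dns", "-"),
	tsv("#close", "2016-11-01-01-00-00"),
}, "\n")

func main() {
	if l, err := ParseBroLog(SampleConnLog); err != nil {
		fmt.Println("parse error:", err)
	} else {
		fmt.Println(l.Fields, l.Rows)
	}
}
```

Feeding a real `conn.log` in place of the constructed sample works the same way; the parser rejects a row whose column count disagrees with `#fields`, which is the usual symptom of a log truncated mid-write by Bro's rotation.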
###Installation
- What you'll need:
- Setting up your environment:
  - Install Bro using the directions at https://www.bro.org/sphinx/install/install.html
  - Test that Bro is working by firing it up and ensuring that it is writing logs. If you're having trouble
    with Bro configuration or use, here are some helpful links:
    * Bro quick start https://www.bro.org/sphinx-git/quickstart/index.html
    * broctl https://www.bro.org/sphinx/components/broctl/README.html
  - Install MongoDB. You will need MongoDB 3.2.0, which is not in the Ubuntu 16.04 package manager; if you use your package manager, make sure it gives you at least MongoDB 3.x.
    * Download 3.2.0 at https://www.mongodb.com/download-center?jmp=nav#community
    * Select your version of Linux and download the package
  - Install GNU Netcat, and make sure that it is GNU Netcat; the nc binary from other netcat implementations will not work. http://netcat.sourceforge.net/
  - Install Go using the instructions at https://golang.org/doc/install
  - After the install we need to set a local GOPATH for our user, so let's set up a directory tree in our home directory:
    * mkdir -p $HOME/go/{src,pkg,bin}
  - Now add the GOPATH to your .bashrc file:
    * echo 'export GOPATH="$HOME/go"' >> $HOME/.bashrc
  - We will also want to add our bin folder to the PATH for this user:
    * echo 'export PATH="$PATH:$GOPATH/bin"' >> $HOME/.bashrc
  - Load your new configuration with source:
    * source $HOME/.bashrc
- Getting the sources and building them:
  - First we use go to grab the sources and dependencies for RITA:
    * go get github.com/ocmdev/rita
  - Now let's change to the rita directory:
    * cd $GOPATH/src/github.com/ocmdev/rita
  - Then build rita.
  - Now we'll install the rita binary.
  - Finally, let's install all of the supporting software.
- Configuring MongoDB:
  - If your package manager automatically installs and configures the latest MongoDB 3.x, you can skip this section.
  - Unzip the file you downloaded earlier:
    * tar -zxvf mongodb-linux-x86_64-[your OS version].tgz
  - Copy the directory to its own folder; this is where the MongoDB process will run:
    * mkdir -p <path_to_desired_folder>/mongodb && cp -R -n mongodb-linux-x86_64-3.2.10/ <path_to_desired_folder>/mongodb
  - Ensure this location is in your PATH variable; this can be done quickly with:
    * echo 'export PATH=<your_mongodb_install_directory>/mongodb-linux-x86_64-3.2.10/bin:$PATH' >> ~/.bashrc
  - Load your new bash config:
    * source $HOME/.bashrc
- Launching MongoDB:
  - Again, if your package manager automatically installs and configures MongoDB 3.x, you can skip this section.
  - Make your MongoDB data directory, usually /data/db:
    * sudo mkdir -p /data/db
  - Then give your user permission to read and write the database directory:
    * sudo chown -R <username> /data
  - At this point you can watch MongoDB do its magic before your very eyes with:
    * mongod
  - Otherwise, if you're a very busy person like us, you can fork the process as a daemon. Make the log file and give your user ownership of it (the original instructions chowned a bare mongod.log and left the chmod target off; both need the full path):
    * sudo touch /data/mongod.log && sudo chown <username> /data/mongod.log && chmod u+w /data/mongod.log
  - Then start the mongod daemon with:
    * mongod --fork --logpath /data/mongod.log
  - A tarball install of MongoDB 3.2 started this way listens on every interface with no authentication, and the database will hold your network metadata. Unless you need remote access, bind it to localhost with mongod's --bind_ip option or block the port at the host firewall.
  - If mongo is still not running, you can check out further documentation at https://docs.mongodb.com/
- Configuring the system:
  - If you installed as sudo (root) then there will be a default config file at both /usr/local/rita/etc/rita.yaml
    and /etc/rita/config.yaml.
  - You can also copy the global config from /etc to your home directory and call it .rita. If there's a .rita config, that's
    the one that will be used. Here's the order of precedence for configuration:
    - file given on the command line with the -c flag
    - $HOME/.rita
    - /etc/rita/config.yaml
    - If none of the above files successfully configures the system, then the system fails.
  - You can test a configuration file with rita testconfig PATH/TO/FILE. If the file is syntactically correct, rita
    will print the resultant configuration; if it fails, an error will be given.
  - The most important parts of the configuration file are the database path, the path to your netcat binary, a name
    for the database you'd like to create from this dataset, and of course the Bro section of the yaml file, which configures
    your parser. There are comments in the yaml file that should help with configuration.
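The precedence list above is small enough to get wrong in the obvious way (checking the files in the wrong order, or silently using /etc/rita/config.yaml when the -c file you typed does not exist). As an added example that is not RITA's own code, the following Go function implements that order and adds the check a practitioner would want before trusting a config file: because the file names the netcat binary RITA will execute and the database it will write to, a file that group or others can modify is refused rather than loaded. Treating an absent or unsafe -c path as an error instead of falling through, and the permission check itself, are choices of this example, not documented RITA behaviour; the filesystem lookup is abstracted behind a small function type so the logic can be exercised without touching disk.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Stat reports the mode of an existing path, or an error if it cannot be
// stat'ed. Abstracting it lets the resolver be tested with a fake filesystem.
type Stat func(path string) (os.FileMode, error)

// OSStat is the real filesystem implementation of Stat.
func OSStat(path string) (os.FileMode, error) {
	fi, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return fi.Mode(), nil
}

// ErrNoConfig is returned when none of the candidate files exists.
var ErrNoConfig = errors.New("no usable RITA configuration file found")

// usable rejects anything that is not a regular file or that group/others
// could write: the config names the netcat binary RITA runs and the database
// it writes to, so a writable config is a code-execution path.
func usable(path string, mode os.FileMode) error {
	if !mode.IsRegular() {
		return fmt.Errorf("%s: not a regular file", path)
	}
	if mode.Perm()&0o022 != 0 {
		return fmt.Errorf("%s: group- or world-writable (mode %04o), refusing to load", path, mode.Perm())
	}
	return nil
}

// ResolveConfigPath applies the README's precedence: the -c flag, then
// $HOME/.rita, then /etc/rita/config.yaml. An explicit -c path that is absent
// or unsafe is an error rather than a silent fallback (this example's choice).
func ResolveConfigPath(flagPath, home string, stat Stat) (string, error) {
	if flagPath != "" {
		mode, err := stat(flagPath)
		if err != nil {
			return "", fmt.Errorf("-c %s: %w", flagPath, err)
		}
		if err := usable(flagPath, mode); err != nil {
			return "", err
		}
		return flagPath, nil
	}
	var candidates []string
	if home != "" {
		candidates = append(candidates, filepath.Join(home, ".rita"))
	}
	candidates = append(candidates, "/etc/rita/config.yaml")
	for _, p := range candidates {
		mode, err := stat(p)
		if err != nil {
			continue // absent: try the next candidate
		}
		if err := usable(p, mode); err != nil {
			return "", err // present but unsafe: do not fall back past it
		}
		return p, nil
	}
	return "", ErrNoConfig
}

func main() {
	flagPath := ""
	if len(os.Args) > 2 && os.Args[1] == "-c" {
		flagPath = os.Args[2]
	}
	p, err := ResolveConfigPath(flagPath, os.Getenv("HOME"), OSStat)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("using configuration:", p)
}
```

Run it with no arguments to see which file the precedence rules would pick on your machine, or with `-c PATH` to check a specific file; a `0o022` hit means the file needs a `chmod go-w` before anything that executes the netcat path inside it should read it.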
###Getting help
Head over to OFTC and join #ocmdev for any questions you may have. Please
remember that this is an open source project, the developers working in here
have full time jobs and are not your personal tech support. So please be civil
with us.
###License
GNU GPL V3
© Offensive CounterMeasures ™
###Contributing
Want to help? We'd love that! Here are some ways to get involved ranging in
difficulty from easiest to hardest.
- Run the software and tell us when it breaks. We're happy to receive bug
  reports. Just be sure to do the following:
  - Give very specific descriptions of how to reproduce the bug
  - Let us know if you're running RITA on weird hardware
  - Tell us about the size of the test, the physical resources available, and the
- Add godoc comments to the code. This software was developed for internal use,
  mostly on the fly and as needed. This means that the code was not built to the
  typical standards of an open source project, and we would like to get it there.
- Fix style compliance issues. Just run golint and start fixing non-compliant
  code.
- Work on bug fixes. Grab from the issues list and submit fixes.
- Help add features:
  - If you'd like to become involved in the development effort, please hop on our
    OFTC channel at #ocmdev and chat with booodead about what's currently
    being worked on.
  - If you have a feature request or idea, also please hop on OFTC #ocmdev and
    chat with booodead about your idea. There's a chance we're already working on it and
    would be happy to share that work with you.
#####Submitting work:
Please keep pull requests and such as small as possible. As this is a product that
we use internally, as well as a backend for a piece of commercially supported
software, every line of code that goes in must be inspected and approved. So if it
is taking a while to get back to you on your work, or we reject code, don't be
offended; we're just paranoid and want to get this project to a very stable and
usable place.