RITA - Active Countermeasures
Real Intelligence Threat Analytics (R-I-T-A) is an open-source framework for detecting command and control communication through network traffic analysis.
The RITA framework ingests Zeek logs in TSV or JSON format, or PCAPs converted to Zeek logs for analysis.
hunt teaming. This is where an organization has a team of individuals who actively go looking for evil on a network. This makes some significant assumptions
VSagent. It hides its Command and Control (C2) traffic in the “__VIEWSTATE” parameter, which is base64 encoded. It also beacons every 30 seconds.
Beacon Detection: Search for signs of beaconing behavior in and out of your network
DNS Tunneling Detection: Identify signs of DNS-based covert channels
RITA now uses a new database called ClickHouse. Its storage approach is significantly different from the previous MongoDB setup and is much better suited to handling the static records generated by a Zeek sensor.
cd
wget https://github.com/activecm/rita/releases/download/v5.0.0-beta/rita-v5.0.0-beta.tar.gz
tar -xzvf rita-v5.0.0-beta.tar.gz
cd rita-v5.0.0-beta-installer
./install_rita.sh localhost