Comments on HolisticInfoSec™: toolsmith #111: Lovely RITA, may I inquire? (blog by Russ McRee; comment feed last updated 2024-01-15)

benny, 2016-03-16 07:42 (-07:00):
Hey Russ,

Thanks for that, I'll try a bit of testing on my home network first and have a play. Exciting project BTW.

Russ McRee, 2016-03-11 13:47 (-08:00):
Benny,

Domain-joined is not really relevant or necessary here. Add a second NIC to the VM though, configure listening from there, and manage RITA from your primary. Ideally, eth1 is connected to a SPAN port or a TAP so you have broad listening exposure. Use caution on large networks though; it's easy to overwhelm yourself. Sampling can be your friend under such circumstances.

benny, 2016-03-11 05:28 (-08:00):
Hey guys, sorry for this silly question. I'm a junior sys admin so still learning.
Do I need to join this VM to our domain, or can I just load this VM on a client machine and set the vNIC to bridging mode?

_bk201, 2016-01-05 21:25 (-08:00):
Thanks for the explanation Lawrence, I'll try to run RITA directly on my Bro server (16 cores, 32 GB RAM) instead of a VM (had 4 cores, 4 GB RAM).

Lawrence Hoffman (posted as Anonymous), 2016-01-05 11:49 (-08:00):
Chewy and _bk201: Hello, I'm Lawrence Hoffman, one of the developers at Black Hills Infosec working on the RITA project. Thanks for trying RITA! In both of these cases it sounds like resource issues. At BHIS we typically run a 24 hour set of logs on a machine with at least 8 cores, 16 GB of RAM, and a 500 GB solid state drive. We also try to keep the OS install minimal to ensure that there's not a lot trying to run in parallel with the analysis.

Given all of that we often still see long running times. We're working on making the algorithms more efficient within the limitations of the Python environment, but due to the kind of processing we're doing here RITA will likely always require a fairly stout machine. It's important to remember that we're not looking for signatures; the software is actually consuming (in the case of beaconing) all of the connection information for each internal source address and performing a mathematical analysis on timestamps and destination addresses. I'd be glad to help if I can; you can contact the development team through GitHub at https://github.com/blackhillsinfosec/RITA.

_bk201, 2016-01-04 18:01 (-08:00):
I thought I'd try this with just 1 month of Bro logs, big mistake.
Thought OK I'll try with just 1 week, still big mistake.
So I ended up throwing just one day of logs at it; the logstash script took ~7 hours to run, and the beaconing module took ~4 hours to build the dictionary/run.

The OVA is a vmdk with an 11 GB partition, and it is hard to resize a vmdk (need to convert to vdi first, then boot to a live gparted CD to extend). If you have even a small amount of logs, you'll need to resize.

Definitely has potential, but like you say it's still a work in progress.

Chewy, 2016-01-02 17:10 (-08:00):
I really like the concept behind RITA and I plan to use the utility to monitor my network for intrusive behavior. I am currently having problems using the "Hunt Team Security Searching" utility when performing beacon analysis.
I modified the run.sh script to ingest my actual Bro logs... and this part seems to work. When I attempt to perform beacon analysis the utility successfully "Retrieves information from elasticsearch and builds the dictionary". It then consumes 100% of the 4 CPU cores when it "Runs the beacon analysis" and freezes at ~13%. Is there an error log to help identify the problem with beacon analysis? Thank you, Chewy.