Rita Versions

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.

v4.8.1

4 months ago

What's Changed

v4.8.0

1 year ago

What's Changed

Improvements:

Bug Fixes:

Full Changelog: https://github.com/activecm/rita/compare/v4.7.0...v4.8.0

v4.7.0

1 year ago

Changes:

Bug Fixes:

v4.6.0

1 year ago

Changes:

  • Add support for Ubuntu 20.04 to the installer (#732, #734)
  • Write DB Updates in Bulk; Summarize Internal Hosts After Analysis; Documentation Updates (#737)
  • Implement FQDN Beaconing using TLS SNI and HTTP Host (#739)
  • Change host summarizer to record max total duration instead of max individual duration found in the uconn collection (#741)
  • Implement new IP beacon scoring algorithm (#742, #743, #745)
  • Store all connection timestamps. Do not de-duplicate connections happening in the same second (#744, #749)
  • Remove MalwareDomains as a threat intel source (#746)
  • Filter external to internal traffic by default (#753)

v4.5.1

2 years ago

Changes:

  • Add support for Debian to the installer (#718)

v4.5.0

2 years ago

Changes:

  • Update Docker GoLang version to 1.17 (#712)

Bug Fixes:

  • Fixed issue where import would freeze on FQDN Beacon analysis if there were no DNS records present (#700)
  • Fixed issue in Proxy Beacon analysis where traffic was filtered in the case of an internal system communicating through an internal proxy server (#706)

v4.4.0

2 years ago

Changes:

  • Add timestamp to HTML report templates (#662)
  • Use the past 24 hours of data to analyze proxy beacons rather than just the last hour (#690)
  • The RITA parser has been updated with a number of performance tweaks (#654, #695)
  • Gather IPs for FQDN beacon analysis using DNS lookups from the past 24 hours of data rather than just the last hour (#676, #700)
  • Drop strobe limit down to 86400 (#697)
  • Add option to configuration file which filters out connections from external hosts to internal hosts (#655)

Bug Fixes:

  • Add unique indexes to beaconFQDN and beaconProxy collections (#689)
  • Add additional indexes to host collection (#687)
  • Prevented duplicate threat intel records from being created in the host collection (#683)
  • Fixed a bug where threat intel records in the host collection were not being updated when using rolling imports (#683)
  • Fixed a bug where the max beacon score listed in the host collection for a pair of hosts would never decrease when using rolling imports (#683)
  • Fixed a bug where rare signature entries might not be added to the host collection due to a race condition (#683)
  • Fixed a bug where the connection counts for each host in the host collection were under-counted when using rolling imports (#683)
  • Removed unused/broken code in max duration analysis (#683)

v4.3.1

2 years ago

Changes:

  • Extend Zeek TCP inactivity timeout (#660)
  • Remove Need for Users to Specify Proxy Servers, Fix Filter Bugs (#665)

Dev changes:

  • Clean up TODO and NOTE markers. Remove old IP index in host collection. (#622)
  • Update references from Mongo 3.6 to 4.2 (#661)

v4.3.0

2 years ago

Changes in v4.3.0

  • Handle Processing Long Connections that Haven't Closed (#647)
  • Update Mongo Version to 4.2 (#652)

Bug Fixes:

  • Fixed missing </td> in report-beacons.go and report-beaconsfqdn.go (#644)
  • Speed up beaconFQDN analysis (#638)

Documentation:

  • Fixed typo in docker compose documentation (#650)

Changes from v4.2.1 (pre-release):

  • Make --config a global option on rita command (#631)
  • Add support for detecting beacons behind HTTP proxies (#632)

Bug Fixes:

  • Remove invalid certificates from old chunks when using the rolling importer (#634)

v4.2.1

3 years ago

Changes:

  • Make --config a global option on rita command (#631)
  • Add support for detecting beacons behind HTTP proxies (#632)

Bug Fixes:

  • Remove invalid certificates from old chunks when using the rolling importer (#634)