activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0

custom html-report output location #521

Open gigawatts opened 4 years ago

gigawatts commented 4 years ago

An option to specify what dir these reports get created in would be very helpful.

Right now they output to either /rita-html-report (if multiple DBs) or to /your-db-name if only one DB is specified. The problem with this, especially when using the provided docker container, is that you can't output it to a volume mounted / mapped outside of the container.

If I try to create a volume mount at either of the above mentioned dirs, rita just creates a /rita-html-report1 or /your-db-name1 dir and puts them there instead. That means the ONLY current way to retrieve those reports is to use a `docker cp` command to copy the files out of the container volume. If the path the reports dump to MUST be hard-coded, and not user-choosable, at least put them inside a dir that is not /, such as /output/ or /reports/, so that the base directory can be mounted / mapped as an external volume.

ethack commented 4 years ago

Thank you for your suggestion! This should be doable, though it may take some time. An easier fix we could do right away is to change the default working directory in the docker container so the report gets created there instead of in root, as you suggested.

Sounds like you have a workaround with docker cp but if you'd like a different one you can use the --workdir option in docker (or the working_dir equivalent in docker-compose) to manually change the working directory. Combine that with mounting a base directory for the report to an external volume like you already tried and it should work. I used /tmp/ inside the container and mounted ./report/ from my host for instance.

e.g.

```shell
# note this omits the needed rita config file mapping
docker run --workdir /tmp/ --volume `pwd`/report/:/tmp/ quay.io/activecm/rita html-report dataset
```
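The same workaround expressed for docker-compose, using the `working_dir` equivalent mentioned above. This is an added example, not part of the original thread or the RITA project; the host-side `./config.yaml` path is an assumption, and the config file is assumed to already be set up the way it would be for the `docker run` command.

```yaml
# Added example: docker-compose equivalent of the --workdir workaround.
# The report is written to the container's working directory, so pointing
# working_dir at a mounted volume makes it land on the host.
version: "3"
services:
  rita:
    image: quay.io/activecm/rita
    # Report output goes to the working directory, not to /
    working_dir: /tmp/
    volumes:
      # Host directory that receives rita-html-report/ or <db-name>/
      - ./report/:/tmp/
      # Assumed host path for the rita config (container path is from the thread)
      - ./config.yaml:/etc/rita/config.yaml:ro
    command: ["html-report", "dataset"]
```

Run with `docker-compose run --rm rita`; the generated report then appears under `./report/` on the host instead of inside the container.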
gigawatts commented 4 years ago

Ah, wasn't aware of that workdir option, I'll give that a shot. Thanks!

gigawatts commented 4 years ago

Changing the default workdir worked great, and technically solves this issue. I'll leave it up to you if you want to close this issue as is, or leave it open for the "feature request" (or close and open another). I would however suggest adding this workdir option to the usage instructions, as that is a handy thing to know.

Thanks again!

gigawatts commented 4 years ago

Another sort of related issue. I've imported a dataset that, after processing, only contains information about user-agents.

```
[+] Importing [/logs]:
[-] Verifying log files have not been previously parsed into the target dataset ...
[-] Parsing logs to: my-dataset ...
[-] Parsing /logs/http.log -> my-dataset
[!] No Host data to analyze
    [!!] No local network traffic found, please check InternalSubnets in your RTIA config (/etc/rita/config.yaml)
[!] No Uconn data to analyze
    [!!] No local network traffic found, please check InternalSubnets in your RTIA config (/etc/rita/config.yaml)
[!] No DNS data to analyze
[!] No Hostname data to analyze
[!] No Beacon data to analyze
[-] UserAgent Analysis:       4949 / 4949  [==================] 100 %
[!] No certificate data to analyze
[-] Indexing log entries ...
[-] Updating metadatabase ...
[-] Done!
```

Running the "show-useragents" command returns a list of user-agents from the db, as expected.

But when running an html-report on this db, it creates several blank files (beacons, dns, bl-source, bl-destination, bl-hostnames) and fails to create several files entirely (strobes, long connections, useragents), resulting in 404 responses.

ethack commented 4 years ago

I think you might be running into this issue: https://github.com/activecm/rita/issues/493. I don't have a workaround though, as I think we just need that issue fixed.

ethack commented 4 years ago

Rather than opening a new issue, I'll summarize what I see as the steps that can close this one: