activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0
2.51k stars, 362 forks

csv output? #580

Open bekirk opened 4 years ago

bekirk commented 4 years ago

I have noticed that in previous versions of 3, particularly 3.0.6 (I know I haven't upgraded in some time...), the output for the various show commands put quotation marks around fields that contain spaces or commas. However, in 3.3.1 this is not the case:

```
rita@rita:/opt/rita/20200806$ tail -2 useragents_3.0.6.log
"Mozilla/5.0 (iPhone; CPU iPhone OS 12_4_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",1
474cbfc664a2e9f8a8f2fb9fcb09023d,1

rita@rita:/opt/rita/20200806$ tail -2 useragents_3.3.1.log
8576125549d965101e9b34bb5b074566,1
Mozilla/5.0 (iPhone; CPU iPhone OS 13_5_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Mobile/15E148##ad-x-identifier##<creative#9>##max-request-count##100##ad-s-identifier##<Flexible#19>,1

rita@rita:/opt/rita/20200806$ tail -2 long-conns_3.0.6.log
10.11.20.16,72.35.23.4,"25:tcp:ssl,smtp 25:tcp:smtp,ssl",66.007
10.11.20.13,207.164.235.133,"25:tcp:smtp,ssl",60.8013

rita@rita:/opt/rita/20200806$ tail -2 long-conns_3.3.1.log
10.11.20.16,72.35.23.4,25:tcp:smtp,ssl 25:tcp:ssl,smtp,66.007
10.11.20.13,207.164.235.133,25:tcp:smtp,ssl,60.8013
```

I probably can fix this in current code and recompile but I was hoping that this could be something corrected in the code so going forward I wouldn't need to add it back in. I think this might have been an issue for me in a previous version of rita, and it got fixed, but then somewhere along the way changed back.

Thank you, Brian

ethack commented 4 years ago

That would be from https://github.com/activecm/rita/pull/573. I ran a comparison between the outputs before that was merged, but now I see that my dataset didn't have any entries with commas in a field like yours does.

Would it work for your use case to specify a different delimiter using the `-d` flag? e.g. `rita show-useragents -d '|' dataset`
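To make the difference concrete, here is an added Go example (not RITA's own code) that takes constructed rows modelled on the long-conns output above and writes them three ways: joined with a bare comma and no quoting (what the 3.3.1 output looks like), through `encoding/csv` with a comma (which quotes any field containing the delimiter, as 3.0.6 did), and through `encoding/csv` with `|` as the delimiter (the workaround suggested above). Reading each variant back shows why the unquoted comma output splits the port/protocol field into extra columns while the other two round-trip cleanly. The helper names are this example's own.

```go
package main

import (
	"bytes"
	"encoding/csv"
	"fmt"
	"strings"
)

// sampleRows are constructed rows modelled on the long-conns lines in the
// issue: src, dst, port:proto:service list, duration. The third field
// contains both commas and a space.
var sampleRows = [][]string{
	{"10.11.20.16", "72.35.23.4", "25:tcp:ssl,smtp 25:tcp:smtp,ssl", "66.007"},
	{"10.11.20.13", "207.164.235.133", "25:tcp:smtp,ssl", "60.8013"},
}

// naiveJoin mimics output that concatenates fields with the delimiter and
// never quotes anything, which is what the 3.3.1 output above shows.
func naiveJoin(rows [][]string, delim string) string {
	var b strings.Builder
	for _, r := range rows {
		b.WriteString(strings.Join(r, delim))
		b.WriteString("\n")
	}
	return b.String()
}

// quotedCSV writes rows with encoding/csv, which wraps a field in double
// quotes whenever it contains the delimiter, a double quote, or a newline.
func quotedCSV(rows [][]string, delim rune) (string, error) {
	var buf bytes.Buffer
	w := csv.NewWriter(&buf)
	w.Comma = delim
	if err := w.WriteAll(rows); err != nil { // WriteAll flushes for us
		return "", err
	}
	return buf.String(), nil
}

// parseCSV reads text back with the given delimiter. FieldsPerRecord = -1
// disables the per-row field-count check so ragged rows are returned
// instead of an error, letting us observe the damage unquoted commas cause.
func parseCSV(text string, delim rune) ([][]string, error) {
	r := csv.NewReader(strings.NewReader(text))
	r.Comma = delim
	r.FieldsPerRecord = -1
	return r.ReadAll()
}

// fieldCounts returns how many fields each parsed row ended up with.
func fieldCounts(rows [][]string) []int {
	counts := make([]int, len(rows))
	for i, r := range rows {
		counts[i] = len(r)
	}
	return counts
}

// roundTrip writes sampleRows in the requested style and parses the result
// back with the same delimiter, returning the per-row field counts.
func roundTrip(quote bool, delim rune) ([]int, error) {
	var text string
	if quote {
		var err error
		if text, err = quotedCSV(sampleRows, delim); err != nil {
			return nil, err
		}
	} else {
		text = naiveJoin(sampleRows, string(delim))
	}
	rows, err := parseCSV(text, delim)
	if err != nil {
		return nil, err
	}
	return fieldCounts(rows), nil
}

func main() {
	for _, c := range []struct {
		name  string
		quote bool
		delim rune
	}{
		{"unquoted comma (3.3.1 style)", false, ','},
		{"quoted comma (3.0.6 style)", true, ','},
		{"pipe delimiter (-d '|')", true, '|'},
	} {
		counts, err := roundTrip(c.quote, c.delim)
		fmt.Printf("%-30s fields per row: %v err=%v\n", c.name, counts, err)
	}
}
```

Only the first case splits the four-column rows into six and five fields; the quoted-comma output and the pipe-delimited output both come back as four fields per row, and with `|` the writer emits no quotes at all because no field contains the delimiter.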

bekirk commented 4 years ago

I could probably make that work. Easier than trying to re-parse the fields that have commas in them.

Thank you, Brian

On Fri, Aug 7, 2020 at 5:49 PM ethack notifications@github.com wrote:

> That would be from #573 https://github.com/activecm/rita/pull/573. I ran a comparison between the outputs before that was merged, but now I see that my dataset didn't have any entries with commas in a field like yours does.
>
> Would it work for your use case to specify a different delimiter using the -d flag? e.g. rita show-useragents -d '|' dataset
