Zalgo2462
commented
1 year ago - The SSL log filter did not check the FQDN in each entry against the always and never include lists in the filter. This has been fixed. SNI beacons and JA3 hashes can now be excluded by hostname.
- The DNS log filter did not filter out internal -> internal traffic or external -> internal traffic. This was originally implemented to ensure that traffic to internal DNS resolvers was analyzed. However, this was implemented before we had the always include list. This PR ensures that the DNS log filter matches the associated Conn log filter on the IP level. When deploying RITA, any internal DNS resolvers should always be added to the IP always include list.