activecm / rita-legacy

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
GNU General Public License v3.0
2.51k stars 362 forks

'Failed to connect to database: no reachable servers' using official docker image #796

Open HeroS3c-new opened 1 year ago

HeroS3c-new commented 1 year ago

I get this error: Failed to connect to database: no reachable servers when using the official docker hub image. command: docker run quay.io/activecm/rita import pcap_to_log

pcap_to_log is a folder that contains all log files generated from a pcap using zeek.

output of ls -l pcap_to_log:

-rw-r--r-- 1 loris loris   280 Apr 15 15:57 capture_loss.log
-rw-r--r-- 1 loris loris  2044 Apr 15 15:57 conn.2023-04-13-14-27-52.log
-rw-r--r-- 1 loris loris   733 Apr 15 15:57 conn.log
-rw-r--r-- 1 loris loris  1118 Apr 15 15:57 dns.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris  4063 Apr 15 15:57 files.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris  2843 Apr 15 15:57 http.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris 28021 Apr 15 15:57 loaded_scripts.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris   254 Apr 15 15:57 packet_filter.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris   707 Apr 15 15:57 stats.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris   719 Apr 15 15:57 stats.log
-rw-r--r-- 1 loris loris  1157 Apr 15 15:57 telemetry.2023-04-13-14-27-47.log
-rw-r--r-- 1 loris loris  1157 Apr 15 15:57 telemetry.log

I'm on Manjaro (Linux loris-laptop 5.15.106-1-MANJARO #1 SMP PREEMPT Wed Apr 5 09:58:14 UTC 2023 x86_64 GNU/Linux)

Zalgo2462 commented 1 year ago

Hello, please check out https://github.com/activecm/rita/blob/master/docs/Docker%20Usage.md

We recommend using docker compose in order to easily link together RITA and MongoDB.

You will first need a copy of the RITA configuration file. A copy can be found at https://raw.githubusercontent.com/activecm/rita/master/etc/rita.yaml

Next, edit that configuration file to ensure the internal subnets match your own. (See these lines) If you are using standard RFC1918 internal subnets, you may skip this step.

Then, grab a copy of the docker-compose file at https://raw.githubusercontent.com/activecm/rita/master/docker-compose.yml

Finally, run the following in the directory with the docker-compose.yml file:

export CONFIG=/path/to/your/rita/config.yaml
export LOGS=/path/to/pcap_to_log
docker compose run --rm rita import /logs dataset-name

That should kick off an import. From there, you can interrogate the data with commands like

docker compose run --rm rita show-beacons -H dataset-name

Nissen96 commented 1 year ago
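A preflight script for the compose procedure above, added here as an example; it is not part of RITA and not from the original comment. It assumes the upstream docker-compose.yml conventions this thread relies on: the file named by CONFIG is mounted into the rita container as its configuration, the directory named by LOGS is mounted as /logs, and the MongoDB service is called db (it appears as the train-db-1 container in the compose output further down). The config check rejects a ConnectionString that points at localhost, because inside the rita container that address is the rita container itself, not the database. The function names and the sample config paths are mine.

```shell
#!/bin/sh
# Preflight checks before "docker compose run --rm rita import /logs <name>".
# Added example, not RITA project code. Assumes the upstream compose layout:
# $CONFIG -> rita config in the container, $LOGS -> /logs, MongoDB service "db".

# Print the host part of the MongoDB ConnectionString in a rita.yaml.
# Handles mongodb://host:port, mongodb://user:pass@host:port/db?opts and
# mongodb://host. Returns 1 if the file has no uncommented ConnectionString.
mongo_host_from_config() {
    _line=$(grep -E '^[[:space:]]*ConnectionString:' "$1" | head -n 1)
    [ -n "$_line" ] || return 1
    _url=${_line#*ConnectionString:}
    _url=$(printf '%s' "$_url" | tr -d '[:space:]')
    _rest=${_url#mongodb://}
    _rest=${_rest##*@}        # drop user:pass@ if present
    _rest=${_rest%%/*}        # drop /database?options
    _host=${_rest%%:*}        # drop :port
    [ -n "$_host" ] || return 1
    printf '%s\n' "$_host"
}

# Under compose, "localhost" inside the rita container is the rita container,
# so MongoDB is never reachable there. Returns 0 when the host could be
# another container (e.g. the service name "db"), 1 for a loopback address.
check_compose_db_host() {
    _host=$(mongo_host_from_config "$1") || return 1
    case "$_host" in
        localhost|127.0.0.1|::1) return 1 ;;
        *) return 0 ;;
    esac
}

# The logs directory must hold at least one Zeek conn log (conn.log or a
# rotated conn.<timestamp>.log) for an import to have anything to analyse.
check_zeek_logs() {
    [ -d "$1" ] || return 1
    ls "$1"/conn*.log >/dev/null 2>&1
}

# Run every check against the CONFIG and LOGS values the compose file uses.
# Prints a reason and returns 1 on the first failure, 0 when all pass.
preflight() {
    _cfg=$1
    _logs=$2
    [ -f "$_cfg" ] || { echo "CONFIG=$_cfg is not a file"; return 1; }
    _host=$(mongo_host_from_config "$_cfg") || {
        echo "no ConnectionString found in $_cfg"; return 1; }
    check_compose_db_host "$_cfg" || {
        echo "ConnectionString host '$_host' is loopback inside the container; use the compose service name, e.g. mongodb://db:27017"
        return 1; }
    check_zeek_logs "$_logs" || { echo "LOGS=$_logs has no conn*.log"; return 1; }
    echo "ok: config=$_cfg db host=$_host logs=$_logs"
}

# Usage: CONFIG=/path/to/rita.yaml LOGS=/path/to/zeek/logs sh preflight.sh
# Runs the checks only when both variables are set, as in the compose procedure.
if [ -n "$CONFIG" ] && [ -n "$LOGS" ]; then
    preflight "$CONFIG" "$LOGS"
fi
```

Run it with the same CONFIG and LOGS exports you would pass to docker compose; a config copied from etc/rita.yaml (localhost) fails the host check, while one copied from etc/rita_docker.yaml (db) passes.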

This does not work on my Kubuntu installation, I get Failed to connect to database: no reachable servers:

docker compose run --rm rita import /logs hunt
[+] Running 10/10
 ✔ db 9 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿]      0B/0B      Pulled                                  89.9s
   ✔ 41af1b5f0f51 Pull complete                                                      20.8s
   ✔ 827435b23065 Pull complete                                                       2.5s 
   ✔ 0fcd25440a99 Pull complete                                                      21.5s
   ✔ 470027a21f64 Pull complete                                                      10.2s
   ✔ 56445177dcba Pull complete                                                      11.8s
   ✔ 94c14c6528a6 Pull complete                                                      12.9s
   ✔ 639a84cbfe37 Pull complete                                                      14.1s
   ✔ 300a296c539e Pull complete                                                      83.2s
   ✔ 5d03d7302312 Pull complete                                                      19.5s
[+] Creating 2/2
 ✔ Volume "train_db"     Created                                                      0.0s
 ✔ Container train-db-1  Created                                                      0.1s
[+] Running 1/1
 ✔ Container train-db-1  Started                                                      0.7s
[+] Running 3/3
 ✔ rita 2 layers [⣿⣿]      0B/0B      Pulled                                          7.7s
   ✔ 8f2b33455d22 Pull complete                                                       1.1s
   ✔ dc3464d53a27 Pull complete                                                       4.4s
Failed to connect to database: no reachable servers

I have Docker version 24.0.5, and I have followed all the steps you provided (fetching the config file and docker-compose.yml, setting env vars with export). The default internal subnets should be fine for me. I am using Ubuntu 23.04 (lunar) with kernel 6.2.0-33-generic and got the same issue running it without docker with a local mongodb, but I assumed it would work out of the box with Docker when fetching the correct mongo image.

Any idea what goes wrong here?

dspruell commented 5 months ago

One thing that might be at play here is not having the Dockerized configuration in use, since a successful DB connection depends on resolving the database via a container name. RITA has two default configurations to choose from in etc/, and the difference is in the connection spec:

--- rita.yaml   2024-06-15 11:40:39.833925486 -0700
+++ rita_docker.yaml    2024-06-15 11:40:39.833925486 -0700
@@ -1,7 +1,7 @@
 # This section configures the connection to the MongoDB server and the database name to use
 MongoDB:
   # See https://docs.mongodb.com/manual/reference/connection-string/
-  ConnectionString: mongodb://localhost:27017
+  ConnectionString: mongodb://db:27017
   # Example with authentication. Be sure to change the AuthenticationMechanism as well.
   # ConnectionString: mongodb://username:password@localhost:27017
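Review bot: the commented authentication example on the last context line of this hunk still reads `mongodb://username:password@localhost:27017` in rita_docker.yaml, so anyone who enables authentication under compose by uncommenting it reintroduces exactly the `no reachable servers` failure this thread is about; the docker variant should carry `# ConnectionString: mongodb://username:password@db:27017` to match the changed line above it. It is also worth a comment next to the `+` line that `db` is only valid because the compose file names the MongoDB service `db` (the container shows up as train-db-1 in the output earlier in the thread); a compose file with a different service name needs the host changed to match.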