activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
https://www.activecountermeasures.com/free-tools/rita/
GNU General Public License v3.0

rita won't run unless there's a terminal #20

Open william-stearns opened 2 months ago

william-stearns commented 2 months ago

Rita (happens to be 5.0.7) runs fine when it's on an actual logged-in terminal. When run in the background, perhaps as a cron job, one gets the following errors:

ESC[90m2024-08-13T15:45:17ZESC[0m ESC[31mERRESC[0m ESC[1munable to display progress for connection correlationESC[0m ESC[36merror=ESC[0mESC[31mESC[1m"could not open a new TTY: open /dev/tty: no such device or address"ESC[0mESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[33mWRNESC[0m ESC[1mcancelling SSL connection linkingESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[31mERRESC[0m ESC[1munable to link open ssl connectionsESC[0m ESC[36merror=ESC[0mESC[31mESC[1m"context canceled"ESC[0mESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[33mWRNESC[0m ESC[1mcancelling SSL connection linkingESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[31mERRESC[0m ESC[1munable to link ssl connectionsESC[0m ESC[36merror=ESC[0mESC[31mESC[1m"context canceled"ESC[0mESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[33mWRNESC[0m ESC[1mcancelling HTTP connection linkingESC[0m
ESC[90m2024-08-13T15:45:17ZESC[0m ESC[31mERRESC[0m ESC[1munable to link http connectionsESC[0m ESC[36merror=ESC[0mESC[31mESC[1m"context canceled"ESC[0mESC[0m

        [!] could not perform connection linking: unable to display progress for connection correlation: could not open a new TTY: open /dev/tty: no such device or address

 Container rita-rita-1  Stopping
 Container rita-rita-1  Stopped

(reported by SL and CB). We confirmed that the same command ran fine and finished importing when run on an ssh connection.

It's not clear to me whether the "cancelling SSL connection linking" and "unable to link open ssl connections" messages are related to this or not.

william-stearns commented 2 months ago

Possibly relevant issue: https://github.com/charmbracelet/bubbletea/issues/761

william-stearns commented 2 months ago

There appears to be a workaround by using the "screen" utility's ability to provide a (detachable) terminal. Instead of running "rita import ...." one can run "screen -S importer -d -m rita import ....". (Tested by CB)
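
The workaround from the last comment, wrapped so the same script works from an interactive shell and from cron. This is an added example, not code from the RITA project or from the commenters; `has_tty`, `run_with_tty`, `TTY_DEVICE` and `DRY_RUN` are names made up here, and the command to run is whatever you pass in.

```shell
#!/bin/sh
# Added example (not RITA project code): run a command directly when a
# terminal is available, otherwise under a detached screen session.
# TTY_DEVICE and DRY_RUN are hypothetical knobs of this sketch, used for testing.

# Succeeds only if the terminal device can actually be opened. From cron,
# opening /dev/tty fails with "no such device or address".
has_tty() {
    ( : <"${TTY_DEVICE:-/dev/tty}" ) 2>/dev/null
}

# Usage: run_with_tty SESSION_NAME COMMAND [ARGS...]
run_with_tty() {
    session=$1
    [ $# -gt 0 ] && shift
    if [ $# -eq 0 ]; then
        echo "usage: run_with_tty SESSION_NAME COMMAND [ARGS...]" >&2
        return 2
    fi
    if has_tty; then
        :   # interactive shell or ssh session: run the command as given
    else
        if [ -z "${DRY_RUN:-}" ] && ! command -v screen >/dev/null 2>&1; then
            echo "screen is not installed; cannot provide a terminal" >&2
            return 127
        fi
        # -d -m starts a detached session; its pseudo-terminal gives the
        # command a /dev/tty it can open.
        set -- screen -S "$session" -d -m "$@"
    fi
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"   # show what would run, without running it
        return 0
    fi
    "$@"
}

# When executed with arguments (rather than sourced), act as the wrapper.
if [ $# -gt 0 ]; then
    run_with_tty "$@"
fi
```

Because `screen -d -m` detaches, the wrapper returns as soon as the session starts, so the cron job's exit status does not tell you whether the wrapped command succeeded.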