activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
https://www.activecountermeasures.com/free-tools/rita/
GNU General Public License v3.0

issue with internal to internal connections filtering #24

Open David-Aires opened 2 months ago

David-Aires commented 2 months ago

Architecture

My project is made up of several Docker containers: the DB (ClickHouse), RITA and Zeek. A volume is shared between the RITA and Zeek containers in order to access the logs.

A cron job runs every hour to import the logs into RITA. For the import, I only take the Zeek logs folder of the day in order to have only 24h in RITA (the rolling option is also set properly).

Issue

When I look at the RITA results, I see internal connections, but these should not be included because they are in the config.hjson file.

My RITA config

internal_subnets: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8"], # Private-Use Networks  RFC 1918 and ULA prefix

Results of RITA (CSV)

Medium,192.168.67.69,::,4.sophosxl.net:443,0.35,false,17848.13,0.4478907,0,0,false,0.27994618,13 hours ago,false,127,9507215,"8190:tcp:http,ssl",""
Medium,192.168.69.73,::,4.sophosxl.net:443,0.318,false,15246.996,0.41176385,0,0,false,0.27994618,13 hours ago,false,129,7049999,"8190:tcp:http,ssl",""
Medium,192.168.254.80,::,4.sophosxl.net:443,0.406,false,14735.466,0.40465924,0,0,false,0.27972972,13 hours ago,false,95,10812735,"8190:tcp:http,ssl",""
Medium,192.168.65.148,::,4.sophosxl.net:443,0.694,false,2762.3132,0,0,0,false,0.27972972,13 hours ago,false,41,346934,"8190:tcp:http,ssl",""
Medium,192.168.68.254,::,4.sophosxl.net:443,0.281,false,13474.015,0.38285214,0,0,false,0.27994618,13 hours ago,false,92,8170519,"8190:tcp:http,ssl",""

In the http.log file, you can see that this is a connection between two private IP addresses.

HTTP.log (ZEEK)

{"ts":"2024-08-19T00:04:07.612765Z","uid":"CePxkz1XSjCGti52J8","id.orig_h":"192.168.67.69","id.orig_p":51559,"id.resp_h":"192.168.65.103","id.resp_p":8190,"trans_depth":1,"method":"CONNECT","host":"4.sophosxl.net:443","uri":"4.sophosxl.net:443","version":"1.0","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"Connection Established","tags":[]}
{"ts":"2024-08-19T00:00:27.157391Z","uid":"Ce9SSN1xNdTCFXSYJb","id.orig_h":"192.168.69.73","id.orig_p":51553,"id.resp_h":"192.168.65.103","id.resp_p":8190,"trans_depth":1,"method":"CONNECT","host":"4.sophosxl.net:443","uri":"4.sophosxl.net:443","version":"1.0","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"Connection Established","tags":[]}
{"ts":"2024-08-19T00:06:52.513159Z","uid":"CzSx8H2T8WTG93K2Yi","id.orig_h":"192.168.254.80","id.orig_p":63101,"id.resp_h":"192.168.65.103","id.resp_p":8190,"trans_depth":1,"method":"CONNECT","host":"4.sophosxl.net:443","uri":"4.sophosxl.net:443","version":"1.0","request_body_len":0,"response_body_len":0,"status_code":200,"status_msg":"Connection Established","tags":[]}
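Added example, not RITA's own code: a small Python triage helper that applies the issue's internal_subnets list to Zeek http.log records and decides "internal to internal" on the id.orig_h/id.resp_h pair, not on the CONNECT host header (which names the tunnelled destination, while the TCP peer is the proxy on port 8190). The first two sample records are trimmed copies of the lines above; the third is constructed.

```python
import ipaddress
import json

# Subnets copied from the issue's config.hjson (RFC 1918 + ULA).
INTERNAL_SUBNETS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

# Two records trimmed from the issue's http.log, plus one constructed external GET.
SAMPLE_HTTP_LOG = """\
{"ts":"2024-08-19T00:04:07Z","uid":"CePxkz1XSjCGti52J8","id.orig_h":"192.168.67.69","id.orig_p":51559,"id.resp_h":"192.168.65.103","id.resp_p":8190,"method":"CONNECT","host":"4.sophosxl.net:443","uri":"4.sophosxl.net:443","status_code":200}
{"ts":"2024-08-19T00:00:27Z","uid":"Ce9SSN1xNdTCFXSYJb","id.orig_h":"192.168.69.73","id.orig_p":51553,"id.resp_h":"192.168.65.103","id.resp_p":8190,"method":"CONNECT","host":"4.sophosxl.net:443","uri":"4.sophosxl.net:443","status_code":200}
{"ts":"2024-08-19T00:10:00Z","uid":"CONSTRUCTED0001","id.orig_h":"192.168.70.5","id.orig_p":40000,"id.resp_h":"203.0.113.10","id.resp_p":80,"method":"GET","host":"example.com","uri":"/","status_code":200}
"""


def is_internal(ip: str) -> bool:
    """True when ip falls inside any configured internal subnet (v4 or v6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_SUBNETS)


def classify(record: dict) -> dict:
    """Triage verdict for one http.log record.

    internal_to_internal is decided on the IP pair only: for a CONNECT
    request, 'host' is the destination behind the proxy, while id.resp_h
    is the proxy itself, so the host header must not drive the filter."""
    src, dst = record["id.orig_h"], record["id.resp_h"]
    return {
        "uid": record["uid"],
        "src": src,
        "dst": dst,
        "host": record.get("host"),
        "proxied": record.get("method") == "CONNECT",
        "internal_to_internal": is_internal(src) and is_internal(dst),
    }


def triage(log_text: str) -> list:
    """Parse JSON-lines http.log text and classify every record."""
    return [classify(json.loads(line)) for line in log_text.splitlines() if line.strip()]


def external_candidates(log_text: str) -> list:
    """Records whose TCP peer is outside internal_subnets: the only ones
    that should reach beaconing analysis under the issue's config."""
    return [v for v in triage(log_text) if not v["internal_to_internal"]]
```

Running `triage(SAMPLE_HTTP_LOG)` marks both CONNECT records as internal to internal despite their external `host`, which is the distinction the reporter expects RITA's filter to make.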