activecm / rita

Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
https://www.activecountermeasures.com/free-tools/rita/
GNU General Public License v3.0
189 stars 22 forks source link

Add option to ignore attempted (but not successful) connections #29

Open Jeremy-Easi opened 2 months ago

Jeremy-Easi commented 2 months ago

We are facing RITA reporting a lot of detections for connections that are actually blocked by the firewall.

This is particularly annoying because these connections have very few information (no fqdn, no service) as zeek could not really see data to analyze (except initial SYN) so it's difficult to identity them to safely filter them out.

It would be interesting to have an option in the RITA config to not import entries from conn.log with a conn_state=0 (which means "Connection attempt seen, no reply") as this is typically a sign that the connection was blocked somewhere along the path (likely by the perimeter firewall).

I recognize that it may also mean that the C2 server is down, but whenever it would be UP and there would be connections, these logs would not be with a conn_state=0 anymore and hence would be processed by RITA. Moreover as it would be an option, one can decide to enable it or not.