brimdata / zui

Zui is a powerful desktop application for exploring and working with data. The official front-end to the Zed lake.
https://www.brimdata.io/download/

Include RITA in Brim #1966

Open Ondjultomte opened 2 years ago

Ondjultomte commented 2 years ago

Before opening a new issue, please make sure you've reviewed the troubleshooting guide: https://github.com/brimdata/brim/wiki/Troubleshooting#opening-an-issue

Describe the solution you'd like

Would it be possible to include RITA somehow? After Zeek data is calculated, run RITA for beaconing etc.?

philrz commented 2 years ago

@Ondjultomte: Apologies for the delay in responding to your issue.

In the time since your issue was filed, the core Brim development team has been investing their time primarily in expanding the platform to be applicable to general data beyond just security. As a result, there's not currently resources available to invest in security-centric features such as including RITA as a bundled part of Brim.

That said, given the project's history and the interest from users, we're also very much in favor of folks with the most security expertise (i.e., the traditional Brim user community 😄) pursuing these kinds of enhancements, and we're ready to help make that possible. To that end, I think someone could make an interesting project from your idea. For instance, Brimcap is bundled with Brim to handle the turning of pcaps into Zeek/Suricata data, and there's a Custom Brimcap Config article in the Brimcap wiki that describes how to make Brimcap invoke customized Zeek/Suricata installs or pcap-processing tools beyond just Zeek & Suricata. I think invoking RITA could be added as a step in a "Zeek wrapper" after the logs are generated, after which the RITA output could potentially be shaped and pushed into a pool.

A different approach might be for someone familiar with the RITA detection logic to implement the equivalent using the Zed language. That would allow the skipping of installing the RITA software itself, plus it would make it easy to do the beacon detection if you already had Zeek logs rather than generating them from pcaps.

We'll hold this issue open so that users may find it and perhaps be inspired to take up the effort. If anyone needs assistance, our public Slack is always a good place to find us. Thanks for your interest in the projects!
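The second approach above (re-implementing beacon-style detection directly over Zeek logs rather than running RITA as a separate tool) can be prototyped before anyone ports it to Zed. The following is an added example, not code from the Brim/Zui project, from Brimcap, or from RITA: it parses Zeek's JSON-lines conn.log format, groups connections by (source, destination, port), and scores each pair by how regular its inter-arrival times and request sizes are. The scoring formula is a simplified heuristic in the spirit of interval-regularity checks and is an assumption of this example, not RITA's actual algorithm; the conn records and addresses are constructed for the demonstration. The same grouping and statistics map onto a `summarize ... by` style aggregation in Zed once someone takes up that port.

```python
"""Beacon-style regularity heuristic over Zeek conn logs.

Added example (not Brim/Zui, Brimcap or RITA code). The score below is a
simplified heuristic assumed for illustration, not RITA's actual algorithm.
Input is Zeek's JSON conn.log format, one record per line (constructed here).
"""
import json
import statistics
from collections import defaultdict

# Constructed sample data: host 10.0.0.5 calls 203.0.113.9:443 every ~60 s
# with a constant request size (beacon-like); host 10.0.0.7 shows irregular,
# browsing-like timing and sizes toward 198.51.100.4:80.
SAMPLE_CONN_LOG = "\n".join(
    [json.dumps({"ts": 1700000000 + 60 * i + (i % 2), "id.orig_h": "10.0.0.5",
                 "id.resp_h": "203.0.113.9", "id.resp_p": 443,
                 "orig_bytes": 512}) for i in range(12)]
    + [json.dumps({"ts": 1700000000 + t, "id.orig_h": "10.0.0.7",
                   "id.resp_h": "198.51.100.4", "id.resp_p": 80,
                   "orig_bytes": b})
       for t, b in [(3, 120), (15, 9000), (400, 70), (410, 3300),
                    (2500, 510), (2505, 80)]]
)


def parse_conn_log(text):
    """Yield one dict per non-empty line of a JSON-lines Zeek conn.log."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            yield json.loads(line)


def _dispersion(values):
    """Coefficient of variation (population stdev / mean).

    0 means perfectly regular; infinity when there is too little data or the
    mean is zero, so that such groups never look beacon-like.
    """
    if len(values) < 2:
        return float("inf")
    mean = statistics.fmean(values)
    return statistics.pstdev(values) / mean if mean else float("inf")


def beacon_scores(records, min_connections=6):
    """Score each (orig_h, resp_h, resp_p) pair in [0, 1]; higher is more regular.

    The score is the average of two regularity terms, one for inter-arrival
    intervals and one for bytes sent by the originator. Pairs with fewer than
    min_connections connections are skipped because their statistics are noise.
    """
    groups = defaultdict(list)
    for r in records:
        key = (r["id.orig_h"], r["id.resp_h"], r["id.resp_p"])
        groups[key].append((float(r["ts"]), int(r.get("orig_bytes") or 0)))

    results = {}
    for key, conns in groups.items():
        if len(conns) < min_connections:
            continue
        conns.sort()  # by timestamp
        intervals = [b[0] - a[0] for a, b in zip(conns, conns[1:])]
        sizes = [c[1] for c in conns]
        interval_score = 1.0 / (1.0 + _dispersion(intervals))
        size_score = 1.0 / (1.0 + _dispersion(sizes))
        results[key] = {
            "connections": len(conns),
            "median_interval_s": statistics.median(intervals),
            "score": round((interval_score + size_score) / 2, 3),
        }
    return results


if __name__ == "__main__":
    ranked = sorted(beacon_scores(parse_conn_log(SAMPLE_CONN_LOG)).items(),
                    key=lambda kv: -kv[1]["score"])
    for key, info in ranked:
        print(key, info)
```

Run it on a real `conn.log` by feeding the file contents to `parse_conn_log` instead of `SAMPLE_CONN_LOG`; pairs that score near 1.0 with a stable median interval are the ones worth a closer look, while the `min_connections` threshold keeps one-off connections from producing spurious high scores.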