Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.

Overview

RITA (Real Intelligence Threat Analytics) in Jupyter Notebook

RITA is an open source framework for network traffic analysis sponsored by Active Countermeasures

RITA-J is the implementation of RITA features in Jupyter Notebook. The goal is to support all types of Firewall/Proxy/DNS logs that are in CSV, TSV, or JSON format, and make it easy to analyze, hunt and detect potential C2 activity without installing additional hardware and other components to maintain.


The sample dataset was shared by Ali Alwashali (@ali_alwashali). It contains:

  • Zeek logs from malware-traffic-analysis.net PCAP files, from 2013 to 2021
  • Suricata alerts triggered by the PCAP analysis

Features

  • Beaconing Detection: Search for signs of beaconing behavior in and out of your network
  • DNS Tunneling Detection Search for signs of DNS based covert channels (TO DO)
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts (TO DO)
  • More features will be added

Requirements

Firewall/Proxy logs that are in CSV or JSON format. If the logs are not parsed, parsing is required before analysis.
The notebook(s) support CSV files. JSON requires manuel mapping. Some helpful resources for reading and parsing JSON files:

Acquiring Logs and Working with different log formats

There are several ways to acquire logs.

An example for converting Fortinet logs:
https://github.com/lucky-luk3/Infosec_Notebooks/blob/main/Forti_VPN_Logs_Analysis-Public.ipynb

Fortinet CSV log Converter

The script below may work with all log files that use key-value pair logging.
https://github.com/N4SOC/fortilogcsv

Install

Will be added

How to Use

Will be added

You might also like...
This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.
This is a Python program that implements a vacuum cleaner as an Artificial Intelligence.

Vacuum-Cleaner Python3 This is a Python3 agent that implements a simulator for a vacuum cleaner and it is introduction to Artificial Intelligence. A s

Python implementation of the diceware password generating algorithm.
Python implementation of the diceware password generating algorithm.

Diceware Password Generator - Generate High Entropy Passwords Please Note - This Program Do Not Store Passwords In Any Form And All The Passwords Are

Python implementation for PrintNightmare using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket.

PrintNightmare Python implementation for PrintNightmare (CVE-2021-1675 / CVE-2021-34527) using standard Impacket. Installtion $ pip3 install impacket

A python implementation of the windows 95 product key check.

Windows 95 Product Key Check Info: This is a python implementation of the windows 95 product key check. This was just a bit of fun and a massive 5 hou

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit relays only.

This is a partial and quick and dirty proof of concept implementation of the following specifications to configure a tor client to use trusted exit re

Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)
Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)

Pachine Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation). Installtion $ pip3 install impacket Usage Impacket v0.9.23 -

Official implementation of the paper
Official implementation of the paper "Backdoor Attacks on Self-Supervised Learning".

SSL-Backdoor Abstract Large-scale unlabeled data has allowed recent progress in self-supervised learning methods that learn rich visual representation

Comments
  • Document coefficients, used in the score formulas

    Document coefficients, used in the score formulas

    Would it be possible to either document or comment out all coefficients, used in the last part of the score calculation? For instance: http_df['dsMadmScore'] = 1.0 - (http_df['dsMadm'] / 128.0) or http_df['Score'] = (http_df['dsScore'] + http_df['tsScore']) / 2

    Why did you use specifically those values?

    I checked the same calculations in the original RITA analyzed source code and almost all coefficients are different. And they are not described too:)

    You did an awesome work here but it would great to understand your decisions. Thus, we can adapt your source code to other log sources, use cases etc.

    documentation 
    opened by poruchikrj 2
Owner
Mehmet E.
Cyb3rMonk
Mehmet E.
Android Malware (Analysis | Scoring) System

An Obfuscation-Neglect Android Malware Scoring System Quark-Engine is also bundled with Kali Linux, BlackArch. A trust-worthy, practical tool that's r

Quark-Engine 1k Jan 4, 2023
Agile Threat Modeling Toolkit

Threagile is an open-source toolkit for agile threat modeling:

Threagile 425 Jan 7, 2023
Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228

log4j-honeypot-flask Internal network honeypot for detecting if an attacker or insider threat scans your network for log4j CVE-2021-44228 This can be

Binary Defense 144 Nov 19, 2022
log4j-tools: CVE-2021-44228 poses a serious threat to a wide range of Java-based applications

log4j-tools Quick links Click to find: Inclusions of log4j2 in compiled code Calls to log4j2 in compiled code Calls to log4j2 in source code Overview

JFrog Ltd. 171 Dec 25, 2022
Threat Intel Platform for T-POTs

GreedyBear The project goal is to extract data of the attacks detected by a TPOT or a cluster of them and to generate some feeds that can be used to p

The Honeynet Project 72 Jan 1, 2023
Pgen is the best brute force password generator and it is improved from the cupp.py

pgen Pgen is the best brute force password generator and it is improved from the cupp.py The pgen tool is dedicated to Leonardo da Vinci -Time stays l

heyheykids 2 Jan 31, 2022
Get related domains / subdomains by looking at Google Analytics IDs

DomainRelationShips ██╗ ██╗ █████╗ ██╗██████╗ ██║ ██║██╔══██╗ ██║██╔══██╗ ██║ ██║█████

Josué Encinar 161 Jan 2, 2023
Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.

The Recon-ng Framework Recon-ng content now available on Pluralsight! Recon-ng is a full-featured reconnaissance framework designed with the goal of p

null 2.4k Jan 7, 2023
🔍 IRIS: An open-source intelligence framework

IRIS is an open-source OSINT framework, consisting of modules to find information about a target by scraping sites and fetching data from APIs.

IRIS 79 Dec 20, 2022
A collection of intelligence about Log4Shell and its exploitation activity

Log4Shell-IOCs Members of the Curated Intelligence Trust Group have compiled a list of IOC feeds and threat reports focused on the recent Log4Shell ex

Curated Intel 172 Nov 17, 2022