RITA is an open source framework for network traffic analysis. The framework ingests Zeek logs in TSV format and currently supports the following major features:

  • Beaconing Detection: Search for signs of beaconing behavior in and out of your network
  • DNS Tunneling Detection: Search for signs of DNS based covert channels
  • Blacklist Checking: Query blacklists to search for suspicious domains and hosts

https://github.com/activecm/rita

Note: RITA needs Zeek logs as input and a MongoDB instance as its database backend

How to set up

Using the manual installation process (https://github.com/activecm/rita/blob/master/docs/Manual%20Installation.md)

MongoDB

MongoDB is a high-performance, schema-free, document-oriented data store that's easy to deploy, manage and use (it is source-available under the SSPL rather than an OSI-approved open source licence). It's network accessible, written in C++ and offers the following features:

  • Collection oriented storage – easy storage of object-style data
  • Full index support, including on inner objects
  • Query profiling
  • Replication and fail-over support
  • Efficient storage of binary data including large objects (e.g. videos)
  • Auto-sharding for cloud-level scalability

1. Follow the steps below, which mirror the RITA manual installation page on GitHub

2. Check the vendor documentation (https://www.mongodb.com/docs/v4.2/installation/)

3. Follow the steps in the "Install MongoDB Community Edition" section. First import the public key used by the package management system; the response should be "OK":

  • wget -qO - https://www.mongodb.org/static/pgp/server-4.2.asc | sudo apt-key add -

Note: apt-key trusts this key for every apt repository on the system, and it is deprecated on Debian 11 and later; on those releases, save the key to a file under /etc/apt/keyrings and reference it with a signed-by= option in the sources entry of step 4 instead.

Note: if you receive an error indicating that gnupg is not installed, install it first:

  • sudo apt-get install gnupg

4. Create a /etc/apt/sources.list.d/mongodb-org-4.2.list file for MongoDB.

  • echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/4.2 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-4.2.list

5. Issue the following command to reload the local package database:

  • sudo apt-get update

6. Install the MongoDB packages.

  • sudo apt-get install -y mongodb-org

7. Start MongoDB

  • sudo systemctl start mongod
  • sudo systemctl status mongod

Note: If you receive an error similar to the following when starting mongod:

  • Failed to start mongod.service: Unit mongod.service not found.

Run the following command first:

  • sudo systemctl daemon-reload

8. (OPTIONAL) You can ensure that MongoDB will start following a system reboot by issuing the following command:

  • sudo systemctl enable mongod

9. Stop/Restart MongoDB

  • sudo systemctl stop mongod
  • sudo systemctl restart mongod
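None of the steps above turn on authentication, so anyone who can reach TCP port 27017 can read and modify the RITA databases; the Debian package's /etc/mongod.conf only limits that by setting bindIp: 127.0.0.1. The following added example (not code from RITA or MongoDB) audits a mongod.conf for the two settings that decide exposure, net.bindIp / net.bindIpAll and security.authorization, and runs the check against three constructed configs: a package-style default, an exposed variant and a hardened one. It assumes the YAML layout the package ships (top-level sections with indented keys) and treats only 127.0.0.1, ::1 and localhost as loopback.

```shell
#!/bin/sh
# Added example, not part of the RITA or MongoDB documentation.
# Assumes a mongod.conf with top-level "net:" / "security:" sections and
# indented keys, as shipped by the mongodb-org Debian package.

mongod_conf_check() {
  # $1 = path to mongod.conf. Exit 0 when mongod listens on loopback only AND
  # security.authorization is enabled; otherwise print FINDING lines, exit 1.
  awk '
    /^[A-Za-z]/ { section = $1; sub(/:$/, "", section); next }
    section == "net"      && /^[ \t]+bindIp:/        { bind = $2 }
    section == "net"      && /^[ \t]+bindIpAll:/     { bindall = $2 }
    section == "security" && /^[ \t]+authorization:/ { auth = $2 }
    END {
      rc = 0
      gsub(/"/, "", bind)
      if (bind == "") bind = "127.0.0.1"      # mongod default when the key is absent
      n = split(bind, addrs, ",")
      for (i = 1; i <= n; i++) {
        a = addrs[i]; gsub(/[ \t]/, "", a)
        if (a != "127.0.0.1" && a != "::1" && a != "localhost") {
          printf "FINDING: net.bindIp includes non-loopback address %s\n", a; rc = 1
        }
      }
      if (bindall == "true") { print "FINDING: net.bindIpAll is true (listens on every interface)"; rc = 1 }
      if (auth != "enabled") { print "FINDING: security.authorization is not enabled (no authentication required)"; rc = 1 }
      exit rc
    }' "$1"
}

write_sample_confs() {
  # Writes three constructed mongod.conf variants into directory $1.
  printf 'storage:\n  dbPath: /var/lib/mongodb\nnet:\n  port: 27017\n  bindIp: 127.0.0.1\n' > "$1/default.conf"
  printf 'net:\n  port: 27017\n  bindIp: 0.0.0.0   # reachable from the whole network\n' > "$1/exposed.conf"
  printf 'net:\n  port: 27017\n  bindIp: 127.0.0.1\nsecurity:\n  authorization: enabled\n' > "$1/hardened.conf"
}

# Demo run over the constructed configs.
dir=$(mktemp -d)
write_sample_confs "$dir"
for f in default exposed hardened; do
  echo "== $f.conf"
  if mongod_conf_check "$dir/$f.conf"; then
    echo "OK: loopback-only with authorization enabled"
  fi
done
rm -rf "$dir"
```

The package-style default is reported because it is unauthenticated, not because it is exposed; that is acceptable on a single-user analysis box and not on a shared one. If you do enable authorization, create a user for RITA and put the credentials in the MongoDB connection string in RITA's config.yaml (the template copied from etc/rita.yaml carries a ConnectionString setting that takes a standard mongodb:// URI; check your copy), or rita will fail to connect.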

RITA

1. Follow the steps below as indicated in GitHub (https://github.com/activecm/rita/blob/master/docs/Manual%20Installation.md)

2. Clone the RITA source code (git clone https://github.com/activecm/rita) and change into the checkout; the repository holds the Makefile, the etc/rita.yaml template and the docs. RITA is written in Go, so a Go toolchain must be installed first (the manual installation page covers this).

3. Compile and install with "make" and "make install" (only the install step needs root):

  • make
  • sudo make install

4. Now that it has compiled and installed, run rita as a test (at this point it will complain that /etc/rita/config.yaml is missing; the next steps fix that):

  • rita --version
  • rita

5. RITA requires a few directories to be created for it to function correctly.

  • sudo mkdir /etc/rita && sudo chmod 755 /etc/rita
  • sudo mkdir -p /var/lib/rita/logs && sudo chmod -R 755 /var/lib/rita

6. Copy the config file from your local RITA source code.

  • sudo cp etc/rita.yaml /etc/rita/config.yaml && sudo chmod 666 /etc/rita/config.yaml

Note: as written, chmod 666 makes config.yaml world-writable, so any local user could repoint RITA at another MongoDB instance or alter its detection thresholds. Mode 644 is sufficient if rita runs as root or as the file's owner.

7. Running rita again, the config.yaml error is gone:

  • sudo rita --version

8. Test the config

  • rita test-config

ZEEK

Zeek is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity.

1. Follow the steps below as indicated in GitHub (https://github.com/activecm/rita/blob/master/docs/Manual%20Installation.md)

2. Visit Zeek documentation

3. Make sure that you meet the prerequisites. If you don't, or don't know, scroll down to the "To install the required dependencies, you can use:" section; the Debian dependency list is:

  • sudo apt-get install cmake make gcc g++ flex bison libpcap-dev libssl-dev python3 python3-dev swig zlib1g-dev -y

4. Now install Zeek. The zeek package is not in Debian's own archive, so this assumes the Zeek binary package repository listed in the Zeek documentation has been added first (or that your distribution ships a zeek package):

  • sudo apt install zeek -y

5. Check zeek has been installed

  • zeek -v
  • zeek -h

6. We now need the zeek-cut tool, which is the standard way to pull columns out of Zeek's TSV logs (it operates on the logs, not on pcaps). Visit https://github.com/zeek

7. Now proceed to download the zeek-aux code (https://github.com/zeek/zeek-aux) to install the "zeek-cut" command. zeek-cut extracts the given columns from ASCII Zeek logs on standard input and outputs them to standard output.

8. Now we need to compile these binaries, which requires "cmake" plus the Zeek CMake scripts from https://github.com/zeek/cmake. zeek-aux pulls that repository in as a git submodule under its cmake/ folder, so clone with git clone --recursive https://github.com/zeek/zeek-aux (or run git submodule update --init inside an existing checkout) rather than copying the files in by hand.

Note: https://github.com/zeek/cmake is a collection of CMake scripts intended to be included as a git submodule in other repositories related to Zeek

9. Now build and install it (only the install step needs root; updatedb refreshes the locate database so the next step can find the binary):

  • ./configure
  • make
  • sudo make install
  • sudo updatedb

10. In order to locate the executable use

  • locate zeek-cut
  • file /usr/local/zeek/bin/zeek-cut
  • sudo cp /usr/local/zeek/bin/zeek-cut /usr/bin

11. Verify zeek-cut can be now run as a command

  • zeek-cut -h

Cheat sheet

The tool is ready to use. Here are some Zeek commands you can use (https://github.com/corelight/bro-cheatsheets)