Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/cyb3r-monk/rita-j
Implementation of RITA (Real Intelligence Threat Analytics) in Jupyter Notebook with improved scoring algorithm.
cybersecurity data-science dfir jupyter-notebook threat-hunting
Last synced: 4 days ago
- Host: GitHub
- URL: https://github.com/cyb3r-monk/rita-j
- Owner: Cyb3r-Monk
- License: gpl-3.0
- Created: 2021-12-03T11:02:05.000Z (about 3 years ago)
- Default Branch: main
- Last Pushed: 2022-07-21T12:03:46.000Z (over 2 years ago)
- Last Synced: 2024-12-10T07:10:58.446Z (13 days ago)
- Topics: cybersecurity, data-science, dfir, jupyter-notebook, threat-hunting
- Language: Jupyter Notebook
- Homepage:
- Size: 11.8 MB
- Stars: 198
- Watchers: 18
- Forks: 28
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# RITA (Real Intelligence Threat Analytics) in Jupyter Notebook
RITA is an open source framework for network traffic analysis sponsored by [Active Countermeasures](https://activecountermeasures.com/).
**RITA-J** is the implementation of RITA features in Jupyter Notebook. The goal is to support all types of Firewall/Proxy/DNS logs that are in CSV, TSV, or JSON format, and make it easy to analyze, hunt and detect potential C2 activity without installing additional hardware and other components to maintain.
---
The sample dataset was shared by Ali Alwashali ([@ali_alwashali](https://twitter.com/ali_alwashali)). It contains:
- Zeek logs from malware-traffic-analysis.net PCAP files, from 2013 to 2021
- Suricata alerts triggered by the PCAP analysis

## Features
- **Beaconing Detection**: Search for signs of beaconing behavior in and out of your network
- **DNS Tunneling Detection**: Search for signs of DNS based covert channels (TO DO)
- **Blacklist Checking**: Query blacklists to search for suspicious domains and hosts (TO DO)
- **More features will be added**

## Requirements
Firewall/Proxy logs that are in CSV or JSON format. If the logs are not parsed, parsing is required before analysis.
The notebook(s) support CSV files. JSON requires manual mapping of its fields. Some helpful resources for reading and parsing JSON files:
- https://www.w3schools.com/python/pandas/pandas_json.asp
- https://towardsdatascience.com/how-to-parse-json-data-with-python-pandas-f84fbd0b1025
- https://towardsdatascience.com/how-to-convert-json-into-a-pandas-dataframe-100b2ae1e0d8
- https://www.scaler.com/topics/how-to-open-json-file-in-python/

## Acquiring Logs and Working with different log formats
There are several ways to acquire logs.
- Reading from SIEM / DB / API
- https://infosecjupyterthon.com/workshops/day1/day1-2-Acquiring-data.html
- Export logs from SIEM in CSV/JSON
- Send logs to a Syslog server/connector -> parse -> export it to CSV/JSON file
- Export logs directly to a file, then convert it to CSV/JSON

An example for converting Fortinet logs:
https://github.com/lucky-luk3/Infosec_Notebooks/blob/main/Forti_VPN_Logs_Analysis-Public.ipynb

### **Fortinet CSV log Converter**
The script below may work with all log files that use key-value pair logging.
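As an added example (not the fortilogcsv script linked just below, and not part of RITA-J), this Python snippet shows the key=value-to-CSV conversion such a converter performs: it tokenizes Fortinet-style lines, unquotes values that contain spaces or escaped quotes, and writes a CSV whose header is the union of all keys seen. The sample log lines are constructed, not real firewall output.

```python
import csv
import io
import re

# One key=value token: the value is either double-quoted (may contain spaces
# and backslash-escaped quotes) or a bare run of non-whitespace characters.
KV_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_kv_line(line):
    """Parse one key=value log line into a dict; quoted values are unquoted."""
    fields = {}
    for key, value in KV_TOKEN.findall(line):
        if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def kv_logs_to_csv(lines):
    """Convert key=value lines to CSV text; header is the union of keys in first-seen order."""
    rows = [parse_kv_line(l) for l in lines if l.strip()]
    header = []
    for row in rows:
        for key in row:
            if key not in header:
                header.append(key)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=header, restval="")  # missing keys become ""
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


# Constructed sample lines in the Fortinet key=value style (not real logs).
SAMPLE_LINES = [
    'date=2022-01-01 time=10:00:01 devname="fw1" srcip=10.0.0.5 dstip=203.0.113.7 dstport=443 action=accept msg="TLS session"',
    'date=2022-01-01 time=10:00:31 devname="fw1" srcip=10.0.0.5 dstip=203.0.113.7 dstport=443 action=accept',
    'date=2022-01-01 time=10:01:01 devname="fw1" srcip=10.0.0.9 dstip=198.51.100.2 dstport=53 action=deny msg="blocked \\"dns\\" query"',
]

if __name__ == "__main__":
    print(kv_logs_to_csv(SAMPLE_LINES))
```

The resulting CSV can be loaded directly with `pandas.read_csv` for the notebook's beaconing analysis.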
https://github.com/N4SOC/fortilogcsv

## Install
Will be added
## How to Use
Will be added