Getting Started on Contributing to RITA


Intro


Back in 2017, Active Countermeasures and Black Hills Information Security released RITA, an open-source project that hunts for malicious beaconing and scanning behavior by ingesting and analyzing Zeek logs. Since then, a great number of users have cloned the project from GitHub for their own installs, and we have had quite a few requests for customizing its input and/or output. Adding your own customizations and contributing to RITA is not as daunting as it seems. Many have shared the feeling that they would need to sit down and learn Go before being able to add their own feature. This blog post is here to assure you that learning Go is not a requirement. So, bring your tinkering hats and let’s get started on contributing to RITA!

Code Structure


RITA is written in Go (Golang), a compiled language developed at Google with good built-in support for concurrency, which RITA relies on when importing and analyzing datasets. The repository is made up of several folders, each containing its own modules that handle specific tasks. The following image displays the file structure of the repository. The highlighted folders are the ones you would most likely touch when adding a new feature; the non-highlighted folders contain boilerplate and configuration code that will most likely not need to be changed.




RITA’s MongoDB layout consists of one metadatabase plus one individual database per imported dataset. Each individual database is named by the user when the logs are imported.




The metadatabase holds a collection of database records: one document per imported database, containing details about that database (such as its import and analysis state) that are useful when debugging failed or broken analysis results.
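To make the metadatabase layout concrete, here is an added example (not code from RITA or from this post) of the kind of sanity check a contributor might run over an export of that per-database collection. The struct fields (`name`, `analyzed`, `import_version`, `analyze_version`), the sample documents, and the function names are assumptions chosen to mirror the description above; they are not RITA’s actual schema or API. The input is a constructed JSON array of the shape a `mongoexport --jsonArray` of a collection would produce, so the program runs offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// DBMetaInfo models one document in the metadatabase's collection of
// imported databases. The field names are assumptions for this example,
// picked to mirror what the post says the document holds (details useful
// when debugging failed analysis). They are not RITA's real schema.
type DBMetaInfo struct {
	Name           string `json:"name"`
	Analyzed       bool   `json:"analyzed"`
	ImportVersion  string `json:"import_version"`
	AnalyzeVersion string `json:"analyze_version"`
}

// sampleMetaDB is a constructed export of the collection (not real data),
// in the JSON-array form that mongoexport --jsonArray emits.
const sampleMetaDB = `[
  {"name": "corp-2023-01-01", "analyzed": true,  "import_version": "v4.5.0", "analyze_version": "v4.5.0"},
  {"name": "corp-2023-01-02", "analyzed": false, "import_version": "v4.5.0", "analyze_version": ""},
  {"name": "lab-old",         "analyzed": true,  "import_version": "v3.1.0", "analyze_version": "v4.5.0"}
]`

// ParseMetaDB decodes an exported metadatabase collection into structs.
func ParseMetaDB(data []byte) ([]DBMetaInfo, error) {
	var docs []DBMetaInfo
	if err := json.Unmarshal(data, &docs); err != nil {
		return nil, fmt.Errorf("metadatabase export: %w", err)
	}
	return docs, nil
}

// SuspectDatabases maps each dataset name to the reasons its results should
// not be trusted: analysis never completed, or the import and the analysis
// were performed by different RITA versions. Healthy datasets are omitted.
func SuspectDatabases(docs []DBMetaInfo) map[string][]string {
	out := make(map[string][]string)
	for _, d := range docs {
		var reasons []string
		if !d.Analyzed {
			reasons = append(reasons, "analysis not completed")
		}
		if d.Analyzed && d.ImportVersion != d.AnalyzeVersion {
			reasons = append(reasons,
				fmt.Sprintf("imported with %s but analyzed with %s", d.ImportVersion, d.AnalyzeVersion))
		}
		if len(reasons) > 0 {
			out[d.Name] = reasons
		}
	}
	return out
}

func main() {
	docs, err := ParseMetaDB([]byte(sampleMetaDB))
	if err != nil {
		panic(err)
	}
	suspects := SuspectDatabases(docs)

	// Print in a stable order so the report is diffable between runs.
	names := make([]string, 0, len(suspects))
	for n := range suspects {
		names = append(names, n)
	}
	sort.Strings(names)
	for _, n := range names {
		fmt.Printf("%s: %v\n", n, suspects[n])
	}
}
```

Checks like this are where the metadatabase earns its keep: when `rita show-beacons` returns nothing for a dataset, the first question is whether the analysis step ever finished, and that answer lives in the per-database document rather than in the dataset itself.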