RITA to detect beaconing

Follow

Matt Niswonger

• September 30, 2022 02:36

Does Firewalla have plans to implement RITA to ingest Zeek logs to detect beaconing and DNS tunneling?  I realize this may be something that's more resource intensive than the lower end boxes can support, but it would be a great feature on more business centric models (i.e. Gold and Gold Plus).

https://github.com/activecm/rita

8

• 

  Ryan Hopkins

  • September 30, 2022 02:49

  ELI5: https://www.activecountermeasures.com/threat-hunting-over-the-network-with-zeek-and-rita/

  0

  Comment actions Permalink
• 

  Firewalla

  • September 30, 2022 04:15

  Does look interesting, someone in our team was playing with it, but not sure if it production ready.

  0

  Comment actions Permalink
• 

  Matt Niswonger

  • September 30, 2022 12:07

  Would it help prioritize development if I were to submit a feature request and it received enough votes?

  0

  Comment actions Permalink
• 

  Firewalla

  • September 30, 2022 16:29

  This is a harder project since I don't think many will understand the features provided by RITA. So voting may not work. Since this is a purely internal feature, I am going to directly send it to our developers and see if they can even do it. 

  0

  Comment actions Permalink
• 

  Matt Niswonger

  • September 30, 2022 17:13

  I think it would be a great advantage.  DNS tunneling is a problem and I think this would compliment the existing DNS options in Firewalla like Unbound and DoH.  It would be great to flag low hanging fruit like NULL queries, which have no legitimate reason to be happening on most networks and would be a good indicator for a compromised machine talking to a C&C server.  Beaconing is probably more of a concern for businesses who would be targeted, so I can understand how alerting for that might be confusing for some.  

  0

  Comment actions Permalink
• 

  James Bierly

  • November 17, 2022 01:48

  Having used Rita and Zeek professionally for a while, I would be happy to help the Firewalla team do some testing on this. 

  0

  Comment actions Permalink
• 

  David

  • March 09, 2023 00:33

  Any progress with this feature?

  0

  Comment actions Permalink
• 

  James Bierly

  • March 09, 2023 01:05

  David, we just wrapped up testing Firewalla with the new Community Edition of AC-Hunter at my company. It works with minimal effort on the Firewalla side if you host it elsewhere. Our next step would be to install it locally in the Docker instance. 
  
  I will have a blog post coming soon on the work but for now here is the link to the free version of AC-Hunter. 
  AC-Hunter™ Community Edition - Active Countermeasures

  3

  Comment actions Permalink
• 

  David

  • March 19, 2023 20:54

  Sounds great, will be useful to see the blog post when you are done. What additional functionally do you like with AC-Hunter over the standard firewalla alerts. 

  1

  Comment actions Permalink
• 

  David

  • June 19, 2023 21:30

  James, do you have a link to your blog post/tutorial?

  2

  Comment actions Permalink

Please sign in to leave a comment.