RITA to detect beaconing

Comments

6 comments

  • Firewalla

    Does look interesting; someone on our team was playing with it, but not sure if it's production ready.
  • Matt Niswonger

    Would it help prioritize development if I were to submit a feature request and it received enough votes?
  • Firewalla

    This is a harder project since I don't think many will understand the features provided by RITA. So voting may not work. Since this is a purely internal feature, I am going to directly send it to our developers and see if they can even do it.
  • Matt Niswonger

    I think it would be a great advantage. DNS tunneling is a problem and I think this would complement the existing DNS options in Firewalla like Unbound and DoH. It would be great to flag low-hanging fruit like NULL queries, which have no legitimate reason to be happening on most networks and would be a good indicator of a compromised machine talking to a C&C server. Beaconing is probably more of a concern for businesses who would be targeted, so I can understand how alerting for that might be confusing for some.
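As an added illustration of the two checks Matt describes (flagging DNS NULL queries, and scoring regular query timing as beacon-like), here is a small Python script that runs over Zeek-style dns.log lines. It is example code written for this thread, not code from RITA, Zeek, or Firewalla. It assumes a reduced subset of Zeek's dns.log TSV columns, uses constructed sample log lines, takes the last two DNS labels as the "base domain" (no public suffix list), and scores beaconing with a simplified interval-regularity heuristic (median absolute deviation of the gaps between queries), which is in the spirit of RITA's approach but is not RITA's actual scoring.

```python
"""Flag DNS NULL queries and score per-domain query regularity (beaconing).

Example code for this thread, not RITA/Zeek/Firewalla code. The log format is a
reduced, constructed subset of Zeek's dns.log; the beacon score is a simplified
regularity heuristic, not RITA's algorithm.
"""
import statistics
from collections import defaultdict

# Constructed sample lines using a reduced subset of Zeek dns.log columns (assumption).
# 10.0.0.9 sends NULL (qtype 10) lookups to a "tunnel" domain exactly every 60 s;
# 10.0.0.5 makes ordinary, irregularly timed lookups.
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tquery\tqtype\tqtype_name
1700000000.000\t10.0.0.5\t10.0.0.1\tcdn.example.org\t1\tA
1700000010.000\t10.0.0.9\t10.0.0.1\tabc.tunnel.example\t10\tNULL
1700000015.000\t10.0.0.5\t10.0.0.1\tmail.example.org\t15\tMX
1700000070.000\t10.0.0.9\t10.0.0.1\tdef.tunnel.example\t10\tNULL
1700000130.000\t10.0.0.9\t10.0.0.1\tghi.tunnel.example\t10\tNULL
1700000190.000\t10.0.0.9\t10.0.0.1\tjkl.tunnel.example\t10\tNULL
1700000250.000\t10.0.0.9\t10.0.0.1\tmno.tunnel.example\t10\tNULL
1700000310.000\t10.0.0.9\t10.0.0.1\tpqr.tunnel.example\t10\tNULL
1700000333.000\t10.0.0.5\t10.0.0.1\twww.example.org\t1\tA
1700000450.000\t10.0.0.5\t10.0.0.1\tapi.example.org\t1\tA
1700000900.000\t10.0.0.5\t10.0.0.1\timg.example.org\t1\tA
"""


def parse_dns_log(text):
    """Parse Zeek-style TSV: the '#fields' line names the columns, other '#' lines
    (separator, path, open/close) are skipped. Returns a list of dicts."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        rec = dict(zip(fields, line.split("\t")))
        rec["ts"] = float(rec["ts"])
        records.append(rec)
    return records


def flag_null_queries(records):
    """Return (source, query) for every NULL lookup (qtype 10). NULL records have no
    normal client-side use, so each hit is a cheap, high-signal lead."""
    return [(r["id.orig_h"], r["query"]) for r in records
            if r.get("qtype_name") == "NULL" or r.get("qtype") == "10"]


def base_domain(name):
    """Last two labels of a name (simplification: ignores the public suffix list)."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def beacon_score(timestamps, min_count=5):
    """Regularity score in [0, 1]; higher is more beacon-like.

    regularity = 1 - MAD(intervals) / median(intervals), which is 1.0 for perfectly
    periodic queries and falls toward 0 as the gaps become erratic. A mild volume
    factor favours longer series. Returns 0.0 below min_count events.
    """
    if len(timestamps) < min_count:
        return 0.0
    ts = sorted(timestamps)
    intervals = [b - a for a, b in zip(ts, ts[1:])]
    med = statistics.median(intervals)
    if med <= 0:
        return 0.0
    mad = statistics.median([abs(i - med) for i in intervals])
    regularity = max(0.0, 1.0 - mad / med)
    volume = min(1.0, len(ts) / 24)  # 24 is an arbitrary saturation point (assumption)
    return round(regularity * (0.5 + 0.5 * volume), 3)


def beacon_candidates(records, threshold=0.6):
    """Group query timestamps by (source host, base domain) and keep the pairs whose
    score reaches the threshold. Grouping on the queried domain rather than the
    resolver IP matters for DNS tunneling, where every query goes via the local resolver."""
    series = defaultdict(list)
    for r in records:
        series[(r["id.orig_h"], base_domain(r["query"]))].append(r["ts"])
    scored = {pair: beacon_score(ts) for pair, ts in series.items()}
    return {pair: s for pair, s in scored.items() if s >= threshold}


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_DNS_LOG)
    for src, q in flag_null_queries(recs):
        print(f"NULL query from {src}: {q}")
    for (src, dom), score in beacon_candidates(recs).items():
        print(f"beacon-like: {src} -> {dom} score={score}")
```

On real Zeek output the same parser works on `dns.log` directly (the `#fields` header is what it keys on); the interesting tuning knobs are `min_count` and the threshold, since a legitimate NTP or update check can also be perfectly periodic, which is exactly why Firewalla was wary of exposing beaconing alerts to home users.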
  • James Bierly

    Having used RITA and Zeek professionally for a while, I would be happy to help the Firewalla team do some testing on this.