
FEATURE: SNI beacons for RITA

Open maxwets opened this issue 2 years ago • 2 comments

Currently, the RITA module only parses the following files in /nsm/rita:

  • long-connections.csv
  • beacons.csv
  • exploded-dns.csv

RITA also supports the show-beacons-sni command (see RITA PR 739) that detects beaconing using TLS server name identification / HTTP Host.

maxwets avatar Dec 07 '23 14:12 maxwets

If you can provide sample logs we can look at including it in the future.

weslambert avatar Dec 07 '23 14:12 weslambert

I just made a PR for this issue. The output of rita show-beacons-sni is a CSV containing the following columns (this output is exactly the same as for show-beacons, except for the third column, SNI): Score,Source IP,SNI,Connections,Avg. Bytes,Total Bytes,TS Score,DS Score,Dur Score,Hist Score,Top Intvl

maxwets avatar Dec 07 '23 15:12 maxwets
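The comment above gives the exact column header that rita show-beacons-sni writes. The following added example (written for this page, not code from the Security Onion RITA module or from the PR mentioned above) parses a CSV with that header into typed records, rejects a file whose header does not match, and filters rows by beacon score. The sample rows, the numeric formats assumed for each column, and the 0.9 score threshold are constructed for illustration; RITA's real output may format numbers differently, so the header check is the part to keep and the type conversions are the part to verify against actual logs.

```python
import csv
import io
from dataclasses import dataclass

# Header exactly as stated in the issue thread for `rita show-beacons-sni`.
# Only the third column (SNI) differs from the show-beacons output.
EXPECTED_HEADER = [
    "Score", "Source IP", "SNI", "Connections", "Avg. Bytes", "Total Bytes",
    "TS Score", "DS Score", "Dur Score", "Hist Score", "Top Intvl",
]


@dataclass
class SniBeacon:
    score: float        # overall beacon score, 0..1
    source_ip: str      # internal host that initiated the connections
    sni: str            # TLS server name (or HTTP Host) that was contacted
    connections: int
    avg_bytes: float
    total_bytes: int
    ts_score: float     # timestamp (interval regularity) sub-score
    ds_score: float     # data size regularity sub-score
    dur_score: float    # duration sub-score
    hist_score: float   # histogram sub-score
    top_intvl: int      # most common interval, assumed to be in seconds


def parse_sni_beacons(text: str) -> list[SniBeacon]:
    """Parse show-beacons-sni CSV text into SniBeacon records.

    Raises ValueError if the header is not the one documented in the issue,
    so a format change in RITA fails loudly instead of silently mis-mapping
    columns (e.g. treating SNI as a connection count).
    """
    reader = csv.DictReader(io.StringIO(text))
    if reader.fieldnames != EXPECTED_HEADER:
        raise ValueError(f"unexpected header: {reader.fieldnames}")
    beacons = []
    for row in reader:
        beacons.append(SniBeacon(
            score=float(row["Score"]),
            source_ip=row["Source IP"].strip(),
            sni=row["SNI"].strip(),
            connections=int(row["Connections"]),
            avg_bytes=float(row["Avg. Bytes"]),
            total_bytes=int(row["Total Bytes"]),
            ts_score=float(row["TS Score"]),
            ds_score=float(row["DS Score"]),
            dur_score=float(row["Dur Score"]),
            hist_score=float(row["Hist Score"]),
            top_intvl=int(row["Top Intvl"]),
        ))
    return beacons


def high_score_beacons(beacons: list[SniBeacon], threshold: float = 0.9) -> list[SniBeacon]:
    """Return rows at or above the score threshold, highest score first."""
    return sorted((b for b in beacons if b.score >= threshold),
                  key=lambda b: b.score, reverse=True)


# Constructed sample output: two rows, one strongly periodic and one noisy.
# The IPs and names are placeholders, not observed data.
SAMPLE_CSV = """Score,Source IP,SNI,Connections,Avg. Bytes,Total Bytes,TS Score,DS Score,Dur Score,Hist Score,Top Intvl
0.987,10.0.0.5,updates.example-cdn.invalid,1440,512.5,738000,0.998,0.975,0.950,0.990,60
0.412,10.0.0.7,www.example.test,12,8300.0,99600,0.400,0.500,0.300,0.450,3600
"""

if __name__ == "__main__":
    for b in high_score_beacons(parse_sni_beacons(SAMPLE_CSV)):
        print(f"{b.score:.3f} {b.source_ip} -> {b.sni} every ~{b.top_intvl}s ({b.connections} conns)")
```

The header comparison is deliberately strict: an ingest script that positionally maps columns would, after a column reorder, write the SNI string into a numeric field or, worse, attribute the beacon score to the wrong host, and fail only at query time. Failing at parse time keeps the imported data trustworthy.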