Logan Lembke
Sadly Critical Stack has quit developing on their Bro/Zeek projects: https://github.com/criticalstack/bro-scripts We will need to find an alternative source of Zeek scripts for populating the intel log.
MISP looks interesting for aggregating threat intel feeds and integrating them with Zeek: https://www.misp-project.org/ It looks like there are two integration libraries which handle notifying Zeek of new threat intel...
We should consider storing an observation period for each unique connection. Then, we could filter over those to find the total observation period for the dataset. The beginning of the...
Hello, in order to detect network beacons associated with an external IP, RITA needs to analyze the Zeek `conn.log` (https://docs.zeek.org/en/master/logs/conn.html). In addition, to detect network beacons associated with an FQDN,...
A partial fix was introduced in #484, however the fix was not amended after PR review. I have closed #484, but the changes there will likely be helpful for anyone...
https://github.com/ocmdev/bro-mongodb Work has begun on a Bro to MongoDB plugin. Currently it does not support rolling over databases day by day. Additionally, #150 blocks the use of the plugin.
This is the solution we are using over in IPFIX-RITA
```
func (f *filtering) parseSubnetList(netList []string) ([]net.IPNet, []error) {
    var errorList []error
    var nets []net.IPNet
    for j := range netList...
```
Thank you for your report. I am able to reproduce this issue. We will reply here when we figure out what is causing the issue. Steps to reproduce the issue:...
It looks like there is an issue with the alias to localhost used by the RITA container to contact the database container. Until we push up a proper fix, you...
For example we might run the following commands for updating `host` in FQDN beaconing:
```
// push a new entry in if an entry doesn't exist for the current CID...
```