rita icon indicating copy to clipboard operation
rita copied to clipboard

Published 20 hours ago verified publisher icon activecm

Documentation for RITA output

Open ethack opened this issue 6 years ago • 2 comments

Specifically, the beacon output has tables with obtuse labels, but other modules would benefit as well.

When you run "rita show-beacons", you get a nifty report with the column titles: Score,Source,Destination,Connections,Avg Bytes,TS Range,DS Range,TS Mode,DS Mode,TS Mode Count,DS Mode Count,TS Skew,DS Skew,TS Dispersion,DS Dispersion,TS Duration

  • How are the values generated?
  • What values represent good or bad? (example: score close to 1.0 is a beacon, score close to 0 is not).

ethack avatar Nov 28 '18 21:11 ethack

Do we want a markdown document in the docs folder that runs through all the show commands, or on the --help for each show command, or something else?

carrohan avatar Jul 26 '19 16:07 carrohan

I would argue in favor of a Markdown document under the docs folder. I think that's the whole point of it !

Maybe out of topic here, but one could also expect to find some documentation on the internals / processes of the analyzer part (for beaconing).

Spriithy avatar Jan 03 '20 09:01 Spriithy