An open-source framework for detecting command and control communication through network traffic analysis using Zeek logs.
RITA (Real Intelligence Threat Analytics) is an open-source framework for network traffic analysis that detects command and control communication and other security threats. It ingests Zeek logs to identify beaconing behavior, long connections, DNS tunneling, and suspicious domains through threat intelligence feeds. The tool helps security teams analyze network traffic for signs of malicious activity in an automated and scalable way.
Security analysts, network defenders, and cybersecurity professionals who need to monitor and analyze network traffic for threat detection. It is also suitable for organizations running Zeek for network security monitoring.
RITA provides a free, open-source alternative to commercial threat analytics platforms, offering specialized detection for command and control communications. Its integration with Zeek logs and support for Docker-based deployment make it accessible and easy to set up for automated network traffic analysis.
Real Intelligence Threat Analytics (RITA) is a framework for detecting command and control communication through network traffic analysis.
Open-Awesome is built by the community, for the community. Submit a project, suggest an awesome list, or help improve the catalog on GitHub.
Automatically identifies beaconing, long connections, and DNS tunneling from Zeek logs, with configurable scoring as highlighted in the Configuration section.
Uses GitHub-style search fields like src, dst, and beacon score with operators for precise filtering, as demonstrated in the README examples.
Queries external threat intelligence feeds to flag suspicious domains and hosts, enhancing detection capabilities as a core feature.
Supports CSV output via the --stdout flag for further analysis in other tools, making it practical for reporting and integration.
Relies entirely on Zeek for log generation, adding setup complexity and dependency management, as installation requires docker-zeek.
Only supports specific Linux distributions (CentOS 9, Rocky 9, RHEL 9, Ubuntu 22.04/24.04) on amd64, excluding many common platforms.
Handling datasets over 24 hours old requires careful use of the --rolling flag to avoid incorrect results, as warned in the README.
Lacks a web-based GUI, relying solely on terminal UI and CSV output, which may not suit teams preferring visual dashboards.