RITA

A practical guide to RITA (Real Intelligence Threat Analytics) for SOC analysts — beacon detection, C2 pattern analysis, installation, configuration, and integrating RITA into your network monitoring pipeline.

What RITA Is and Why Analysts Use It

  • RITA (Real Intelligence Threat Analytics) is an open-source framework from Active Countermeasures (github.com/activecm/rita). It reads Zeek logs and looks for command-and-control (C2) traffic by analysing the shape of connections statistically, not by matching signatures.
  • The behaviour it hunts is what MITRE ATT&CK catalogues as T1071 (Application Layer Protocol): C2 that rides on HTTP, HTTPS or DNS and blends in with ordinary use. Because RITA works from connection metadata (who talked to whom, when, how often, how much), it does not depend on the protocol or the payload, and it works just as well on encrypted traffic.
  • Snort and Suricata match known patterns; RITA models behaviour. Its modules score beacons (regular call-outs, keyed by source/destination IP pair, by destination FQDN, or through an HTTP proxy), list the longest-lived and still-open connections, flag "strobes" (pairs with an extreme number of connections), count unique subdomains per domain (exploded DNS, a tunnelling indicator), rank rare HTTP user agents, and cross-reference threat-intel blacklists.
  • Every beacon gets a score from 0 to 1, so an analyst can triage from the top down. A score near 1.0 is a strong C2 candidate but not proof: update checks, NTP, telemetry and monitoring agents beacon too, so a high score means "investigate this pair first", not "isolate the host".
  • This page follows the RITA v4 command line (the MongoDB-backed releases). Later releases changed the storage backend and the command syntax, so confirm every command against rita --help on the installed version.

Installation and Configuration

Installation

# Linux: the installer in the repository sets up RITA and its dependencies
# (Zeek and MongoDB) on the supported distributions
git clone https://github.com/activecm/rita.git
cd rita
sudo ./install.sh

# Docker: the repository ships a docker-compose file that runs RITA against a
# MongoDB container (image quay.io/activecm/rita)

# Requirements: MongoDB (analysis results and dataset metadata) + Zeek logs as input.
# Validate the installed configuration before the first import:
rita test-config

Basic Configuration

RITA reads /etc/rita/config.yaml; pass an alternative file with -c. The keys below follow the v4 layout (illustrative values; keep the defaults unless you know why you are changing them):

# RITA Configuration (v4)
MongoDB:
  ConnectionString: mongodb://localhost:27017   # put credentials in the URI if MongoDB requires auth
  MetaDB: MetaDatabase                          # tracks which datasets have been imported

Rolling:
  DefaultChunks: 24               # import chunks kept in a rolling dataset (24 hourly imports = one day)

Filtering:
  InternalSubnets:                # what counts as "inside"; beacons are scored internal -> external
    - 10.0.0.0/8
    - 172.16.0.0/12
    - 192.168.0.0/16
  AlwaysInclude: []               # addresses to analyse even if they fall outside the internal/external rule
  NeverInclude:                   # addresses to drop from every module (loopback, link-local, multicast by default)
    - 127.0.0.0/8
    - 169.254.0.0/16
    - 224.0.0.0/4
  NeverIncludeDomain: []          # hostnames to drop, e.g. a vetted update or CDN domain
  FilterExternalToInternal: true  # ignore inbound pairs; C2 check-ins originate inside

Beacon:
  Enabled: true
  DefaultConnectionThresh: 20     # pairs with fewer connections are not scored

BlackListed:
  Enabled: true
  CustomIPBlacklists: []          # files with one IP per line
  CustomHostnameBlacklists: []    # files with one hostname per line

Be sparing with NeverInclude and NeverIncludeDomain: an excluded address disappears from every module, so excluding a public resolver such as 8.8.8.8 also hides DNS tunnelling that goes through it. Prefer to let the results in and allow-list them downstream where you can still see the volume.

Importing Zeek Logs

RITA reads Zeek's conn.log, dns.log, http.log, ssl.log and (if the open-connections package is installed) open_conn.log, plain or gzip-compressed, and needs a dataset name on every import:

# Import one day of Zeek logs into a dataset called corp-2026-05-22
rita import /usr/local/zeek/logs/2026-05-22/ corp-2026-05-22

# Several directories into one dataset (RITA walks each tree it is given)
rita import /usr/local/zeek/logs/2026-05-21/ /usr/local/zeek/logs/2026-05-22/ corp-may

# Rolling dataset: each import adds one chunk and the oldest chunk is dropped
# once Rolling.DefaultChunks is reached, so the dataset covers a sliding window
rita import --rolling /usr/local/zeek/logs/current/ corp-rolling

# List imported datasets
rita list

# Remove a dataset you no longer need
rita delete corp-2026-05-22

In v4 the analysis runs as part of the import; there is no separate analyze step. Importing the same directory twice into a non-rolling dataset double-counts every connection, so import each day once or use a rolling dataset.

Beacon Detection — The Core Feature

Beacon detection is RITA's primary value. From conn.log it groups connections by internal source and external destination and asks, for each pair, how regular the timing and the sizes are. A compromised host calling its C2 every 60 seconds with a near-identical check-in looks very different from a person browsing. show-beacons works on IP pairs; show-beacons-fqdn groups by destination hostname (resolved from dns.log and ssl.log), which matters when the C2 sits behind a CDN or rotates addresses; show-beacons-proxy covers hosts that reach the internet only through an HTTP proxy, where conn.log would otherwise show every client talking to the proxy.

How Beacon Scoring Works

Each source/destination pair with at least DefaultConnectionThresh connections gets a score from 0.0 (random) to 1.0 (perfectly periodic). The score combines several sub-scores, each in the 0-1 range:

  • Interval regularity: the gaps between successive connections. RITA measures their skew (is the distribution lopsided?) and their dispersion around the median (how much jitter?). Tight, symmetric intervals score high; a beacon with configured jitter still scores well because its intervals stay clustered around the sleep time.
  • Data-size regularity: the same skew and dispersion statistics on bytes per connection. Check-ins that carry no tasking are almost identical in size, and small typical sizes add to the score.
  • Connection count: the number of connections seen against the number expected if one occurred every typical interval over the observed span. A pair that fires on schedule all day scores higher than one seen for ten minutes.
  • Recent v4 releases add two further sub-scores, how many hours of the day the pair was active and the shape of the connection-count histogram; the Beacon section of the configuration carries a weight for each sub-score, so you can tune which statistic dominates.

Port and protocol are not part of the score: the pair is keyed on addresses, so an implant that alternates between 80 and 443 to the same host still scores as one beacon.

Interpreting Beacon Scores

RITA does not define score bands; the following is a working triage heuristic, to be calibrated against your own network:

  • 0.8 - 1.0: strong beacon. Investigate immediately, but confirm on the endpoint before isolating: NTP, update checks, monitoring agents and telemetry also score here.
  • 0.6 - 0.8: likely beacon. Priority investigation: check the destination's reputation and ownership, pull the owning process from EDR, correlate with dns.log and ssl.log.
  • 0.4 - 0.6: possible beacon. Often legitimate polling (API clients, mail checks, software updates); review context and destination reputation.
  • 0.2 - 0.4: weak signal. Note it and watch whether the pattern tightens in later datasets.
  • 0.0 - 0.2: irregular traffic, not a beacon.
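To make the scoring concrete, here is an added example (not code from the RITA project) that re-implements the interval and data-size statistics described above in Python and runs them over a constructed conn.log fragment. The log is trimmed to the five columns the script reads, the connection threshold is lowered to 8 so the sample stays short, the sub-scores are combined as a plain average, and the internal-subnet list is assumed; the hours-seen and histogram sub-scores are left out. Expect RITA's own numbers to differ in detail, but the ranking is the point.

```python
"""Simplified RITA-style beacon scoring over Zeek conn.log lines.

Added example, not code from the RITA project: it re-implements the interval
and data-size statistics (Bowley skew, median absolute deviation around the
median, connections seen versus expected, payload smallness) in Python.
Weights, the threshold and the subnet list are assumptions for the demo.
"""
import ipaddress
import statistics
from collections import Counter, defaultdict

# Assumed internal ranges (mirrors a typical Filtering.InternalSubnets setting).
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample, trimmed to the columns this script reads. 10.0.1.45 calls
# 185.220.101.45 about every 60 s with ~512-byte requests (a beacon); 10.0.3.22
# browses 198.51.100.75 irregularly; 10.0.9.9 has too few connections to score.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\torig_bytes
1700000000.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000058.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000120.0\t10.0.1.45\t185.220.101.45\t443\t520
1700000180.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000241.0\t10.0.1.45\t185.220.101.45\t443\t508
1700000300.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000360.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000420.0\t10.0.1.45\t185.220.101.45\t443\t516
1700000482.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000540.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000600.0\t10.0.1.45\t185.220.101.45\t443\t512
1700000661.0\t10.0.1.45\t185.220.101.45\t443\t510
1700000005.0\t10.0.3.22\t198.51.100.75\t443\t1200
1700000017.0\t10.0.3.22\t198.51.100.75\t443\t340
1700000200.0\t10.0.3.22\t198.51.100.75\t443\t15000
1700000230.0\t10.0.3.22\t198.51.100.75\t443\t2300
1700000231.0\t10.0.3.22\t198.51.100.75\t443\t88
1700000900.0\t10.0.3.22\t198.51.100.75\t443\t9100
1700001400.0\t10.0.3.22\t198.51.100.75\t443\t450
1700001402.0\t10.0.3.22\t198.51.100.75\t443\t33000
1700002100.0\t10.0.3.22\t198.51.100.75\t443\t700
1700002105.0\t10.0.3.22\t198.51.100.75\t443\t5200
1700000300.0\t10.0.9.9\t203.0.113.9\t80\t-
1700000900.0\t10.0.9.9\t203.0.113.9\t80\t640
1700001500.0\t10.0.9.9\t203.0.113.9\t80\t640
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, naming the columns from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def bowley_skew(values):
    """Quartile skew in [-1, 1]; 0 means the sample is symmetric."""
    q1, q2, q3 = statistics.quantiles(values, n=4)
    return 0.0 if q3 == q1 else (q1 - 2 * q2 + q3) / (q3 - q1)


def regularity(values):
    """Symmetry score 1-|skew| and tightness score 1-MADM/median, both in [0, 1]."""
    med = statistics.median(values)
    madm = statistics.median(abs(v - med) for v in values)
    tightness = max(0.0, 1.0 - madm / med) if med > 0 else 0.0
    return 1.0 - abs(bowley_skew(values)), tightness


def beacon_score(timestamps, sizes):
    ts = sorted(timestamps)
    intervals = [round(b - a) for a, b in zip(ts, ts[1:])]
    ts_sym, ts_tight = regularity(intervals)
    mode_interval = Counter(intervals).most_common(1)[0][0]
    # Connections seen versus connections expected at one per modal interval.
    expected = (ts[-1] - ts[0]) / mode_interval if mode_interval > 0 else float("inf")
    ts_count = min(1.0, len(ts) / expected)
    ds_sym, ds_tight = regularity(sizes)
    ds_small = 1.0 - Counter(sizes).most_common(1)[0][0] / 65535.0
    return ((ts_sym + ts_tight + ts_count) / 3 + (ds_sym + ds_tight + ds_small) / 3) / 2


def score_conn_log(text, min_conns=8):
    """Score every internal -> external pair with at least min_conns connections."""
    pairs = defaultdict(lambda: ([], []))
    for row in parse_zeek_tsv(text):
        src, dst = row["id.orig_h"], row["id.resp_h"]
        if not is_internal(src) or is_internal(dst):
            continue  # only outbound pairs are scored, as with FilterExternalToInternal
        stamps, sizes = pairs[(src, dst)]
        stamps.append(float(row["ts"]))
        sizes.append(0 if row["orig_bytes"] == "-" else int(row["orig_bytes"]))
    return {pair: round(beacon_score(t, s), 3)
            for pair, (t, s) in pairs.items() if len(t) >= min_conns}


if __name__ == "__main__":
    for (src, dst), score in sorted(score_conn_log(SAMPLE_CONN_LOG).items(),
                                    key=lambda kv: -kv[1]):
        print(f"{score:.3f}  {src:<12} -> {dst}")
```

On the sample the beaconing pair scores above 0.95 and the browsing pair below 0.3, while the three-connection pair is never scored. The two places where real traffic fools this kind of statistic are worth seeing in the code: a host that beacons with large jitter keeps its intervals symmetric but loses on tightness, and a legitimate poller (NTP, a monitoring agent) satisfies every sub-score, which is why the score is a triage order and not a verdict.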

Running Beacon Analysis

# Table of beacons for a dataset, highest score first (CSV on stdout)
rita show-beacons corp-2026-05-22

# Human-readable table instead of CSV
rita show-beacons -H corp-2026-05-22

# Keep the CSV for a SIEM or spreadsheet
rita show-beacons corp-2026-05-22 > beacons.csv

# Beacons grouped by destination hostname, and beacons through an HTTP proxy
rita show-beacons-fqdn -H corp-2026-05-22
rita show-beacons-proxy -H corp-2026-05-22

# Static HTML report with every module's output for the dataset
rita html-report corp-2026-05-22

RITA Beacon Output (illustrative and abbreviated; the real table carries further columns with the interval and size statistics behind the score)

Score   Source IP       Destination IP   Connections   Avg Bytes   Top Intvl   Top Size
0.93    10.0.1.45       185.220.101.45   142           512         60          512
0.87    192.168.1.102   203.0.113.50     89            768         120         768
0.72    10.0.3.22       198.51.100.75    45            1024        300         1024

The first row is what a default-configured implant looks like: 142 connections, a most common interval of 60 seconds, a most common request size of 512 bytes, and almost no spread in either. Many C2 frameworks default to a 60-second sleep (Cobalt Strike among them), but the interval alone does not identify the framework; the process, the binary and the traffic content seen on the endpoint do.


DNS Analysis — Tunneling and DGA Detection

DNS Tunneling Detection

RITA's DNS module ("exploded DNS") counts, for every domain seen in dns.log, how many unique subdomains were queried beneath it and how often it was looked up. A tunnel encodes data in the subdomain labels, so one base domain suddenly has thousands of unique, never-repeated subdomains:

# Domains ranked by unique subdomain count (columns: Domain, Unique Subdomains, Times Looked Up)
rita show-exploded-dns -H corp-2026-05-22

Indicators to weigh when a domain tops that list (rules of thumb, not RITA thresholds):

  • Unique subdomains per domain: a few dozen for a normal domain; thousands, each queried once, for a tunnel.
  • Query type: TXT and NULL queries are rare in normal client traffic; a tunnel may issue hundreds per hour (qtype_name in dns.log).
  • Subdomain label length: under about 20 characters for normal names; 30 to 63 characters of base32- or base64-looking text for a tunnel.
  • Label entropy: words have low Shannon entropy; encoded data sits close to the maximum for its alphabet. Entropy grows with label length, so compare labels of similar length rather than applying one cutoff.
  • Response size: a tunnel's answers carry the downstream data, so responses are consistently large, and TXT answers are the easiest place to hide them.
  • Legitimate look-alikes: CDNs, anti-spam and reputation services (one hashed subdomain per lookup) and some antivirus products also produce many unique subdomains. Check who owns the domain before calling it a tunnel.

DGA Detection

Domain Generation Algorithms produce pseudo-random domain names that malware queries until it finds one the operator has registered. RITA v4 has no DGA module, but Zeek's dns.log holds what you need (query, rcode_name, id.orig_h), and the exploded-DNS output already surfaces hosts that query many domains:

  • NXDOMAIN ratio per source host: normal clients see a few percent of failed lookups; a DGA client burns through unregistered candidates, so most of its queries fail.
  • Domain entropy: dictionary-based names ("google") have low entropy; character-level DGAs ("xqyzab12evlkdm") sit near the maximum for their length. Word-list DGAs defeat this indicator, so never rely on entropy alone.
  • Query rate and uniqueness: bursts of many distinct second-level domains from one host within minutes, most of them seen nowhere else on the network.
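The two sections above, tunnelling and DGA hunting, run on the same dns.log fields, so here is one added example (not RITA's code) that computes both sets of indicators in Python over a constructed dns.log fragment: unique subdomains per registered domain with TXT ratio, first-label length and Shannon entropy, and per-client NXDOMAIN ratio with the number of distinct domains queried. The registered-domain rule (last two labels) is an assumption that mishandles multi-part suffixes such as co.uk; use a public-suffix list in production.

```python
"""DNS tunnelling and DGA indicators over Zeek dns.log lines.

Added example, not code from the RITA project. It reproduces the idea behind
RITA's exploded-DNS output (unique subdomains per domain) and adds the per-query
indicators discussed on this page (query type, label length, Shannon entropy)
plus the per-host NXDOMAIN ratio used for DGA hunting. registered_domain() is a
deliberate simplification (last two labels).
"""
import math
from collections import Counter, defaultdict

# Constructed dns.log fragment, trimmed to the columns this script reads.
# 10.0.1.45 tunnels over TXT queries to tun.example.net, 10.0.2.10 is a normal
# client, and 10.0.3.22 behaves like a DGA client (mostly NXDOMAIN answers).
SAMPLE_DNS_LOG = """\
#fields\tts\tid.orig_h\tquery\tqtype_name\trcode_name
1700000001.0\t10.0.1.45\ta7kq3x9mz2pv5rb8jn4wtc6ygh2esd7lqf3oiu9x.tun.example.net\tTXT\tNOERROR
1700000002.0\t10.0.1.45\tp4zt8wqa2hn6kjx3vm9cyr5se7ldg2buo4if8tz3.tun.example.net\tTXT\tNOERROR
1700000003.0\t10.0.1.45\tm9rb2ueq7xs4ctj6zna3kvh8yp5wdl2og7fi4tq9.tun.example.net\tTXT\tNOERROR
1700000004.0\t10.0.1.45\tv3hd6pwk9ez2ma5rtx8cqn4ylb7so3giu2jf9hz6.tun.example.net\tTXT\tNOERROR
1700000005.0\t10.0.1.45\tc2ys7lmq4bk9xw3rpf6zha5ednt8vo2ig7ju4qs3.tun.example.net\tTXT\tNOERROR
1700000006.0\t10.0.1.45\tk8xe4tnz7wq2hsc5ml9rv3ydo6bpa8fu2gj7ik4z.tun.example.net\tTXT\tNOERROR
1700000010.0\t10.0.2.10\twww.example.com\tA\tNOERROR
1700000011.0\t10.0.2.10\tmail.example.com\tA\tNOERROR
1700000012.0\t10.0.2.10\texample.com\tMX\tNOERROR
1700000013.0\t10.0.2.10\twww.example.com\tA\tNOERROR
1700000014.0\t10.0.2.10\tcdn.example.com\tA\tNOERROR
1700000020.0\t10.0.3.22\txqyzab12evlkdm.com\tA\tNXDOMAIN
1700000021.0\t10.0.3.22\tqwk3ldsfgjhz.net\tA\tNXDOMAIN
1700000022.0\t10.0.3.22\tplmnxcvrtybn.com\tA\tNXDOMAIN
1700000023.0\t10.0.3.22\tzxdrfcghtvb.org\tA\tNXDOMAIN
1700000024.0\t10.0.3.22\twww.example.com\tA\tNOERROR
"""


def parse_zeek_tsv(text):
    """Yield one dict per record, naming the columns from the #fields header."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def shannon_entropy(s):
    """Bits per character: 0 for a constant string, log2(alphabet size) at most."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_domain(fqdn):
    labels = fqdn.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])  # simplification: last two labels, no public-suffix list


def domain_indicators(rows):
    """Per registered domain: lookups, unique subdomains, TXT/NULL ratio, first-label length and entropy."""
    per = defaultdict(lambda: {"lookups": 0, "subs": set(), "txt": 0, "lens": [], "ents": []})
    for r in rows:
        q = r["query"].lower().rstrip(".")
        d = per[registered_domain(q)]
        d["lookups"] += 1
        if q != registered_domain(q):
            d["subs"].add(q)
        d["txt"] += int(r["qtype_name"] in ("TXT", "NULL"))
        first = q.split(".")[0]
        d["lens"].append(len(first))
        d["ents"].append(shannon_entropy(first))
    return {dom: {"lookups": d["lookups"],
                  "unique_subdomains": len(d["subs"]),
                  "txt_ratio": d["txt"] / d["lookups"],
                  "avg_label_len": sum(d["lens"]) / d["lookups"],
                  "avg_entropy": sum(d["ents"]) / d["lookups"]}
            for dom, d in per.items()}


def nxdomain_by_source(rows):
    """Per client: queries, distinct registered domains, and the share answered NXDOMAIN."""
    per = defaultdict(lambda: {"queries": 0, "nx": 0, "domains": set()})
    for r in rows:
        s = per[r["id.orig_h"]]
        s["queries"] += 1
        s["nx"] += int(r["rcode_name"] == "NXDOMAIN")
        s["domains"].add(registered_domain(r["query"]))
    return {src: {"queries": s["queries"], "unique_domains": len(s["domains"]),
                  "nxdomain_ratio": s["nx"] / s["queries"]} for src, s in per.items()}


if __name__ == "__main__":
    rows = list(parse_zeek_tsv(SAMPLE_DNS_LOG))
    for dom, ind in sorted(domain_indicators(rows).items(),
                           key=lambda kv: -kv[1]["unique_subdomains"]):
        print(dom, ind)
    for src, ind in nxdomain_by_source(rows).items():
        print(src, ind)
```

On the sample, example.net shows six unique subdomains from six lookups, all TXT, 40-character first labels with entropy near 5 bits per character; example.com shows three real hostnames with entropy near 1; and 10.0.3.22 has four of five lookups answered NXDOMAIN across five distinct domains. Run it over a day of real dns.log and the same three numbers, unique subdomains, label entropy and NXDOMAIN ratio, separate tunnels and DGA clients from CDN and reputation-lookup noise far better than any one of them alone.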

Port Scan, Long Connection, and Blacklist Analysis

Strobes (and Port Scans)

rita show-strobes -H corp-2026-05-22

A strobe is a source/destination pair with an extreme number of connections (above Strobe.ConnectionLimit in the configuration). RITA reports these separately and leaves them out of beacon scoring, since interval statistics are meaningless at that volume. Strobes are typically scanners, misconfigured clients retrying a dead service, or very aggressive C2. RITA does not do port-scan detection as such (many ports on one host, or one port across many hosts, T1046); leave that to Zeek's scan-detection policy scripts or an IDS, and use the strobe list to confirm the source.

Long Connections

rita show-long-connections -H corp-2026-05-22

This lists the longest-lived connections in conn.log by source, destination and port/protocol/service, sorted by duration; show-open-connections lists connections that were still open when the dataset ended. The list is not baselined against the destination, so read it with context: an 8-hour SSH or VPN session to a known provider is normal, while a 12-hour TCP session on port 443 from a workstation to an unfamiliar address is a candidate for a long-poll or interactive C2 channel.

Blacklist Analysis

With threat-intel lists configured, RITA marks every source, destination and hostname that matches:

# In config.yaml (v4): point RITA at your own lists, one entry per line
BlackListed:
  Enabled: true
  CustomIPBlacklists:
    - /etc/rita/blacklists/c2-ips.txt          # e.g. 185.220.101.45
  CustomHostnameBlacklists:
    - /etc/rita/blacklists/c2-domains.txt      # e.g. evil-c2.example.com

rita show-bl-dest-ips -H corp-2026-05-22
rita show-bl-source-ips -H corp-2026-05-22
rita show-bl-hostnames -H corp-2026-05-22

A blacklist hit is only as good as the feed behind it; pair it with the beacon score and connection volume rather than alerting on the match alone.

RITA Workflow for Daily Threat Hunting

Morning Review (15 minutes)

# 1. Import overnight Zeek logs into the rolling dataset (analysis runs during import)
rita import --rolling /usr/local/zeek/logs/$(date -d "yesterday" +%Y-%m-%d)/ corp-rolling

# 2. Top beacons, human-readable (output is already sorted by score)
rita show-beacons -H corp-rolling | head -20
rita show-beacons-fqdn -H corp-rolling | head -20

# 3. DNS anomalies: domains with the most unique subdomains
rita show-exploded-dns -H corp-rolling | head -10

# 4. Threat-intel hits and the longest connections
rita show-bl-dest-ips -H corp-rolling
rita show-long-connections -H corp-rolling | head -10

# 5. Export the beacon CSV for SIEM ingestion
rita show-beacons corp-rolling | /opt/scripts/send-to-siem.sh
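Step 5 above hands the CSV to a script, and the SIEM integration further down assumes the same thing, so here is an added example (not RITA's code) of what that script can do before the data reaches the SIEM: keep pairs at or above a score threshold, drop destinations on a vetted allow list, tag a severity from the score bands used on this page, and emit one JSON object per line for an HTTP collector or file input. The CSV header is constructed to resemble what rita show-beacons prints; confirm the column names against your RITA version. The allow-list range and dataset name are assumptions.

```python
"""Triage rita show-beacons CSV output before shipping it to a SIEM.

Added example, not code from the RITA project. The sample CSV and the allow
list are constructed; check the header against your RITA version's output.
"""
import csv
import io
import ipaddress
import json

# Constructed sample output; real output carries further statistical columns.
SAMPLE_BEACON_CSV = """\
Score,Source IP,Destination IP,Connections,Avg Bytes,Top Intvl,Top Size
0.93,10.0.1.45,185.220.101.45,142,512,60,512
0.91,10.0.1.45,192.0.2.25,1440,96,60,96
0.87,192.168.1.102,203.0.113.50,89,768,120,768
0.72,10.0.3.22,198.51.100.75,45,1024,300,1024
0.41,10.0.4.8,198.51.100.9,21,3072,900,2048
"""

# Assumed allow list: vetted destinations that beacon legitimately (a monitoring
# collector, an update mirror). Keep it short, commented, and reviewed; an entry
# here hides a pair completely, unlike a low score.
ALLOW_CIDRS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed monitoring-SaaS range


def severity(score):
    """Bands from the interpretation table on this page."""
    return "high" if score >= 0.8 else "medium" if score >= 0.6 else "low"


def allowed(dest_ip, allow_cidrs):
    addr = ipaddress.ip_address(dest_ip)
    return any(addr in net for net in allow_cidrs)


def triage(csv_text, threshold=0.8, allow_cidrs=ALLOW_CIDRS, dataset="corp-rolling"):
    """Return SIEM-ready event dicts for pairs scoring >= threshold and not allow-listed."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["Score"])
        dst = row["Destination IP"]
        if score < threshold or allowed(dst, allow_cidrs):
            continue
        events.append({
            "rule": "rita_beacon",
            "dataset": dataset,
            "src": row["Source IP"],
            "dst": dst,
            "score": score,
            "severity": severity(score),
            "connections": int(float(row["Connections"])),
            "avg_bytes": int(float(row["Avg Bytes"])),
            "top_interval_s": int(float(row["Top Intvl"])),
            "top_size": int(float(row["Top Size"])),
        })
    return events


def sources_per_destination(events):
    """The pivot step: how many internal hosts talk to each flagged destination."""
    seen = {}
    for e in events:
        seen.setdefault(e["dst"], set()).add(e["src"])
    return {dst: len(srcs) for dst, srcs in seen.items()}


def to_jsonl(events):
    """One JSON object per line, stable key order, ready for a collector or file input."""
    return "\n".join(json.dumps(e, sort_keys=True) for e in events)


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEACON_CSV
    found = triage(text)
    print(to_jsonl(found))
    print(sources_per_destination(found), file=sys.stderr)
```

Piped after rita show-beacons it reads the real CSV from stdin; run on its own it uses the constructed sample, where the 0.91 pair to 192.0.2.25 is suppressed by the allow list and two events remain. Keep the threshold loose in the SIEM export (0.6 rather than 0.8) and let the SIEM rule decide what pages someone: the history of scores per pair is what shows a new beacon tightening up over days.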

Investigation Workflow

  • Triage (rita show-beacons, rita show-beacons-fqdn): note the score, connection count, typical interval and typical size for the suspicious pair.
  • Correlation (rita show-exploded-dns, Zeek dns.log and ssl.log): what name did the host resolve for that address, what SNI or certificate did the destination present, and did the same host show DNS anomalies?
  • Deep dive (EDR console): which process opened the connections, what binary backs it, when was it first seen, and what is its parent?
  • Pivot (rita show-beacons CSV): grep the CSV for the destination address to find every internal host talking to it; one beaconing host is an incident, ten may be a legitimate service you have not inventoried.
  • Response (firewall, EDR, SIEM): block the destination, isolate the confirmed host, preserve the Zeek logs and the RITA dataset as evidence, and open the incident.

SPL — Correlate RITA Beacon with EDR Data

index=windows sourcetype=WinEventLog:Sysmon EventCode=3 DestinationIp="185.220.101.45"
| stats count, min(_time) as first_seen, max(_time) as last_seen, values(Image) as Processes, values(User) as Users by Computer, DestinationIp, DestinationPort
| eval alert = "C2 beacon detected by RITA - " . DestinationIp . ":" . DestinationPort . " contacted by " . Computer . " via " . mvjoin(Processes, ", ")
| table first_seen, last_seen, count, Computer, DestinationIp, DestinationPort, Processes, Users, alert

Substitute the destination from the RITA output (or feed the exported CSV in as a lookup and search DestinationIp against it) rather than hard-coding one address; grouping by DestinationPort as well keeps the port in the table, and the first/last timestamps tell you how long the host has been calling out.

Integrations

  • Zeek (input): RITA ingests Zeek logs and nothing else, so deploy Zeek as the network sensor where internal hosts reach the internet (egress, proxy, resolver).
  • SIEM (Splunk/Elastic): export the CSV output of show-beacons, show-exploded-dns and the show-bl-* commands into the SIEM to correlate network behaviour with endpoint telemetry and to keep a per-pair history of scores.
  • EDR: cross-reference beaconing hosts in the EDR to identify the process behind the connections; this is the step that turns a score into a finding.
  • MISP: RITA has no native MISP connector, but confirmed beacon destinations and hostnames can be scripted into MISP events or attributes, so your own network data becomes threat intel.
  • DNS sinkhole / RPZ: confirmed C2 hostnames from show-beacons-fqdn can be added to a response policy zone to block resolution at the resolver; do this after confirmation, since an RPZ entry for a CDN hostname causes an outage.
