Releases: activecm/rita-legacy
v4.8.1
What's Changed
- Fix install error (https://github.com/activecm/rita/issues/821) due to Zeek configuration incompatibility (https://github.com/activecm/rita/pull/820)
v4.8.0
What's Changed
Improvements:
- Change show-long-connections to sort by total duration instead of longest duration by @Zalgo2462 in https://github.com/activecm/rita/pull/790
- Removal of connection count portion of beacon scoring and adjustment of skew by @lisaSW in https://github.com/activecm/rita/pull/792
- Duration Scoring Update by @lisaSW in https://github.com/activecm/rita/pull/793
- Update to bimodal portion of the histogram score by @lisaSW in https://github.com/activecm/rita/pull/794
Bug Fixes:
- Improve useragent aggregation runtime for datasets with many useragents by @Zalgo2462 in https://github.com/activecm/rita/pull/785
- Fix SSL and DNS log filtering by @Zalgo2462 in https://github.com/activecm/rita/pull/788
- Prevent crashing due to malformed IP addresses in Zeek logs by @lisaSW in https://github.com/activecm/rita/pull/791
- Don't filter internal -> internal DNS traffic by @Zalgo2462 in https://github.com/activecm/rita/pull/797
- Disable SNI connection analysis if SNI beacon analysis is disabled by @Zalgo2462 in https://github.com/activecm/rita/pull/798
- Only maintain one cid's worth of max scores in the host collection by @Zalgo2462 in https://github.com/activecm/rita/pull/801
Full Changelog: activecm/rita@v4.7.0...v4.8.0
v4.7.0
Changes:
- Improved beacon scoring algorithms by filtering out bursty connections (https://github.com/activecm/rita/pull/773, https://github.com/activecm/rita/pull/774)
- Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Web beacons module (https://github.com/activecm/rita/pull/774)
- Deployed the beaconing algorithm introduced in the IP beacons module in v4.6.0 to the Proxy beacons module (#778)
- Added filter to drop proxied traffic which is entirely on the internal network (https://github.com/activecm/rita/pull/765)
- Added `rita clean` command to remove RITA datasets without MetaDB entries (https://github.com/activecm/rita/pull/763, #780)
- Removed FQDN Beacons module due to poor performance (https://github.com/activecm/rita/pull/771)
- Removed per-host DNS command and control analysis due to overflowing document sizes (https://github.com/activecm/rita/pull/762)
- Added better error reporting to the install script. Removed support for Ubuntu 18 and Debian 10. (#776)
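The scoring changes listed for v4.7.0 and v4.8.0 (filtering out bursty connections, dropping the connection-count term, adjusting the skew term) all concern how regular the gaps between a host pair's connections are. The Go program below is an added example written for this page, not RITA's own beacon code: it derives inter-arrival gaps from a constructed timestamp list, optionally folds any connection that arrives within one second of the previously kept one into that event (the bursty-connection filter), and scores regularity from a quartile skewness term and a median-absolute-deviation term. The timestamps, the 1 s burst threshold and the score formula are assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// SampleTimestamps returns constructed connection times (seconds) for one
// internal->external host pair: a clean 60 s beacon of 10 connections plus a
// burst of 9 retries spaced 0.1 s apart right after the t=300 connection.
func SampleTimestamps() []float64 {
	var ts []float64
	for i := 0; i < 10; i++ {
		ts = append(ts, float64(60*i))
	}
	for i := 1; i <= 9; i++ {
		ts = append(ts, 300+0.1*float64(i)) // assumed burst, not real data
	}
	return ts
}

// Intervals returns the sorted gaps between consecutive connections. A gap
// shorter than minGap is treated as a burst: the connection is folded into the
// previous kept one and contributes no interval. minGap = 0 keeps every gap.
func Intervals(ts []float64, minGap float64) []float64 {
	s := append([]float64(nil), ts...)
	sort.Float64s(s)
	var gaps []float64
	for i := 1; i < len(s); i++ {
		last := s[i-1]
		if len(gaps) > 0 {
			last = lastKept
		}
		_ = last
	}
	// Second pass written explicitly to keep the "last kept" bookkeeping clear.
	gaps = gaps[:0]
	lastKept = s[0]
	for _, t := range s[1:] {
		g := t - lastKept
		if g < minGap {
			continue // burst: fold into the previous connection
		}
		gaps = append(gaps, g)
		lastKept = t
	}
	sort.Float64s(gaps)
	return gaps
}

var lastKept float64

// quantile does linear interpolation on a sorted slice (p in [0,1]).
func quantile(sorted []float64, p float64) float64 {
	if len(sorted) == 0 {
		return 0
	}
	pos := p * float64(len(sorted)-1)
	lo, hi := int(math.Floor(pos)), int(math.Ceil(pos))
	return sorted[lo] + (pos-float64(lo))*(sorted[hi]-sorted[lo])
}

// BowleySkew is quartile skewness in [-1, 1]; 0 means a symmetric spread.
func BowleySkew(sorted []float64) float64 {
	q1, q2, q3 := quantile(sorted, 0.25), quantile(sorted, 0.5), quantile(sorted, 0.75)
	if q3-q1 == 0 {
		return 0
	}
	return (q3 + q1 - 2*q2) / (q3 - q1)
}

// MadScore is 1 - MAD/median clamped to [0, 1]: 1 for perfectly even gaps.
func MadScore(sorted []float64) float64 {
	med := quantile(sorted, 0.5)
	if med <= 0 {
		return 0
	}
	dev := make([]float64, len(sorted))
	for i, v := range sorted {
		dev[i] = math.Abs(v - med)
	}
	sort.Float64s(dev)
	return math.Max(0, 1-quantile(dev, 0.5)/med)
}

// RegularityScore averages the skew and dispersion terms (assumed formula).
func RegularityScore(gaps []float64) float64 {
	if len(gaps) < 3 {
		return 0
	}
	return ((1 - math.Abs(BowleySkew(gaps))) + MadScore(gaps)) / 2
}

func main() {
	ts := SampleTimestamps()
	fmt.Printf("raw score:      %.3f\n", RegularityScore(Intervals(ts, 0)))
	fmt.Printf("burst-filtered: %.3f\n", RegularityScore(Intervals(ts, 1)))
}
```

With the burst folded away the nine remaining gaps are all 60 s and the score is 1.0; left in, the 0.1 s retries pull the median gap down and the dispersion term collapses, so the same beacon scores only about 0.49. That is the failure mode the v4.7.0 bursty-connection filter addresses, and it is also why the v4.6.0 change to keep every timestamp (rather than de-duplicating per second) has to be paired with such a filter.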
Bug Fixes:
- Stop host aggregation phase if there aren't any local hosts (https://github.com/activecm/rita/pull/761)
- Check if a max analysis subdocument has already been inserted into the target host's `dat` collection before updating or inserting (https://github.com/activecm/rita/pull/764)
- Fix strobes from overflowing database documents when strobing is cumulative (https://github.com/activecm/rita/pull/767)
- Ensure bulk writes don't break 16MB limit (https://github.com/activecm/rita/pull/770)
v4.6.0
Changes:
- Add support for Ubuntu 20.04 to the installer (#732, #734)
- Write DB Updates in Bulk; Summarize Internal Hosts After Analysis; Documentation Updates (#737)
- Implement FQDN Beaconing using TLS SNI and HTTP Host (#739)
- Change host summarizer to record max total duration instead of max individual duration found in the uconn collection (#741)
- Implement new IP beacon scoring algorithm (#742, #743, #745)
- Store all connection timestamps. Do not de-duplicate connections happening in the same second (#744, #749)
- Remove MalwareDomains as a threat intel source (#746)
- Filter external to internal traffic by default (#753)
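The malformed-IP fix in v4.8.0 (#791) and the direction filters (external -> internal dropped by default since v4.6.0, #753; internal -> internal DNS no longer filtered in v4.8.0, #797) come down to two small pieces of importer logic: parse addresses without trusting the log, and classify each connection against the local network list before deciding whether to analyze it. The Go program below is an added example written for this page, not RITA's importer code; the sample conn.log rows, the RFC 1918 internal list and the exact keep/drop policy are assumptions made for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Constructed conn.log rows (ts, uid, id.orig_h, id.orig_p, id.resp_h,
// id.resp_p, proto). C3 and C5 carry malformed addresses on purpose.
var sampleRows = [][]string{
	{"1650000000.123", "C1", "10.1.2.3", "51000", "93.184.216.34", "443", "tcp"},
	{"1650000001.456", "C2", "10.1.2.3", "53001", "10.1.2.53", "53", "udp"},
	{"1650000002.789", "C3", "10.1.2.4", "40000", "999.1.2.3", "80", "tcp"},
	{"1650000003.000", "C4", "198.51.100.7", "60000", "10.1.2.5", "22", "tcp"},
	{"1650000004.000", "C5", "bad-ip", "1", "2", "3", "tcp"},
	{"1650000005.000", "C6", "10.1.2.3", "50001", "10.1.2.9", "22", "tcp"},
}

// SampleConnLog joins the rows into tab-separated text like a conn.log body.
func SampleConnLog() string {
	lines := make([]string, 0, len(sampleRows))
	for _, r := range sampleRows {
		lines = append(lines, strings.Join(r, "\t"))
	}
	return strings.Join(lines, "\n")
}

// Direction of a connection relative to the assumed internal network.
type Direction int

const (
	InternalToInternal Direction = iota
	InternalToExternal
	ExternalToInternal
	ExternalToExternal
)

// internalNets is an assumed local-network list (RFC 1918); RITA reads its
// own list from its configuration file.
var internalNets = []netip.Prefix{
	netip.MustParsePrefix("10.0.0.0/8"),
	netip.MustParsePrefix("172.16.0.0/12"),
	netip.MustParsePrefix("192.168.0.0/16"),
}

func isInternal(a netip.Addr) bool {
	for _, p := range internalNets {
		if p.Contains(a) {
			return true
		}
	}
	return false
}

func direction(orig, resp netip.Addr) Direction {
	switch {
	case isInternal(orig) && isInternal(resp):
		return InternalToInternal
	case isInternal(orig):
		return InternalToExternal
	case isInternal(resp):
		return ExternalToInternal
	}
	return ExternalToExternal
}

// Conn is the subset of a conn.log row the filter needs.
type Conn struct {
	UID      string
	Orig     netip.Addr
	Resp     netip.Addr
	RespPort string
	Dir      Direction
}

// ParseConnLog skips, rather than crashes on, any row whose addresses do not
// parse. It returns the parsed rows and the number skipped.
func ParseConnLog(text string) (conns []Conn, skipped int) {
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		f := strings.Split(sc.Text(), "\t")
		if len(f) < 7 {
			skipped++
			continue
		}
		orig, errO := netip.ParseAddr(f[2])
		resp, errR := netip.ParseAddr(f[4])
		if errO != nil || errR != nil {
			skipped++ // malformed address: drop the row, keep importing
			continue
		}
		conns = append(conns, Conn{UID: f[1], Orig: orig, Resp: resp, RespPort: f[5], Dir: direction(orig, resp)})
	}
	return conns, skipped
}

// FilterForAnalysis keeps internal->external traffic, keeps internal->internal
// traffic only when it is DNS (resp port 53), and drops external->internal
// traffic when dropExtToInt is set. This policy is an assumed reading of the
// release notes, not RITA's exact filter code.
func FilterForAnalysis(conns []Conn, dropExtToInt bool) []Conn {
	var kept []Conn
	for _, c := range conns {
		switch c.Dir {
		case InternalToExternal:
			kept = append(kept, c)
		case InternalToInternal:
			if c.RespPort == "53" {
				kept = append(kept, c)
			}
		case ExternalToInternal:
			if !dropExtToInt {
				kept = append(kept, c)
			}
		}
	}
	return kept
}

func main() {
	conns, skipped := ParseConnLog(SampleConnLog())
	kept := FilterForAnalysis(conns, true)
	fmt.Printf("parsed %d rows, skipped %d malformed, kept %d\n", len(conns), skipped, len(kept))
	for _, c := range kept {
		fmt.Println(c.UID, c.Orig, "->", c.Resp, c.RespPort)
	}
}
```

On the constructed input the importer keeps going past the two malformed rows, and the default policy leaves only C1 (internal to external) and C2 (internal DNS) for analysis; C4 (external to internal SSH) is kept again only when the external-to-internal filter is switched off.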
v4.5.1
v4.5.0
v4.4.0
Changes:
- Add timestamp to HTML report templates (#662)
- Use the past 24 hours of data to analyze proxy beacons rather than just the last hour (#690)
- The RITA parser has been updated with a number of performance tweaks (#654, #695)
- Gather IPs for FQDN beacon analysis using DNS lookups from the past 24 hours of data rather than just the last hour (#676, #700)
- Drop strobe limit down to 86400 (#697)
- Add option to configuration file which filters out connections from external hosts to internal hosts (#655)
Bug Fixes:
- Add unique indexes to `beaconFQDN` and `beaconProxy` collections (#689)
- Add additional indexes to `host` collection (#687)
- Prevented duplicate threat intel records from being created in the `host` collection (#683)
- Fixed a bug where threat intel records in the `host` collection were not being updated when using rolling imports (#683)
- Fixed a bug where the max beacon score listed in the `host` collection for a pair of hosts would never decrease when using rolling imports (#683)
- Fixed a bug where rare signature entries might not be added to the `host` collection due to a race condition (#683)
- Fixed a bug where the connection counts for each host in the `host` collection were under-counted when using rolling imports (#683)
- Removed unused/broken code in max duration analysis (#683)
v4.3.1
v4.3.0
Changes in v4.3.0
Bug Fixes:
- Fixed missing `</td>` in report-beacons.go and report-beaconsfqdn.go (#644)
- Speed up beaconFQDN analysis (#638)
Documentation:
- Fixed typo in docker compose documentation (#650)
Changes from v4.2.1 (pre-release):
- Make --config a global option on rita command (#631)
- Add support for detecting beacons behind HTTP proxies (#632)
Bug Fixes:
- Remove invalid certificates from old chunks when using the rolling importer (#634)