Releases: activecm/rita-legacy

v3.0.5

14 Aug 19:58
5c6bc71

Changes:

  • Configurable limits on show-* commands (#471)
  • Allowing databases to increase the number of chunks (#488)
  • Update installer to v3.0.5 (#489)

v3.0.4

15 Jul 16:42
a53a197

Changes:

  • Removing Bro config section (#465)
  • Flags for database deletion (#470)
  • Enhance command line rolling params and allow import of files (#474)

Backend changes:

  • Update test runners and update Readme (#468)
  • Adding checks to ensure index keys aren't too large, which caused issues with MongoDB (#473)
  • Adding an additional warning if no uconn data found (#476)
  • Fix certificate count missing check if exists (#478)

Installer changes:

  • Add Redhat Enterprise identifiers so the install can continue on RHEL. (#467)
  • Updating installer for v3.0.4 (#479)

Important Notes:

  • The import command's --chunk|--CC parameter previously accepted values 1 <= chunk <= numchunks (1-based indexing). This has been changed to 0 <= chunk < numchunks (0-based indexing). If you have a script that uses this parameter, please update it accordingly. If you specify a chunk equal to numchunks, you will get an error.

v3.0.3

15 May 18:29
1b32705

Changes:

  • Updated to allow disk use in all pipe queries (#460)

v3.0.2

10 May 16:01
451e096

Changes:

  • Remove DBName, ImportDirectory Config Settings (#438)
  • Create Database Only After Valid Files Are Found (#442)
  • Removing code for Ubuntu 14.04 (#457)
  • Avoid downloading executable script to /tmp during bro install (#458)

v3.0.1

16 Apr 01:50
4d1b00c

Changes:

  • Store the dns client IPs for each queried hostname (#436)
  • Remove unused Logmover code (#445)
  • Converted print statements to logs (#446)

Bugfixes:

  • Fix Typos For Rolling Imports (#444)
  • Remove Tags From Bro Log Types (Recognize Security Onion http log) (#439)

v3.0.0

09 Apr 16:56
956c005

See the v3.0.0-beta1 release notes for a list of changes.

Since v3.0.0-beta1 there was a small bug fix and documentation updates for v3.

v3.0.0-beta2

20 Mar 01:21
917cb36
Pre-release

Bugfix:

  • Threading issue with certificate importing (#435)

v3.0.0-beta1

13 Mar 17:35
Pre-release

Changes:

  • Significant changes to the analysis engine.
  • Import and analyze are combined in a single step.
  • Introduced a rolling feature that allows continually importing new data into a dataset that keeps a fixed 24 hour view.
  • No longer store the original conn, dns, or http logs. This drastically reduces the size of the stored databases.
  • Added ssl and x509 parsing (#369)
  • Added support for ja3 hashes as a client identifier.
  • Added ssl/tls certificate analysis.

Already in master:

  • Install ja3 module into Bro as part of the Rita installer. (#384)
  • Add a --disable-rita command line option. (#392)
  • Enable SSL certificate logging (#393)

Still to be done:

  • Update documentation
  • More testing to ensure this is stable

v2.0.0

15 Feb 01:03
c279d29

Changes:

  • Added bro to path by default (no prompt) (#321)
  • Implement default config values (#329)
  • Move hard-coded connection limit to config file (#311)
  • Added strobes display to command line and html reporting (#320)
  • Update blacklisted analysis (#310)
  • Made blacklist database configurable (#310)
  • Updated analysis, reset, and delete commands (#324)
  • Added NeverInclude to Filtering config section which allows for whitelisting (#328)
  • Enabling NeverInclude values by default (#336)
  • Change Logging directory structure (#339)
  • Create config options for disabling modules (#342)
  • Refuse to run import if InternalSubnets is not configured (#341)
  • InternalSubnets & Upgrading Documentation (#373)
  • Setting local_ Bro values based on InternalSubnets (#350)

Bugfixes:

  • Prevent freqConn collection from being reset (#323)
  • Added total duration field into uconns (#318)
  • Fixed show databases issue (#326)

Config file changes:

  • Added Enabled flags to each section to allow turning analysis modules on or off individually. All are enabled by default.
  • Filtering section added to defaults.
  • Filtering: NeverInclude section added and initialized to safe universal values.
  • Filtering: InternalSubnets section commented out by default. ❗ IMPORTANT ❗ This config section must be filled out before RITA will process new data.

General Notes:

This release includes new aliases and flags to commands to help streamline workflow.

  • reset-analysis -> reset. Added flag -f|--force to bypass prompt.
  • analyze. Added flag -r|--reset to automatically perform reset without prompting followed by analyze.
  • delete-database -> delete. Added -f|--force flag to bypass prompt.

v2.0.0-beta1

19 Dec 04:32
104a1ce
Pre-release

This version makes significant changes to the modules that are run. It removes a couple of low-value, high-cost analysis modules, which should greatly improve performance for large datasets. To use this version of RITA with older datasets, they must be re-analyzed (rita reset-analysis <dataset> && rita analyze <dataset>).

Removed:

  • Removed scans module from analysis, reporting, and config (#281)
  • Removed blacklisted urls and safebrowsing analysis, reporting, and config (#279)
  • Removed long urls analysis and reporting (#283)
  • Removed http sanitization (#283)
  • Removed IPv4 and IPv6 collections and combined them into host (#294) (#285)
  • Removed crossref analysis (#303)

Changes:

  • Stored connection count and average bytes in beacons collection (#297) (#285)
  • Stored longest duration in uconn and host collections (#298) (#285)
  • Stored several new beacon/blacklist metrics in the host collection (#300) (#285)
  • If connections between two hosts are over 250k, all are removed at import time (#291)
  • Filter internal-to-internal and external-to-external traffic with exclusions (#301)

Bugfixes:

  • Prevent rare case of MetaDatabase state causing crash (#287)

Config file changes:

  • Removed Scanning section
  • Removed Blacklisted: SafeBrowsing subsection
  • Optional Filtering section added (but not included by default)

Known Issues:

  • The show-databases command does not work in some cases (#319)
  • If InternalSubnets is not configured (as is the default) RITA will filter all connections (#341)