How do I start RITA and zeek only to monitor DNS Traffic? #722
Comments
I suspect that Zeek will only see DNS traffic and whatever else happens to this DNS server, like SSH and such. I don't think you will need to disable anything; it will just work like there is no other traffic. Try it out and see what you get with RITA. I imagine you will see DNS activity but no beacon activity nor other things that come from the connection data Zeek analyzes.
Thank you,
Brian Kirk
OK, in this case, to analyse the beacon, do I need to capture the network traffic as well?
Yeah, you will need to have a SPAN or tap sent to a network interface that is in promiscuous mode and capture all the traffic. I also have never used Zeek to capture traffic on an interface that was not in promiscuous mode, but I would expect it to work.
OK. The issue here is that since my server acts as a BIND recursive DNS server, enabling Zeek would definitely increase overhead, and I definitely would want to avoid that; hence I wanted only to capture the DNS traffic and then analyze it with RITA. Will that be good enough?
If it is only capturing DNS, I would imagine Zeek wouldn't add much overhead, and RITA should only add a little since it won't have much, if any, beacon traffic to analyze. You can also capture Zeek logs for your DNS on that server and scp them to another system for RITA to do the analysis. They don't need to run on the same system, and I think Mongo and RITA will be your biggest resource hogs, if they are using too much, that is, but I don't think they will.
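Added example (not RITA's or Zeek's own code) of the "copy the logs elsewhere and analyze there" approach suggested above. It assumes the hourly Zeek logs from the DNS server, and from a second Zeek sensor on the SPAN/tap, have already been copied to the RITA host (for instance with scp from cron), and that both sensors write Zeek's default TSV format, where header lines start with `#` and each file ends with a `#close` line. When both sensors rotated a file of the same name for the same hour (for example, the tap sensor also produced a dns log), the data rows are appended under a single header so the merged file still parses as one Zeek log; files whose `#fields` lines differ are refused rather than silently mixed. All directory names and file contents are constructed samples.

```python
"""Merge the Zeek log directories copied from two sensors into one directory for
RITA to import.  Added example (not RITA's or Zeek's code); the sample log
contents below are constructed."""
import gzip
import os
import shutil
import tempfile


def open_log(path, mode="rt"):
    """Zeek rotates logs to .log.gz; open either form as text."""
    return gzip.open(path, mode) if path.endswith(".gz") else open(path, mode)


def concat_zeek_logs(first, second, dest):
    """Write dest = header of `first`, data rows of both, one trailing '#close'.
    Refuses to merge logs whose '#fields' lines differ (e.g. sensors running
    different Zeek versions or scripts), since the columns would not line up."""
    def header_fields(path):
        with open_log(path) as f:
            return next((l for l in f if l.startswith("#fields\t")), None)
    if header_fields(first) != header_fields(second):
        raise ValueError(f"#fields differ: {first} vs {second}")
    with open_log(first) as a, open_log(second) as b, open_log(dest, "wt") as out:
        for line in a:
            if not line.startswith("#close"):
                out.write(line)
        close_line = "#close\t-\n"
        for line in b:
            if line.startswith("#close"):
                close_line = line          # keep the later file's close marker
            elif not line.startswith("#"):
                out.write(line)            # data rows only; header already written
        out.write(close_line)


def merge_log_dirs(src_dirs, dest_dir):
    """Copy every *.log / *.log.gz from src_dirs into dest_dir; a file name seen
    twice (same log type, same rotation hour, both sensors) is concatenated.
    Returns the names that needed concatenation."""
    os.makedirs(dest_dir, exist_ok=True)
    concatenated = []
    for src in src_dirs:
        for name in sorted(os.listdir(src)):
            if not name.endswith((".log", ".log.gz")):
                continue
            s, d = os.path.join(src, name), os.path.join(dest_dir, name)
            if os.path.exists(d):
                tmp = os.path.join(dest_dir, ".merge-" + name)  # keeps the .gz suffix
                concat_zeek_logs(d, s, tmp)
                os.replace(tmp, d)
                concatenated.append(name)
            else:
                shutil.copy2(s, d)
    return concatenated


def demo_merge():
    """Constructed sample: the DNS sensor and the tap sensor both rotated a dns log
    for the 10:00 hour; only the tap sensor has a conn log."""
    root = tempfile.mkdtemp()
    dns_dir, tap_dir, out = (os.path.join(root, n) for n in ("dns_sensor", "tap_sensor", "merged"))
    os.makedirs(dns_dir)
    os.makedirs(tap_dir)
    hdr = "#separator \\x09\n#path\tdns\n#fields\tts\tid.orig_h\tid.resp_h\tquery\n"
    samples = {
        (dns_dir, "dns.10:00:00-11:00:00.log.gz"): hdr + "1644836400.1\t10.0.0.5\t10.0.0.53\ta.example\n#close\t2022-02-14-11-00-00\n",
        (tap_dir, "dns.10:00:00-11:00:00.log.gz"): hdr + "1644836400.2\t10.0.0.53\t192.0.2.1\ta.example\n#close\t2022-02-14-11-00-01\n",
        (tap_dir, "conn.10:00:00-11:00:00.log.gz"): "#path\tconn\n#fields\tts\tid.orig_h\tid.resp_h\n1644836401.0\t10.0.0.5\t203.0.113.7\n#close\t2022-02-14-11-00-01\n",
    }
    for (d, name), text in samples.items():
        with open_log(os.path.join(d, name), "wt") as f:
            f.write(text)
    concatenated = merge_log_dirs([dns_dir, tap_dir], out)
    with open_log(os.path.join(out, "dns.10:00:00-11:00:00.log.gz")) as f:
        merged_dns = f.read().splitlines()
    return sorted(os.listdir(out)), concatenated, merged_dns


if __name__ == "__main__":
    files, concatenated, merged_dns = demo_merge()
    print("merged directory:", files)
    print("concatenated:    ", concatenated)
    print("\n".join(merged_dns))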
Hmmm... That's a good idea and a valid point. However, I'm wondering if there is an automatic mechanism to transfer the logs over the internet? And to detect a beacon, what exact information is needed along with DNS? SSL certificate fingerprints? IP addresses?
Hello, in order to detect network beacons associated with an external IP, RITA needs to analyze the Zeek

If you want to limit Zeek to only inspecting DNS traffic, follow the guide at https://www.activecountermeasures.com/improving-packet-capture-performance-1-of-3/. zeekctl.cfg is usually found at

If you are capturing internal <-> external connections on one Zeek system and capturing DNS on another, you would want to set up a cron job to scp the logs over from one system to the other, merge the two folders, and then run RITA on the resulting dataset.
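Added example, not RITA's own algorithm or code, to make concrete which log the beacon analysis consumes and why a DNS-only capture cannot feed it. It assumes (my assumption, not something this thread states) that RITA's beacon detection is driven by the per-connection records in Zeek's conn.log (ts, id.orig_h, id.resp_h, id.resp_p), and it uses a deliberately simple regularity score, the coefficient of variation of the inter-connection intervals, as a stand-in for RITA's own scoring. The conn.log and dns.log excerpts are constructed samples: a host contacting 203.0.113.7:443 every 60 s with slight jitter, a host browsing 198.51.100.9 at irregular times, and the resolver's dns.log for the same beaconing host. The point the dns.log half makes: on a DNS-only capture every record's id.resp_h is the resolver, so an internal -> external pair for the beacon destination never exists for any scorer to find.

```python
"""Simplified beacon-interval check over Zeek conn.log records.
Added example (not RITA's or Zeek's code); the scoring is a stand-in for
RITA's, and all log contents are constructed samples."""
import statistics
from collections import defaultdict

CONN_FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service".split()
DNS_FIELDS = "ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto query".split()
T0 = 1644837600.0  # arbitrary start timestamp (2022-02-14 10:40:00 UTC)


def zeek_tsv(path, fields, rows):
    """Render rows as a Zeek-style TSV log: '#'-prefixed header, data, '#close'."""
    head = ["#separator \\x09", "#set_separator\t,", "#empty_field\t(empty)",
            "#unset_field\t-", "#path\t" + path, "#fields\t" + "\t".join(fields)]
    body = ["\t".join(str(v) for v in row) for row in rows]
    return "\n".join(head + body + ["#close\t2022-02-14-12-00-00"]) + "\n"


# Constructed conn.log: 10.0.0.5 contacts 203.0.113.7:443 every 60 s (+/- 1 s jitter) ...
JITTER = [0.0, 0.8, -0.6, 0.3, -0.9, 0.5, -0.2, 0.7, -0.4, 0.1]
BEACON_ROWS = [(f"{T0 + 60 * i + JITTER[i]:.3f}", f"Cb{i}", "10.0.0.5", 50000 + i,
                "203.0.113.7", 443, "tcp", "ssl") for i in range(10)]
# ... while 10.0.0.8 browses 198.51.100.9 at irregular times.
GAPS = [0, 7, 130, 145, 700, 702, 1900, 1903, 1905, 4000]
BROWSE_ROWS = [(f"{T0 + g:.3f}", f"Cw{i}", "10.0.0.8", 40000 + i,
                "198.51.100.9", 443, "tcp", "ssl") for i, g in enumerate(GAPS)]
CONN_LOG = zeek_tsv("conn", CONN_FIELDS, BEACON_ROWS + BROWSE_ROWS)

# Constructed dns.log from the resolver (10.0.0.53): the beaconing host resolves
# its C2 name once a minute, but id.resp_h is always the resolver, never the C2.
DNS_ROWS = [(f"{T0 + 60 * i:.3f}", f"Cd{i}", "10.0.0.5", 53000 + i,
             "10.0.0.53", 53, "udp", "cdn-update.example.net") for i in range(10)]
DNS_LOG = zeek_tsv("dns", DNS_FIELDS, DNS_ROWS)


def parse_zeek_tsv(text):
    """Parse a Zeek TSV log into dicts keyed by the names on its '#fields' line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields\t"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            records.append(dict(zip(fields, line.split("\t"))))
    return records


def beacon_candidates(records, internal_prefix="10.", min_conns=5):
    """Score each internal -> external (orig, resp, port) pair by the regularity of
    its inter-connection intervals.  Returns pair -> (count, median_interval_s, cv),
    where cv = population stdev / mean of the intervals; a low cv means regular."""
    by_pair = defaultdict(list)
    for r in records:
        src, dst = r["id.orig_h"], r["id.resp_h"]
        if src.startswith(internal_prefix) and not dst.startswith(internal_prefix):
            by_pair[(src, dst, int(r["id.resp_p"]))].append(float(r["ts"]))
    scores = {}
    for pair, ts in by_pair.items():
        if len(ts) < min_conns:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        scores[pair] = (len(ts), round(statistics.median(gaps), 1), round(cv, 3))
    return scores


def flag_beacons(records, max_cv=0.05, **kw):
    """Pairs whose interval regularity is beacon-like (cv <= max_cv)."""
    scores = beacon_candidates(records, **kw)
    return sorted(p for p, (_, _, cv) in scores.items() if cv <= max_cv)


if __name__ == "__main__":
    print("conn.log beacons:", flag_beacons(parse_zeek_tsv(CONN_LOG)))
    print("dns.log pairs:   ", beacon_candidates(parse_zeek_tsv(DNS_LOG)))
```

Run on the constructed conn.log, the 10.0.0.5 -> 203.0.113.7:443 pair scores ten connections at a median of 60.5 s with a cv around 0.02 and is flagged, while the browsing pair's cv is above 1. Run on the constructed dns.log, no internal -> external pair exists at all, which is why the DNS-only capture discussed in this thread yields DNS findings but no beacons.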
Hi Team,
I have a DNS firewall built on Ubuntu with BIND and RPZ; I wanted to leverage Zeek and RITA by installing them on the same server. However, since it is only a DNS server, I wanted to enable only the DNS protocol in Zeek. Since I am not a pro in Zeek, I am wondering how I do it?
Can someone please help me enable DNS and disable everything else so that my system resources will be saved?
TIA
Blason R