Merge remote-tracking branch 'origin/develop'

Author: caffeinatedpixel

.env

@@ -9,5 +9,8 @@ CONFIG_DIR=./deployment
 CONFIG_FILE=./config.hjson
 SYSLOG_ADDRESS=localhost:514
 DB_ADDRESS=localhost:9000
+CLICKHOUSE_USERNAME=default
+CLICKHOUSE_PASSWORD=
 LOGGING_ENABLED=true
 LOG_LEVEL=1
+

.env.production

@@ -9,6 +9,8 @@ CONFIG_FILE=/etc/rita/config.hjson
 SYSLOG_ADDRESS=syslogng:5514
 APP_LOGS=/var/log/rita
 DB_ADDRESS=db:9000
+CLICKHOUSE_USERNAME=default
+CLICKHOUSE_PASSWORD=
 LOGGING_ENABLED=true
 LOG_LEVEL=1
 

.github/workflows/build.yml

@@ -8,6 +8,7 @@ on:
   push: 
     branches: 
       - "main"
+      - "develop"
     tags:
       - "v*.*.*"
   workflow_dispatch:

.github/workflows/release.yml

@@ -16,7 +16,7 @@ on:
 
   workflow_run:
     workflows: ["Build Docker Images"]
-    branches: [main]
+    branches: [main, develop]
     types: 
         - completed
 

.github/workflows/test.yml

@@ -3,7 +3,9 @@ name: Tests
 on: 
   pull_request:
   push:
-    branches: 'main'
+    branches: 
+      - 'main'
+      - 'develop'
 
 # Temporarily splitting out tests into separate jobs for improving workflow execution time 
 jobs:
@@ -16,7 +18,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
       - name: Install dependencies
         run: go get .
       - name: Build
@@ -41,7 +43,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
       - name: Install dependencies
         run: go get .
       - name: Build
@@ -67,7 +69,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
       - name: Install dependencies
         run: go get .
       - name: Build
@@ -92,7 +94,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
       - name: Install dependencies
         run: go get .
       - name: Build
@@ -118,7 +120,7 @@ jobs:
       - name: Setup Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.22'
+          go-version: '1.24'
       - name: Install dependencies
         run: go get .
       - name: Build

.vscode/launch.json

@@ -0,0 +1,34 @@
+{
+    // Use IntelliSense to learn about possible attributes.
+    // Hover to view descriptions of existing attributes.
+    // For more information, visit: https://go.microsoft.com/fwlink/?linkid=830387
+    "version": "0.2.0",
+    "configurations": [
+
+        {
+            "name": "Launch RITA Import",
+            "type": "go",
+            "request": "launch",
+            "mode": "auto",
+            "program": "${workspaceFolder}/rita.go",
+            "args": [
+                "import",
+                "--database=${input:dbName}",
+                "--logs=${input:logPath}",
+                "--rebuild"
+            ]
+        }
+    ],
+    "inputs": [
+        {
+            "type": "promptString",
+            "id": "dbName",
+            "description": "Enter the database name"
+        },
+        {
+            "type": "promptString",
+            "id": "logPath",
+            "description": "Enter the path to the logs"
+        }
+    ]
+}

.vscode/rita.code-workspace

@@ -11,6 +11,7 @@
             "golang.go",
             "hjson.hjson",
             "Tanh.hjson-formatter",
+            "redhat.vscode-yaml",
         ]
     },
     "settings": {
@@ -51,5 +52,9 @@
             "space": 4,
             "eol": "auto",
         },
+        "[yaml]": {
+            "editor.defaultFormatter": "redhat.vscode-yaml",
+            "editor.formatOnSave": true,
+        }
     }
 }

Dockerfile

@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM golang:1.22-alpine as rita-builder
+FROM --platform=$BUILDPLATFORM golang:1.24-alpine AS rita-builder
 
 ARG TARGETOS
 ARG TARGETARCH

README.md

@@ -38,18 +38,15 @@ The framework ingests [Zeek Logs](https://www.zeek.org/) in TSV or JSON format,
 
 
 ### Supported Platforms
-- ✅: Official Support
-- ⚠️: Unofficial Support
-- ❌: Unsupported
-
-| OS              | Versions | Platform | Status | 
-| :---------------- | :------ | :---- | :----: | 
-| CentOS         | `9 Stream` | `amd64` | ✅ |
-| Rocky         | `9` | `amd64` | ✅ |
-| Ubuntu        |   `24.04`   | `amd64`| ✅ |
-| Windows        |    | | ❌ |
-<!-- TODO: eventually add support -->
-<!-- | MacOS        |   `Sonoma`   | `intel\|arm` | ✅ | -->
+
+The following operating systems/versions and CPU architectures are supported:
+
+| OS              | Versions         | Platform |
+| :-------------- | :--------------- | :------- |
+| CentOS          | `9 Stream`       | `amd64`  |
+| Rocky           | `9`              | `amd64`  |
+| RHEL            | `9`              | `amd64`  |
+| Ubuntu          | `22.04`, `24.04` | `amd64`  |
 
 ## Installing Zeek
 If you do not already have Zeek installed, it can be installed from [docker-zeek](https://github.com/activecm/docker-zeek).

analysis/analysis.go

@@ -43,39 +43,40 @@ type ThreatMixtape struct {
 	// Base connection details
 	AnalysisResult
 
-	FinalScore float32 `ch:"final_score"`
+	FinalScore float64 `ch:"final_score"`
 	// BEACONS
 	Beacon
-	BeaconThreatScore float32 `ch:"beacon_threat_score"` // bucketed beacon score
+	BeaconThreatScore float64 `ch:"beacon_threat_score"` // bucketed beacon score
 	BeaconType        string  `ch:"beacon_type"`
 
 	//  LONG CONNECTIONS
-	LongConnScore float32 `ch:"long_conn_score"`
+	LongConnScore float64 `ch:"long_conn_score"`
 
 	// Strobe
 	Strobe      bool    `ch:"strobe"`
-	StrobeScore float32 `ch:"strobe_score"`
+	StrobeScore float64 `ch:"strobe_score"`
 
 	// C2 over DNS
-	C2OverDNSScore           float32 `ch:"c2_over_dns_score"`
-	C2OverDNSDirectConnScore float32 `ch:"c2_over_dns_direct_conn_score"`
+	C2OverDNSScore           float64 `ch:"c2_over_dns_score"`
+	C2OverDNSDirectConnScore float64 `ch:"c2_over_dns_direct_conn_score"`
 
 	// Threat Intel
 	ThreatIntel      bool    `ch:"threat_intel"`
-	ThreatIntelScore float32 `ch:"threat_intel_score"`
+	ThreatIntelScore float64 `ch:"threat_intel_score"`
 
 	// **** MODIFIERS ****
 	// for modifiers detected during the modifiers phase
 	ModifierName  string  `ch:"modifier_name"`
-	ModifierScore float32 `ch:"modifier_score"`
+	ModifierScore float64 `ch:"modifier_score"`
 	ModifierValue string  `ch:"modifier_value"`
 
 	// modifiers that are able to be added to the same row as the threat indicator scores
 	// these are detected during the analysis phase (in the spagooper)
-	PrevalenceScore          float32 `ch:"prevalence_score"`
-	FirstSeenScore           float32 `ch:"first_seen_score"`
-	ThreatIntelDataSizeScore float32 `ch:"threat_intel_data_size_score"`
-	MissingHostHeaderScore   float32 `ch:"missing_host_header_score"`
+	PrevalenceScore          float64 `ch:"prevalence_score"`
+	NetworkSize              uint64  `ch:"network_size"`
+	FirstSeenScore           float64 `ch:"first_seen_score"`
+	ThreatIntelDataSizeScore float64 `ch:"threat_intel_data_size_score"`
+	MissingHostHeaderScore   float64 `ch:"missing_host_header_score"`
 }
 
 // NewAnalyzer returns a new Analyzer object
@@ -169,6 +170,7 @@ func (analyzer *Analyzer) runAnalysis() error {
 			ImportID:       analyzer.ImportID,
 			AnalysisResult: entry,
 			BeaconType:     entry.BeaconType,
+			NetworkSize:    analyzer.networkSize,
 		}
 
 		// set the first seen historical value
@@ -213,7 +215,7 @@ func (analyzer *Analyzer) runAnalysis() error {
 				hasThreatIndicator = true
 				mixtape.C2OverDNSScore = c2OverDNSScore
 				// run c2 over dns direct connection analysis
-				if shouldHaveC2OverDNSDirectConnModifier(entry.DirectConns, entry.QueriedBy) {
+				if mixtape.HasC2OverDNSDirectConnectionsModifier {
 					mixtape.C2OverDNSDirectConnScore = analyzer.Config.Modifiers.C2OverDNSDirectConnScoreIncrease
 				}
 			}
@@ -260,7 +262,7 @@ func (analyzer *Analyzer) runAnalysis() error {
 
 			// Threat Intel Data Size Score
 			if entry.OnThreatIntel {
-				if entry.TotalBytes >= analyzer.Config.Modifiers.ThreatIntelDataSizeThreshold {
+				if entry.TotalBytes >= uint64(analyzer.Config.Modifiers.ThreatIntelDataSizeThreshold) {
 					mixtape.ThreatIntelDataSizeScore = analyzer.Config.Modifiers.ThreatIntelScoreIncrease
 				}
 			}
@@ -274,7 +276,7 @@ func (analyzer *Analyzer) runAnalysis() error {
 			// use the current time to score against unless useCurrentTime is false
 			relativeTime := util.GetRelativeFirstSeenTimestamp(analyzer.useCurrentTime, analyzer.firstSeenMaxTS)
 			timeSince := relativeTime.Sub(entry.FirstSeenHistorical)
-			daysSinceFirstSeen := float32(timeSince.Hours() / 24)
+			daysSinceFirstSeen := float64(timeSince.Hours() / 24)
 
 			// Historical First Seen Scoring
 			// only apply to rolling datasets
@@ -307,7 +309,7 @@ func (analyzer *Analyzer) runAnalysis() error {
 	return nil
 }
 
-func calculateBucketedScore(value float64, thresholds config.ScoreThresholds) float32 {
+func calculateBucketedScore(value float64, thresholds config.ScoreThresholds) float64 {
 	base := float64(thresholds.Base)
 	low := float64(thresholds.Low)
 	medium := float64(thresholds.Med)
@@ -319,23 +321,23 @@ func calculateBucketedScore(value float64, thresholds config.ScoreThresholds) fl
 	mediumScore := config.MEDIUM_CATEGORY_SCORE * 100
 	highScore := config.HIGH_CATEGORY_SCORE * 100
 
-	score := float32(0)
+	score := float64(0)
 
 	// interpolate scores between the threat category bucket thresholds
 	switch {
 	// (Low)    1-4hrs
 	case value < base:
 		return 0
 	case value < low:
-		score = float32(noneScore + (value-base)/(low-base)*(lowScore-noneScore))
+		score = float64(noneScore + (value-base)/(low-base)*(lowScore-noneScore))
 	// (Medium) 4-8hrs
 	case value >= low && value < medium:
-		score = float32(lowScore + (value-low)/(medium-low)*(mediumScore-lowScore))
+		score = float64(lowScore + (value-low)/(medium-low)*(mediumScore-lowScore))
 	// (High)   8-12hrs+
 	case value >= medium:
 		// cap the maximum duration score value to the High category threshold because we're not scoring any higher than this
 		cappedValue := math.Min(value, high)
-		score = float32(mediumScore + (cappedValue-medium)/(high-medium)*(highScore-mediumScore))
+		score = float64(mediumScore + (cappedValue-medium)/(high-medium)*(highScore-mediumScore))
 	}
 	return score / 100
 }