AC HUNTER/RITA
#10022
We can already perform RITA log ingestion. See the link below for more information. https://docs.securityonion.net/en/2.3/other-supported-logs.html#example-rita You can also see how to set up RITA alongside Security Onion here (it is not officially supported): https://github.com/weslambert/securityonion-rita While it's a great platform, I don't see us integrating AC Hunter any time soon, other than for log ingestion, which we have done in the past.
I think Active Countermeasures AC-Hunter will complement Security Onion. All you need to do is get acmlib.sh, connect_sensor.sh and zeek_log_transport.sh onto Security Onion and run bash connect_sensor.sh with your AC-Hunter IP address; logs will be copied from /nsm/zeek/logs every hour. If you like the RITA addition to Security Onion, I think you will love this one too; hopefully Security Onion will add this feature in future updates. It's free to use for the Community Edition. These are the notes from their website:
AC-Hunter Community Edition Latest Notification
February 23, 2023
It’s our sincere pleasure to announce the release of AC-Hunter 6.3.0 Community Edition!
Up until now we’ve offered RITA as a free Threat Hunting tool and AC-Hunter as a commercial Threat Hunting tool. AC-Hunter Enterprise Edition offers expanded investigation, safelisting, and integration with company services like LDAP logins and alerting. AC-Hunter Community Edition (“AC-Hunter CE”) sits in the middle of those two, providing expanded viewing and safelisting over RITA, but leaving off some of the tools and capabilities needed by larger organizations.
The best part is that AC-Hunter CE is free.
Our existing commercial AC-Hunter product is now called the AC-Hunter Enterprise Edition. While the Community Edition does not include support, we have set up a community discussion/support area for CE on our Discord server to assist users. See our CE Support section below.
We hope this makes it possible for you to perform regular threat hunts across your network.
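One thing the reply above leaves to the reader is how to tell whether the hourly copy is actually keeping up. The script below is an added example for that check; it is not code from this thread and not Active Countermeasures' connect_sensor.sh or zeek_log_transport.sh. It assumes the standard zeekctl archive layout under /nsm/zeek/logs (YYYY-MM-DD/<type>.HH:MM:SS-HH:MM:SS.log.gz) and that the transport mirrors that relative path on the AC-Hunter host; neither is stated in the thread. The function names, the 2023-02-23 sample tree and its file names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread and not Active Countermeasures'
# connect_sensor.sh / zeek_log_transport.sh. It answers the question a
# practitioner has after wiring up an hourly copy: did the last run ship
# every rotated Zeek log? Assumed layout (standard zeekctl archive naming,
# not stated in the thread): <root>/YYYY-MM-DD/<type>.HH:MM:SS-HH:MM:SS.log.gz,
# mirrored to the same relative path on the AC-Hunter side.
set -u

# Print the rotated logs for DAY present under SENSOR_ROOT but absent from
# DEST_ROOT. Returns 0 if nothing is missing, 1 if something is, 2 if the
# sensor has no archive directory for that day at all (a silent failure
# mode: an empty source makes a naive "copy everything" job look healthy).
missing_zeek_logs() {
  mzl_sensor=$1; mzl_dest=$2; mzl_day=$3; mzl_missing=0
  if [ ! -d "$mzl_sensor/$mzl_day" ]; then
    echo "no Zeek archive for $mzl_day under $mzl_sensor" >&2
    return 2
  fi
  for mzl_f in "$mzl_sensor/$mzl_day"/*.log.gz; do
    [ -e "$mzl_f" ] || continue          # unmatched glob: no logs that day
    mzl_name=${mzl_f##*/}
    if [ ! -e "$mzl_dest/$mzl_day/$mzl_name" ]; then
      printf '%s\n' "$mzl_name"
      mzl_missing=1
    fi
  done
  return $mzl_missing
}

# Print the start hour (HH) of the newest archived conn log for DAY, the
# log RITA/AC-Hunter need most; returns 1 if there is none.
latest_conn_hour() {
  lch_root=$1; lch_day=$2; lch_latest=""
  for lch_f in "$lch_root/$lch_day"/conn.*.log.gz; do
    [ -e "$lch_f" ] || continue
    lch_name=${lch_f##*/}; lch_name=${lch_name#conn.}
    lch_latest=${lch_name%%:*}           # glob order is sorted, last wins
  done
  [ -n "$lch_latest" ] || return 1
  printf '%s\n' "$lch_latest"
}

# Constructed sample data: three archived hours on the sensor, and a hunter-side
# mirror missing the newest conn log, as if the last hourly run was interrupted.
# Files are empty placeholders, not real gzip data.
build_sample_tree() {
  bst_root=$1; bst_day=2023-02-23
  mkdir -p "$bst_root/sensor/$bst_day" "$bst_root/hunter/$bst_day"
  for bst_h in 00 01 02; do
    bst_next=$(printf '%02d' $(( ${bst_h#0} + 1 )))
    for bst_t in conn dns; do
      : > "$bst_root/sensor/$bst_day/$bst_t.$bst_h:00:00-$bst_next:00:00.log.gz"
    done
  done
  cp "$bst_root/sensor/$bst_day"/*.log.gz "$bst_root/hunter/$bst_day"/
  rm "$bst_root/hunter/$bst_day/conn.02:00:00-03:00:00.log.gz"
}

# Stand-alone demo on the constructed tree (real use: point the two roots at
# /nsm/zeek/logs on the sensor and the mirrored path on the AC-Hunter host).
demo_root=$(mktemp -d)
build_sample_tree "$demo_root"
echo "newest archived conn hour: $(latest_conn_hour "$demo_root/sensor" 2023-02-23)"
if missing_zeek_logs "$demo_root/sensor" "$demo_root/hunter" 2023-02-23; then
  echo "transport is up to date"
else
  echo "transport is behind (see files above)"
fi
rm -rf "$demo_root"
```

In real use you would run missing_zeek_logs on the AC-Hunter host against a pulled copy of the sensor's directory listing (or over SSH), and alert when the return code is non-zero or when latest_conn_hour lags the current hour by more than one; the return code 2 case matters because a sensor whose Zeek archive stopped rotating produces nothing to copy and would otherwise look healthy.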