>>> otaris traffic analyzer
Nowadays developers rely heavily on third-party libraries without knowing much about their inner workings. This poses a risk to privacy and data confidentiality, since such libraries sometimes transmit sensitive information or tracking data to remote hosts.
The OTARIS traffic analyzer (OTAlyzer) is a tool for analyzing large amounts of network traffic by searching for occurrences of keywords, e.g. the transmission of passwords or private data. In addition to plaintext, the OTAlyzer also detects various hash formats and outputs additional metadata for each finding, such as the location of the remote host, the TLS ciphers it supports, or the severity of the finding.
You need to feed the OTAlyzer keywords and severity levels via configuration files. For more information, see Configuration.
The OTAlyzer supports .pcap[ng] files, as generated by e.g. Wireshark, and .mitm files, which are the files generated by mitmdump.
Command line flags are as follows:
-f, --filename             Required. The name of the output file.
-k, --keyword-file         Required. File containing search keywords. You can use regex in a keyword with the $regex$ prefix. Example keyword file: { "Post-Requests": ["POST"], "Credentials": ["$regex$.*@mail[.]com"] }
-s, --severity-level-file  Required. File specifying the severity of each finding. An example severity level file could look like this: { "Credentials": { "encrypted": 2, "unencrypted": 10 } }
-p, --pcap-file            Required. The .pcap[ng]/mitmproxy file to analyze.
-t, --tls                  Use TLS decryption with the credentials supplied in the given file.
    --blacklist            Comma-separated list of files to be used as blacklists for URLs (e.g. trackers); checks for plaintext occurrences (to be used with large lists of URLs/IPs).
    --severity-threshold   Exit with an error on a finding with a severity level higher than the threshold set. Intended for CI pipelines. Can be set from 1-10.
-v, --display-findings     Display all findings on finishing an analysis.
    --help                 Display this help screen.
    --version              Display version information.
otalyzerworker --filename analysis -k examples/keywords.example.json -s examples/severity.example.json -p examples/http.pcap
A keyword file and a severity file are essential for the OTAlyzer to work. You can use regex in a keyword with the $regex$ prefix.
An example keyword file would be the following (e.g. keywords.json):
{
"Email-Address": [
"$regex$[a-zA-Z0-9]*@mail.com",
"[email protected]"
]
}
This would match all alphanumeric mail addresses that end with mail.com and also the specific mail address [email protected]. Note that an unescaped `.` in a regex keyword matches any character; write `mail[.]com` (as in the --keyword-file example above) if you want to match a literal dot only.
A severity level file (e.g. severity.json) defines, per keyword category, the severity (from 0-10) assigned to a packet that matches, depending on whether the packet was sent with transport encryption or without:
{
"Email-Address": {
"encrypted": 2,
"unencrypted": 10
}
}
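To make the interplay of the keyword file, the severity file and the --severity-threshold flag concrete, here is an added example that models those semantics in Python. It is not OTAlyzer's own code and is not taken from the project: the sample payloads are constructed, the keyword/severity files are written in the README's format, and the handling of hashed keywords (searching for the MD5/SHA-1/SHA-256 hex digests of each literal keyword) is an assumption about how hash detection could work, not a description of what the tool does.

```python
"""Added example (not OTAlyzer's own code): a minimal model of the README's
keyword/severity semantics, so you can see how a keyword file, a severity
file and --severity-threshold interact before wiring the tool into CI.
Everything marked 'assumption' is not stated by the project."""
import hashlib
import json
import re

REGEX_PREFIX = "$regex$"                 # documented prefix for regex keywords
HASH_ALGOS = ("md5", "sha1", "sha256")   # assumption: hash formats to look for

# Constructed keyword file in the README's format. The literal dot is written
# as [.] so it does not match arbitrary characters.
KEYWORDS_JSON = """{
  "Email-Address": ["$regex$[a-zA-Z0-9]*@mail[.]com", "alice@example.invalid"],
  "Post-Requests": ["POST"]
}"""

# Constructed severity file in the README's format (0-10 per category,
# separate values for encrypted and unencrypted transport).
SEVERITY_JSON = """{
  "Email-Address": {"encrypted": 2, "unencrypted": 10},
  "Post-Requests": {"encrypted": 1, "unencrypted": 3}
}"""


def compile_keywords(keyword_cfg):
    """Map each category to compiled patterns. Literal keywords are escaped;
    $regex$ keywords are used verbatim. For literals we additionally search
    for their hex digests, one plausible way to catch a hashed leak
    (assumption about hash detection, not taken from the project)."""
    compiled = {}
    for category, words in keyword_cfg.items():
        patterns = []
        for word in words:
            if word.startswith(REGEX_PREFIX):
                patterns.append(re.compile(word[len(REGEX_PREFIX):]))
                continue
            patterns.append(re.compile(re.escape(word)))
            for algo in HASH_ALGOS:
                digest = hashlib.new(algo, word.encode()).hexdigest()
                patterns.append(re.compile(digest, re.IGNORECASE))
        compiled[category] = patterns
    return compiled


def analyze(payloads, compiled, severity_cfg):
    """Scan decoded payloads (dicts with dst, encrypted, data). The severity
    of a match is the category's encrypted/unencrypted value."""
    findings = []
    for pkt in payloads:
        transport = "encrypted" if pkt["encrypted"] else "unencrypted"
        for category, patterns in compiled.items():
            for pattern in patterns:
                for match in pattern.finditer(pkt["data"]):
                    findings.append({
                        "category": category,
                        "match": match.group(0),
                        "dst": pkt["dst"],
                        "encrypted": pkt["encrypted"],
                        "severity": severity_cfg[category][transport],
                    })
    return findings


def max_severity(findings):
    return max((f["severity"] for f in findings), default=0)


def ci_exit_code(findings, threshold):
    """Model of --severity-threshold (1-10): non-zero exit when any finding
    is rated higher than the threshold, so the pipeline fails."""
    if not 1 <= threshold <= 10:
        raise ValueError("threshold must be between 1 and 10")
    return 1 if max_severity(findings) > threshold else 0


# Constructed sample payloads standing in for decoded pcap/mitm records.
PAYLOADS = [
    {"dst": "203.0.113.10:80", "encrypted": False,      # plaintext HTTP POST
     "data": "POST /login HTTP/1.1\r\nHost: api.example.invalid\r\n\r\n"
             "user=bob42@mail.com&pw=hunter2"},
    {"dst": "203.0.113.20:443", "encrypted": True,      # TLS-decrypted, hashed id
     "data": "GET /track?uid="
             + hashlib.sha256(b"alice@example.invalid").hexdigest() + " HTTP/1.1"},
    {"dst": "203.0.113.30:1883", "encrypted": False,    # MQTT publish, benign
     "data": "sensors/temp 21.5"},
]


def run(payloads=PAYLOADS):
    compiled = compile_keywords(json.loads(KEYWORDS_JSON))
    return analyze(payloads, compiled, json.loads(SEVERITY_JSON))


if __name__ == "__main__":
    findings = run()
    print(json.dumps(findings, indent=2))
    raise SystemExit(ci_exit_code(findings, threshold=5))
```

Running it yields three findings: the plaintext POST (severity 3), the plaintext address bob42@mail.com (severity 10) and the SHA-256 of the literal keyword inside the TLS-protected request (severity 2). With a threshold of 5 the plaintext address alone is enough to make the run exit non-zero, which is the behaviour you would rely on in a CI gate; the encrypted, hashed leak is recorded but stays below the threshold.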
You can either download the binaries under releases or build them from source yourself using dotnet:
cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime linux-x64
cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime win-x64
To run the OTAlyzer, you need to have mitmproxy or Wireshark installed and available in your PATH.
Supported protocols:
- HTTP
- HTTPS
- TCP
- MQTT