_____  ____   __    __   _  _  ____  ____  ____ 
(  _  )(_  _) /__\  (  ) ( \/ )(_   )( ___)(  _ \
 )(_)(   )(  /(__)\  )(__ \  /  / /_  )__)  )   /
(_____) (__)(__)(__)(____)(__) (____)(____)(_)\_)
        >>> otaris traffic analyzer

About

Nowadays developers rely heavily on using third-party-libraries, without knowing much about their inner workings. This imposes a risk on privacy and data confidentiality, since sometimes these libraries transmit sensible information or tracking data to remote hosts.

The OTARIS traffic analyzer (OTAlyzer) is a tool to analyze large amounts of network traffic by searching for occurences of keywords, e.g. the transmission of passwords or private data. In addition to plaintext, the OTAlyzer also detects various hash-formats and outputs additional metadata for each finding, such as the location of the remote host, the TLS-ciphers it supports or the severity of a finding.

You need to feed the OTAlyzer keywords and severity levels via configuration files. For more information, see Configuration.

Usage

The OTAlyzer supports .pcap[ng]-files, generated by e.g. wireshark and .mitm-files, which are the files generated by mitmdump.

Command line flags are as following:

  -f, --filename               Required. The name of the output file.

  -k, --keyword-file           Required. File containing search-keywords. You can use regex in a keyword with the
                               $regex$ prefix. Example keyword file: { "Post-Requests":["POST"],
                               "Credentials":["$regex$.*@mail[.]com"] }

  -s, --severity-level-file    Required. File specifiying the severity of each finding. An example severity level file
                               could look like this: {"Credentials": { "encrypted": 2, "unencrypted": 10 } }

  -p, --pcap-file              Required. The .pcap[ng]/mitmproxy file to analyze.

  -t, --tls                    Use TLS-decryption using the credentials supplied in the file.

  --blacklist                  Comma separated list of files tp be used as blacklists for urls (e.g. trackers) and
                               checks for plaintext occurences (to be used with large lists of URLs/IPs).

  --severity-threshold         Exit with error on a finding with a severity level higher than the threshold set. To be
                               used for CI pipelines. Can be set from 1-10.

  -v, --display-findings       Display all findings on finishing an analysis

  --help                       Display this help screen.

  --version                    Display version information.

Example usage

otalyzerworker --filename analysis -k examples/keywords.example.json -s examples/severity.example.json -p examples/http.pcap

Configuration

A keyword- and severity-file is essential for the OTAlyzer to work. You can use regex in a keyword with the $regex$ prefix.

An example keyword-file would be the following (e.g. keywords.json):

{ 
    "Email-Address": [
        "$regex$[a-zA-Z0-9]*@mail.com",
        "myname@myprovider.com"
    ]
}

This would match all alphanumerical mail addresses that end with mail.com and also the specific mail-address myname@myprovider.com.

A severity level file (e.g. severity.json) defines the levels of severity if a packet matches, from 0-10, depending on whether it was send with transport encryption or without.

{
    "Email-Address": { 
        "encrypted": 2, 
        "unencrypted": 10 
    } 
}

Installation

You can either download the binaries under releases or build them from source yourself using dotnet:

Linux

cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime linux-x64

Windows

cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime win-x64

To run the OTAlyzer, you need to have mitmproxy or wireshark installed and available in your path.

Supported Protocols

• HTTP
• HTTPS
• TCP
• MQTT