>>> otaris traffic analyzer
Nowadays developers rely heavily on third-party libraries without knowing much about their inner workings. This poses a risk to privacy and data confidentiality, since some of these libraries transmit sensitive information or tracking data to remote hosts.
The OTARIS traffic analyzer (OTAlyzer) is a tool for analyzing large amounts of network traffic by searching for occurrences of keywords, e.g. the transmission of passwords or private data. In addition to plaintext, the OTAlyzer also detects various hash formats and outputs additional metadata for each finding, such as the location of the remote host, the TLS ciphers it supports, or the severity of the finding.
You need to feed the OTAlyzer keywords and severity levels via configuration files. For more information, see Configuration.
The OTAlyzer supports .pcap[ng] files, generated by e.g. Wireshark, and .mitm files, which are the files generated by mitmdump.
Command line flags are as follows:

Minimal usage:

```
otalyzer -k [KEYWORD_FILE] -s [SEVERITY_FILE] -p [CAPTURE_FILE] --filename [OUTFILE]
```

Mandatory parameters:

- `-k | --keyword-file [file]`: File containing search keywords
- `-s | --severity-level-file [file]`: File specifying the severity of each finding
- `-p | --pcap-file [file]`: The .pcap[ng]/mitmproxy file to analyze
- `--filename [filename]`: The name of the output file

Other options:

- `--tls [sslkeylogfile]`: Use TLS decryption with the key material supplied in the file
- `--severity-threshold [0-9]`: Exit with an error on a finding whose severity level is higher than the threshold set. Intended for CI pipelines
- `--blacklist [filename{,filename,filename}]`: Use the specified files as blacklists for URLs (e.g. trackers) and check for plaintext occurrences (intended for large lists of URLs/IPs)
- `-h | --help | --usage`: Display this message

Example invocation:

```
otalyzerworker --filename analysis -k examples/keywords.example.json -s examples/severity.example.json -p examples/http.pcap
```
A keyword file and a severity file are essential for the OTAlyzer to work. You can use regex in a keyword with the
An example keyword file would be the following (e.g. keywords.json):

```json
{
  "Email-Address": [
    "$regex$[a-zA-Z0-9]*@mail.com",
    "myname@myprovider.com"
  ]
}
```
This would match all alphanumeric mail addresses that end with mail.com, and also the specific mail address myname@myprovider.com.
A severity level file (e.g. severity.json) defines the severity level, from 0-10, assigned when a packet matches, depending on whether the packet was sent with transport encryption or without it.

```json
{
  "Email-Address": {
    "encrypted": 2,
    "unencrypted": 10
  }
}
```
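To make the two configuration formats concrete, here is an added stand-alone Python example (not part of the OTAlyzer code base) that reads a keyword file and a severity file in the format shown above, scans constructed sample payloads, and applies the same threshold rule as `--severity-threshold`. Payload contents, the `SAMPLE_PAYLOADS` list and the function names are assumptions made for this illustration.

```python
import json
import re

REGEX_PREFIX = "$regex$"  # marks a keyword entry as a regular expression

# Constructed config files, in the keywords.json / severity.json format shown above.
KEYWORDS_JSON = """{
  "Email-Address": ["$regex$[a-zA-Z0-9]*@mail.com", "myname@myprovider.com"]
}"""
SEVERITY_JSON = """{
  "Email-Address": {"encrypted": 2, "unencrypted": 10}
}"""

# Constructed payloads: (sent over TLS?, decoded application data).
SAMPLE_PAYLOADS = [
    (False, "POST /login HTTP/1.1\r\n\r\nuser=alice@mail.com&pw=hunter2"),
    (True, "GET /profile?contact=myname@myprovider.com HTTP/1.1"),
    (True, "MQTT PUBLISH topic=sensor/temp payload=21.5"),
]


def compile_keywords(keyword_json):
    """Map each category to compiled patterns; '$regex$' entries are regexes, the rest literal."""
    compiled = {}
    for category, entries in json.loads(keyword_json).items():
        compiled[category] = [
            re.compile(e[len(REGEX_PREFIX):]) if e.startswith(REGEX_PREFIX) else re.compile(re.escape(e))
            for e in entries
        ]
    return compiled


def analyze(keyword_json, severity_json, payloads):
    """Return one finding per keyword hit, rated by the category's encrypted/unencrypted level."""
    keywords = compile_keywords(keyword_json)
    severity = json.loads(severity_json)
    findings = []
    for encrypted, data in payloads:
        for category, patterns in keywords.items():
            level = severity[category]["encrypted" if encrypted else "unencrypted"]
            for pattern in patterns:
                for match in pattern.finditer(data):
                    findings.append({"category": category, "match": match.group(0),
                                     "encrypted": encrypted, "severity": level})
    return findings


def exceeds_threshold(findings, threshold):
    """Same rule as --severity-threshold: fail the run if any finding is rated above it."""
    return any(f["severity"] > threshold for f in findings)


if __name__ == "__main__":
    for finding in analyze(KEYWORDS_JSON, SEVERITY_JSON, SAMPLE_PAYLOADS):
        print(finding)
```

The unencrypted login hit is rated 10 and the TLS-protected one 2, so a threshold of 9 fails the run while a threshold of 10 passes it.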
You can either download the binaries under releases or build them from source yourself using dotnet:

```
cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime linux-x64
cd OTAlyzer.AnalyticsWorker && dotnet publish -c Release -p:PublishSingleFile=true --self-contained true --runtime win-x64
```
To run the OTAlyzer, you need to have mitmproxy or Wireshark installed and available in your path.
- HTTP
- HTTPS
- TCP
- MQTT