OVIZART - NG = Open VİZual Analsis foR network Traffic
This project aims aimed to analyze the traffic data in a more human readable way. It will analyze the information at the application level and displays the assembled information. It will help you analyze malwares inside the traffic as weel as anomalies. This project is an improvement to https://github.com/oguzy/ovizart project in the scope of Google Summer of Code 2013.
When a job is subscribed, the status is being as seen as pending, instead of returning a result.
Now CLI can only use the external analyzer. This issue is to integrate the CLI with ovizart's core system (Gurcan's work)
Scapy will be used for this part. The more protocol analyzers we have, the better it is.
Json format will be used.
It seems you either need pcap or some other file. It will be better to just use -i and decide by checking the file type.
We will try to do this if we have time.
Json will be used for saving the results. The format may be changed form the default one returned from Virustotal site.
If web interface is enabled, some pretty human readable visualizations should give more info about analyzed traffic.
It would be nice to detect & tag TOR Connections
By looking at confgiguration or the CLI arguments one may use its own Cuckoo installation or a central VM that will be set for API usage.
It will require a VM machine requiest from Honeynet.
User may set input file, etc. to update the Ovizart's configuration.
A step for interactive shell type interface.
This assignee might be changed depending on the workflow.
fragmented packets should be detected and add to appropriate stream
Add a location tag for real IP addresses.
Don't forget the time parameter. Latest mapping may not be accurate for time the traffic captured. Is there any GeoLocation service taking time into account?
The issue is still not clear, It can not reassemble traffic with some samples from VT Intelligence.
Tcpflow is planned to be used.
For fast access indexing mechanism should be implemented.
We can not expect people to read the code or guess the usage
The tool should be able to let analyze the live traffic.
These documents may be uploaded to the Github wiki page of the project.
It is better we have a usage like
python ovizli.py -i some.pcap --vt --cuckoo --jsunpack
The last three may mean, read the pcap, get its information, reassembled it. Then send this pcap to vt and see the result. Also send binary files to cuckoo for analysis. Also send js files to jsunpack.
You may define which files to where, at conf file.
JSUNPACK_FILES = "js"
CUCKOO_FILES = "image,binary"
VT_FILES = "pcap,binary"
If you have http data, you will be parsing it and collecting the js files to send jsunpack, if you have cuckoo options and images are defined for being parsed then you will be collecting image files at the http file and sending it for analysis and if --vt is given then you will be sending this pcap to VT also.
Current usage does not have a usage functionality, it seems. According to current condition, one will dissect every file, binary and send either VT or cuckoo one by one and see the result one by one, which then can do it manually without ovizart also. I believe we should automate some parts. What do you think?
Only options requires file parameter must be able to run with --file
It is planned to use Virustotal API as a builtin analyzer also. This will require one to create Virustotal key and add it to either configuration file or as CLI argument.
These documents may be uploaded to the Github wiki page of the project.
This requires a reasonable solution.
This will cover decorators, file structure
By using python-yara, Yara support may be added.
Sqlite will be used at the beginning for flow knowledge keeping. But this will be set at the configuration file.
An indexing mechanism should be added for reassembled traffic and extracted files, etc.
Try to check the file headers before saving so that we can add a warning if the declared extension is different than the file header.
The planned format is JSON because of its readability.
The argument(s) may include generated report options (HTML, txt, etc.), directory to save the results, etc.
Add an option for domain names and server IP(if public) addresses extracted from HTTP requests. Such as dig, nslookup, etc.
This library may be useful: http://www.dnspython.org/
or simpler solution:
http://docs.python.org/2/library/socket.html#socket.gethostbyname
http://docs.python.org/2/library/socket.html#socket.gethostbyaddr
We can add base64 guess mechanism.
Just test against the base64 constraints and warn user it may be encoded in base64.
Also we can provide decode option through UI.
It will be used for JS file analysis.
Current DB Structure is not optimal, needs refactoring. For faster access consider using multiple databases for different purposes.
When i run
/usr/bin/python /home/oguz/git/ovizart-ng/ovizcli.py --file /home/oguz/git/ovizart-ng/test/pcap/test-http.pcap -o /home/oguz/git/ovizart-ng/output/ -ck
I'm awesome
Cuckoo analyzing .................
and some results are being displayed. It may be interesting to see what is going on each step. Which flows are created, where. So add a -v or --debug option to display a detail step by step progress.
The shell type interface should let analyst analyze the traffic interactively.
Regarding the parsing of packets, to set the expectations right, hopefully we could have custom parsers that could handle traffic such as highlighted in the report from CERT.pl (chapter 6, p19):
http://www.cert.pl/news/7386/langswitch_lang/en --> http://www.cert.pl/PDF/2013-06-p2p-rap_en.pdf
Zbot-P2P is using a combination of TCP and UDP, with crypto mechanism to prevent analysis.
Hopefully, our project would highlight the different types of queries/response such as :
Table 6: List of UDP commands
CMD value Description
0x00 version query
0x01 + response
0x02 peer-list query
0x03 + response
0x04 data query
0x05 + response
0x06 super-node address broadcast
0x32 super-node address broadcast
Table 7: TCP messages list
CMD value Description
0x64 Force update - con guration file
0x66 Force update - binary file
0x68 Update request - con guration fi le
0x6A Update request - binary file
0xC8 Force update - super-node list
0xCC P2P-PROXY channel request
Use TTL, User Agent and Retransmission Timeout(if applicable) values to guess OS of IP addresses.
Test the tool against real life traffic captures over 10G files to catch unhandled exceptions
It should be possible to send data to central or local Cuckoo server using API
Test the tool against real life traffic captures from VT Intelligence service to catch unhandled exceptions
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
