Overview
Retroid OraParser is a network traffic analyzer. It intercepts and logs all user network activity to Oracle DBMS.
Retroid OraParser can be used as a company security system key node which collects information on possible network unauthorized database actions for further analysis and detection of malicious activity. Retroid OraParser is a complete, easily configurable, scalable solution that allows you to convert Oracle DBMS network traffic into readable information about a DB user activity. Our module organically integrates into the corporate security system for both small company, providing text form activity logs, and a large company, acting as a data source for industrial malicious activity analysis systems and automated security monitoring systems.
Main features
Audit protocol includes:
1. SQL language constructions:
- Accessing data (SELECT, INSERT, MERGE, UPDATE, DELETE), including SQL dialects and language modifications from ORACLE, included in SQL 99 and 2006 standard (constructions with subqueries, hints to the optimizer, recursive and hierarchical constructions, analytical constructions, etc.)
- Change of DB schema (ALTER, CREATE, DROP, TRUNCATE)
- Conditional access to data (CREATE USER, ALTER USER, DROP USER, ALTER LOGIN, DROP LOGIN, CREATE LOGIN, GRANT, REVOKE)
- Users authentication (successful/unsuccessful)
- Management of data modification process features, read/write parameters and transaction isolation level (SET [LOCAL]-TRANSACTION)
- Management of audit and statistics analyses (ANALYZE, AUDIT)
- Associates management (ASSOCIATE STATISTICS)
- Change of data types and object types (CREATE TYPE, CREATE OR REPLACE TYPE, ALTER TYPE, DROP TYPE)
2.PL\SQL language constructions (create, modify, execute anonymous blocks, procedure, function, object type methods etc.)
3.Parameterized queries variables values
Logging information
Logs are files with queries, Oracle session opening and closing. Each file include plain-text with delimiter "{}".
Open session files, beginning from SESSOPEN, contain the following fields:
| DTTM | begin session time (timestamp (microseconds)) |
| SESSID | session ID |
| USERIP | user IP |
| DBIP | DBMS server IP |
| USERPORT | user port |
| DBPORT | DB port |
| ORAPID | Oracle process identifier |
| STIME | oracle local start time |
| ORAHOME | ORACLE_HOME variable |
| SID | DBMS Oracle system ID |
| CLI | client name |
| OSUSR | OS user name |
| DBUSR | DB user name |
| HOST | user workstation host name |
| TERM | user workstation terminal name |
Query files, beginning from REQUEST, contain the following fields:
| DTTM | begin session time (timestamp (microseconds)) | ||||||||||
| SESSID | session ID | ||||||||||
| DTTM_DIFF | time (microseconds) between first and last rows | ||||||||||
| ROWS_COUNT | count of rows, affected by the query | ||||||||||
| ERROR | error codes | ||||||||||
| QUERY | query text | ||||||||||
| EXTENSIONS | expanded query information:
|
Close session files , beginning from SESSCLOSE, contain the following fields:
| DTTM | begin session time (timestamp (microseconds)) |
| SESSID | session ID |