Coppereye OraParser is a network traffic analyzer. It intercepts and logs all user network activity directed at an Oracle DBMS.

Coppereye OraParser can serve as a key node of a company security system, collecting information on possible unauthorized database actions over the network for further analysis and detection of malicious activity. It is a complete, easily configurable, scalable solution that converts Oracle DBMS network traffic into readable information about DB user activity. The module integrates into the corporate security system of both a small company, where it provides activity logs in text form, and a large company, where it acts as a data source for industrial malicious activity analysis systems and automated security monitoring systems.

Audit protocol includes:

1. SQL language constructions:

  • Accessing data (SELECT, INSERT, MERGE, UPDATE, DELETE), including Oracle SQL dialect extensions and constructions included in the SQL 99 and 2006 standards (constructions with subqueries, hints to the optimizer, recursive and hierarchical constructions, analytical constructions, etc.)
  • Change of DB schema (ALTER, CREATE, DROP, TRUNCATE)
  • Conditional access to data (CREATE USER, ALTER USER, DROP USER, ALTER LOGIN, DROP LOGIN, CREATE LOGIN, GRANT, REVOKE)
  • User authentication (successful/unsuccessful)
  • Management of data modification process features, read/write parameters and transaction isolation level (SET [LOCAL]-TRANSACTION)
  • Management of audit and statistics analyses (ANALYZE, AUDIT)
  • Association management (ASSOCIATE STATISTICS)
  • Change of data types and object types (CREATE TYPE, CREATE OR REPLACE TYPE, ALTER TYPE, DROP TYPE)

2. PL/SQL language constructions (creating, modifying and executing anonymous blocks, procedures, functions, object type methods, etc.)

3. Values of variables in parameterized queries

Logs are files that record queries and the opening and closing of Oracle sessions. Each file is plain text with the delimiter "{}".

Open session files, beginning with SESSOPEN, contain the following fields:

  • DTTM: begin session time (timestamp (microseconds))
  • SESSID: session ID
  • USERIP: user IP
  • DBIP: DBMS server IP
  • USERPORT: user port
  • DBPORT: DB port
  • ORAPID: Oracle process identifier
  • STIME: Oracle local start time
  • ORAHOME: ORACLE_HOME variable
  • SID: Oracle DBMS system ID
  • CLI: client name
  • OSUSR: OS user name
  • DBUSR: DB user name
  • HOST: user workstation host name
  • TERM: user workstation terminal name

Query files, beginning with REQUEST, contain the following fields:

  • DTTM: begin session time (timestamp (microseconds))
  • SESSID: session ID
  • DTTM_DIFF: time (microseconds) between first and last rows
  • ROWS_COUNT: count of rows affected by the query
  • ERROR: error codes
  • QUERY: query text
  • EXTENSIONS: expanded query information:
      • tables: tables participating in the query
      • fields: fields participating in the query
      • kind: query kind
      • type: query type
      • binds: variable binds

Close session files, beginning with SESSCLOSE, contain the following fields:

  • DTTM: begin session time (timestamp (microseconds))
  • SESSID: session ID
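
The following is an added example, not Coppereye code: a strict parser for the three record types that joins each REQUEST to its SESSOPEN by SESSID, so a query can be attributed to a DB user and client IP. It assumes the record tag comes first, fields follow in the order listed above with "{}" between them, and EXTENSIONS is an opaque string; the function names and all sample values are constructed.

```python
DELIM = "{}"
# Assumption: tag first, then the fields in the order the page lists them.
FIELDS = {
    "SESSOPEN": ["DTTM", "SESSID", "USERIP", "DBIP", "USERPORT", "DBPORT", "ORAPID", "STIME",
                 "ORAHOME", "SID", "CLI", "OSUSR", "DBUSR", "HOST", "TERM"],
    "REQUEST": ["DTTM", "SESSID", "DTTM_DIFF", "ROWS_COUNT", "ERROR", "QUERY", "EXTENSIONS"],
    "SESSCLOSE": ["DTTM", "SESSID"],
}


def parse_record(text):
    """Split one record into a dict keyed by field name, plus TAG."""
    tag, *values = text.rstrip("\r\n").split(DELIM)
    names = FIELDS.get(tag)
    if names is None:
        raise ValueError(f"unknown record tag: {tag!r}")
    # Strict count: a "{}" inside QUERY text would shift every later field,
    # so reject the record instead of mis-attributing values.
    if len(values) != len(names):
        raise ValueError(f"{tag}: expected {len(names)} fields, got {len(values)}")
    return dict(zip(names, values), TAG=tag)


def attribute_requests(records):
    """Join each REQUEST to its open session by SESSID to recover who ran it."""
    sessions, out = {}, []
    for rec in map(parse_record, records):
        sid = rec["SESSID"]
        if rec["TAG"] == "SESSOPEN":
            sessions[sid] = rec
        elif rec["TAG"] == "SESSCLOSE":
            sessions.pop(sid, None)
        else:
            # No open session (e.g. capture began mid-session): fields stay None.
            s = sessions.get(sid, {})
            out.append({"SESSID": sid, "DBUSR": s.get("DBUSR"), "USERIP": s.get("USERIP"),
                        "ERROR": rec["ERROR"], "QUERY": rec["QUERY"]})
    return out


# Constructed sample records; every value is invented for illustration.
SAMPLE = [
    DELIM.join(["SESSOPEN", "1700000000000000", "42", "10.0.0.5", "10.0.0.9", "50123", "1521",
                "3311", "2023-11-14 22:13:20", "/u01/app/oracle", "ORCL", "sqlplus",
                "alice", "APP_RO", "ws-17", "pts/0"]),
    DELIM.join(["REQUEST", "1700000001000000", "42", "1500", "3", "0",
                "SELECT name FROM staff WHERE id = :1", "tables=staff"]),
    DELIM.join(["SESSCLOSE", "1700000002000000", "42"]),
    DELIM.join(["REQUEST", "1700000003000000", "42", "900", "0", "942",
                "SELECT * FROM payroll", "tables=payroll"]),
]
```

A REQUEST that arrives with no matching open session comes back with DBUSR and USERIP set to None, which is worth surfacing in monitoring because the query cannot be attributed.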

If you would like to see OraParser in action, please attach a copy of your Oracle DBMS network traffic in pcap format (up to 100MB) and fill in the form. You will receive the audit logs back shortly.