06.29.10
Prads 0.2.0 released
As Kacper stated here, PRADS 0.2.0 has been released!
You can download some debian packages here, or you can check out the GIT repo here.
Bug reports, issues, thoughts or any comments are very welcome!
Enjoy!
03.24.10
Populating Snorts host attribute tables with PRADS
It has been a long journey, but after about two years, I finally got a way to populate Snorts host attribute table, automagically(tm)!
When I started this, my first option was to use nmap to scan the network to populate the information. This was scratched, as my goal was to be non intrusive and always up to date (The minute a new host popped up, I want to know). Scanning 65535 ports times two for each of the hosts Im monitoring is not an options also… I started to look at the Open Source tools out there, on which to use to get the information from. As I was familiar with p0f and PADS, I saw that they could do the job, but they needed some band-aid to work together, and they where lacking active development… p0f has a DB patch/version, and I already had PADS hooked up in Sguil, so I had the info in a DB, but not in the way I wanted it. So I started out on a journey to merge the two projects, enhance them, and try to speed things up a bit.
The project is still in development, but the main parts are done. It is useful in the way that it will print out information about detected hosts, like this in verbose mode (And yes, it also does IPv6):
2a02:c0:1002:100:21d:72ff:fe92:728,[syn:S4:64:1:40:M1440,S,T,N,W7:Z],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[synack:5712:63:1:40:M1440,S,T,N,W7:ZAT],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[ack:45:64:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[service:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:1]
2a02:c0:1002:10::2,[ack:45:63:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[client:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:0]
At the moment, it also makes a file in your /tmp/ dir, /tmp/prads-asset.log, which presents the info in the following way:
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,SYN,[S4:64:1:40:M1440,S,T,N,W7:Z:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SYNACK,[5712:63:1:40:M1440,S,T,N,W7:ZAT:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,ACK,[45:64:1:*:N,N,T:ZAT:Linux:2.6:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SERVER,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],1,1269420770
2a02:c0:1002:10::2,0,22,6,ACK,[45:63:1:*:N,N,T:ZAT:Linux:2.6:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,22,6,CLIENT,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],0,1269420770
Input from the community on how to present the information/output for a best possible way for integration with other applications are welcome.
To try it out, this is what I believe is necessary to install on my Ubuntu machine to run it:
$ sudo aptitude install build-essential git-core libpcre3-dev libpcap0.8-dev
$ git clone http://github.com/gamelinux/prads.git
$ cd prads/src/ && make
$ # then to start it
$ sudo ./prads -i ethX -v
For populating the Snort host attribute table, there is a script in the tools dir, prads2snort.pl, which takes the prads-asset.log file and processes it.
Example:
$ perl prads2snort.pl -i prads-asset.log -o hosts_attribute.xml -v -f
The -v (verbose) mode prints out some details, which can be good to check to see if stuff seems to be detected correctly.
Snort supports reloading of the attribute table if you give it the signal 30. (kill -30 <snort-pid>). This means, that if you discover a difference in your host attribute table (Say you got a new http service some where, or a host has changed OS), you can swap out the attribute file with a new updated one, and tell snort to reload its attribute file without restarting snort! Darn cool if you ask me 
You can read more about Snort and its host attribute table here, and you can read about another tool called Hogger here. Also, you should read the Snort documentation section 2.7 (around page 104/105) “Host Attribute Table”.
I would once again like to thank Michal Zalewski and Matt Shelton for their work on p0f and pads. I would also like to thank Martin Roesch & The Snort Team (And all the contributers) for a great application and all the effort they have put into Snort and its surroundings. (Virtually giving you the price for best Open Source security application 2000 - 2010!).
Attribute Table Loaded with 980 hosts
…
Attribute Table Reload Thread Starting…
Attribute Table Reload Thread Started, thread 363022672 (15333)
…
$ /bin/kill -30 15333
…
Swapping Attribute Tables.
…
$ /bin/kill 15333
…
===========================================
Attribute Table Stats:
Number Entries: 980
Table Reloaded: 1
===========================================
…
03.03.10
My version of pads-1.2-sguil-mods
Saturday 18 Jun 2005 Matthew J. Shelton released PADS. PADS is a great tool, and the security industry really needs a good open source passive asset tool. But since 2005, PADS development has stopped, and there are no place to send new signature or patches/bugs too, and hope that they will get added/fixed. Also, logical, there are no new features being added…
I have used PADS in my Sguil setup, but have seen that it lacks stuff that I wanted to have there, and also, there has been some problems running PADS on newer operation systems. I have a copy of the pads-1.2-sguil-mods.tar.gz, and I added it to github yesterday, fixed some issues when writing data to the FIFO file for Sguil, added some patches, among vorants vlan patch. I compiled it on Ubuntu Hardy and Jaunty (x86_64), and it has been running fine for 12+ hours.
If you try out my version of PADS and have issues, I will try to solve them. I see there are some, in stuff that I don’t use, and if I one day find the urge, I’ll fix them on my own.
I should probably also mention, shamelessly again, that there is a project that takes PADS to the next level and then some more….
You can read about PRADS here and what more it can do for you.
05.27.09
PRADS status update…
PRADS is finally getting somewhere!
Since last time, Kacper Wysocki has joined the project, working mostly on the OS SYN/SYN-ACK fingerprinting and the DBI implementation and being a great resource in all aspects of the project.
So, at this stage, PRADS now has implemented:
* OS fingerprinting, both SYN and SYN+ACK (IP/TCP) (Compatible with p0f fingerprints)
* TCP service fingerprinting (Signatures from/compatible with pads)
* TCP discovery of hosts (SYN and SYN+ACK)
* UDP discovery of hosts (Work to be done on UDP service detection)
* UDP OS fingerprinting
* ARP discovery of hosts
* MAC vendor fingerprinting (from ARP data)
* ICMP discovery of host
* ICMP OS fingerprinting
* perl DBI support (sqlite (default), MySQL, PostgreSQL, Oracle, MSSQL…)
* Daemon mode
* Some packet statistics (received,dropped,drop-rate and dropped by interface)
All this is done passively.
ICMP and UDP fingerprinting is not 100% accurate, but it gives an indication and therefor added for building up a higher confidence level for a “total” OS detection/fingerprinting.
One of my main goals, was to use PRADS with my Sguil setup. PRADS would be replacing PADS and also giving OS info to the Sguil console. Also I would like PRADS to populate the attribute_table for Snort automatically. See http://snort.org/docs/ for more info on the attribute_table and why you should need it.
PRADS was also intended to work separately, and now that we have support for different databases through perl DBI, it should be ready for a GUI (WebGUI maybe..). The GUI could extract the info, and maybe draw a “real-time” map of your network… First off I believe, would be the need for grouping stuff by OS, Services and IP/mask etc.
Some near future TODOs:
* TCP Service discovery/matching needs polishing for performance
* UDP Service detection (To the extent it is possible of doing so)
* Client application detection/fingerprinting
* Performance optimization all over
* Code clean up
* WebGUI or some GUI
We would also very much like help on verifying/adding fingerprints (SYN, SYN-ACK, ICMP and UDP). Testing and feedback on ideas/thoughts would also be much appreciated 
“Know your assets!”
02.19.09
PRADS - Passive Real-time Asset Detection System
In February 2008, I drafted a document (specs) on a program that I called PPADS back then (Perl Passive Asset Detection System). The program was thought to be a Perl implementation of PADS (Passive Asset Detection System) which is a program that listens to a network and attempts to provide an up-to-date look at the hosts and services running on the network.
My main goal was to use it with Sguil instead of PADS.
In August 2008 I implemented a proof of concept, and then in September Jan Henning Thorsen polished the code, and implemented the part that loads the PADS original service signatures.
The Output was now:
(MAC address of the asset that sent the IP packet) source_ip:port -> (MAC address of the asset that is receiving the IP packet) destination_ip:port -> Service identification string
(001f3caedaa9) 87.238.45.168:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian
But my initial draft of my document had more… If it says Debian.. and maybe even Etch… in the service string… It might even be a Linux server So my draft also includes Operating System guessing and fingerprinting like p0f does.
Also, one can look at strings in client communication etc.:
“Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5″
“Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6″
So client fingerprinting is also on the road map.
I had some names in my head on what to call the project… It ended up with PRADS - Passive Real-time Asset Detection System.
At the time of writing, PRADS has implemented Service Detection, and a PoC of OS fingerprinting.
I am currently working on loading the original p0f syn-fingerprints and basing the detection on that.
Why I am I doing this ?
PADS is really cool…
p0f is really cool
But they can both be more, and I don’t see a good reason for not implementing such a great thing in one combined program. (And I believe that each time you fire up another “libpcap sniffer” on your sensor, it suck juice out of your sensor, so if you use the sensor to do IPS/IDS, your total capability lowers). Also, they seem to lack active development and signature/fingerprints updates.
I am no hardcore C/C++ hacker. Perl is easy and fast And I want one agent to “rule them all”… meaning that I want one agent that will give me (and others) insight into what is going on in the network. Not 2,3,4…10…
The project is hosted on github, and people who might be interested in joining the project, are welcome
My dream right now, is to have a GUI that shows you an updated view of what clients(OS and Clients programs) and servers(OS and services) are running/beeing used on your network *right now*
Visibility is gold.
