In February 2008, I drafted a document (specs) on a program that I called PPADS back then (Perl Passive Asset Detection System). The program was thought to be a Perl implementation of PADS (Passive Asset Detection System) which is a program that listens to a network and attempts to provide an up-to-date look at the hosts and services running on the network.
The output at the time was:
(MAC address of the asset that sent the IP packet) source_ip:port -> (MAC address of the asset that is receiving the IP packet) destination_ip:port -> Service identification string
(001f3caedaa9) 22.214.171.124:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian
But my initial draft of the document had more… If the service string says Debian, and maybe even Etch, it is most likely a Linux server 🙂 So my draft also includes operating system guessing and fingerprinting, like p0f does.
Also, one can look at strings in client communication, for example the User-Agent header sent by a browser:
“Mozilla/5.0 (X11; U; Linux i686; en-US; rv:126.96.36.199) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5”
“Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:188.8.131.52) Gecko/2009011913 Firefox/3.0.6”
So client fingerprinting is also on the road map.
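To make the two ideas above concrete, here is an added example (not PRADS code, and not from the original post) that parses lines in the output layout shown above, keeps one inventory entry per sender MAC/IP pair, and derives an OS guess from the identification string. It assumes the identification string always describes the sender, that client-side observations use the same line layout with the User-Agent as the string, and that a string starting with "Mozilla/" marks the sender as a client; the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample observations in the layout from the post:
# (sender MAC) src_ip:port -> (receiver MAC) dst_ip:port -> identification string
# Assumption: client observations reuse this layout with the User-Agent as the string.
SAMPLE_LINES = [
    "(001f3caedaa9) 22.214.171.124:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian",
    "(001f3b938df8) 10.10.10.123:42753 -> (001f3caedaa9) 22.214.171.124:80 -> "
    "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6",
    "(001f3b938df9) 10.10.10.124:51002 -> (001f3caedaa9) 22.214.171.124:80 -> "
    "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6",
]

LINE_RE = re.compile(
    r"^\((?P<smac>[0-9a-f]{12})\) (?P<sip>[^:\s]+):(?P<sport>\d+) -> "
    r"\((?P<dmac>[0-9a-f]{12})\) (?P<dip>[^:\s]+):(?P<dport>\d+) -> (?P<ident>.+)$"
)

# Ordered OS hints, most specific first; the first match wins.
OS_RULES = [
    (re.compile(r"Ubuntu/(\d+\.\d+)"), "Ubuntu {0}"),
    (re.compile(r"\bDebian\b"), "Linux (Debian)"),
    (re.compile(r"Windows NT 5\.1"), "Windows XP"),
    (re.compile(r"\bLinux\b"), "Linux"),
    (re.compile(r"\bWindows\b"), "Windows"),
]

def guess_os(ident):
    """Return an OS guess for a service or User-Agent string, or None if nothing matches."""
    for pattern, label in OS_RULES:
        m = pattern.search(ident)
        if m:
            return label.format(*m.groups())
    return None

def parse_line(line):
    """Parse one observation line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["role"] = "client" if rec["ident"].startswith("Mozilla/") else "server"
    return rec

def build_inventory(lines):
    """Map (sender MAC, sender IP) -> {'os': guess, 'clients': set, 'services': set}."""
    inv = defaultdict(lambda: {"os": None, "clients": set(), "services": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # a garbled line must not take the whole sensor down
        asset = inv[(rec["smac"], rec["sip"])]
        if rec["role"] == "client":
            asset["clients"].add(rec["ident"])
        else:
            asset["services"].add(f"{rec['sport']}/{rec['ident']}")
        asset["os"] = asset["os"] or guess_os(rec["ident"])  # keep the first guess
    return dict(inv)
```

Running `build_inventory(SAMPLE_LINES)` yields three assets: the web server guessed as Linux (Debian) from its service banner, and two clients guessed as Ubuntu 8.10 and Windows XP from their User-Agent strings.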
I had some names in my head for what to call the project… It ended up as PRADS – Passive Real-time Asset Detection System.
But PADS and p0f can both be more, and I don’t see a good reason for not implementing such a great thing in one combined program. (And I believe that each time you fire up another “libpcap sniffer” on your sensor, it sucks juice out of your sensor, so if you use the sensor to do IPS/IDS, your total capacity drops.) Also, they seem to lack active development and signature/fingerprint updates.
I am no hardcore C/C++ hacker. Perl is easy and fast 🙂 And I want one agent to “rule them all”… meaning that I want one agent that will give me (and others) insight into what is going on in the network. Not 2, 3, 4… 10…
The project is hosted on GitHub, and people who might be interested in joining the project are welcome 🙂
My dream right now is to have a GUI that shows you an updated view of what clients (OS and client programs) and servers (OS and services) are running/being used on your network *right now*.
Visibility is gold.