
PRADS – Passive Real-time Asset Detection System

In February 2008, I drafted a document (specs) on a program that I called PPADS back then (Perl Passive Asset Detection System). The program was thought to be a Perl implementation of PADS (Passive Asset Detection System) which is a program that listens to a network and attempts to provide an up-to-date look at the hosts and services running on the network.

My main goal was to use it with Sguil instead of PADS.

In August 2008 I implemented a proof of concept, and then in September Jan Henning Thorsen polished the code, and implemented the part that loads the PADS original service signatures.

The output was now:
(MAC address of the asset that sent the IP packet) source_ip:port -> (MAC address of the asset that is receiving the IP packet) destination_ip:port -> Service identification string

(001f3caedaa9) 87.238.45.168:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian

But my initial draft of my document had more… If it says Debian.. and maybe even Etch… in the service string… It might even be a Linux server 🙂 So my draft also includes Operating System guessing and fingerprinting like p0f does.

Also, one can look at strings in client communication etc.:
“Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5”
“Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6”
So client fingerprinting is also on the road map.
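
As an added illustration (not PRADS code): a small Python parser for the output line format shown above that also derives a coarse OS guess from the service string or a User-Agent. The `OS_HINTS` table and all function names are assumptions made for this example, not PADS or p0f signatures.

```python
import re
from collections import defaultdict

# Output line format shown in the post:
# (src_mac) src_ip:port -> (dst_mac) dst_ip:port -> service string
LINE_RE = re.compile(
    r"^\((?P<src_mac>[0-9a-fA-F]{12})\)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"\((?P<dst_mac>[0-9a-fA-F]{12})\)\s+(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s+->\s+"
    r"(?P<service>.+)$"
)

# Hypothetical hint table (assumption): substring in a banner or
# User-Agent -> guessed OS family. Order matters, first match wins.
OS_HINTS = [("windows nt", "Windows"), ("ubuntu", "Linux"),
            ("debian", "Linux"), ("linux", "Linux")]

def guess_os(text):
    """Return a coarse OS family guess from a banner or User-Agent, else None."""
    lowered = text.lower()
    return next((fam for needle, fam in OS_HINTS if needle in lowered), None)

def parse_line(line):
    """Parse one output line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["os_guess"] = guess_os(rec["service"])
    return rec

def build_inventory(lines):
    """Group detected services by the asset (source IP) that sent the banner."""
    # Key on IP: for routed traffic the MAC is the last layer-2 hop
    # (e.g. the gateway), not necessarily the remote host itself.
    inventory = defaultdict(lambda: {"mac": None, "services": set(), "os": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed or unrelated lines
        asset = inventory[rec["src_ip"]]
        asset["mac"] = rec["src_mac"]
        asset["services"].add((rec["src_port"], rec["service"]))
        if rec["os_guess"]:
            asset["os"].add(rec["os_guess"])
    return dict(inventory)

# First line is the one from the post; the second is constructed (malformed).
SAMPLE = ["(001f3caedaa9) 87.238.45.168:80 -> (001f3b938df8) 10.10.10.123:42753 -> Apache 2.2.3 Debian",
          "(zzzz) not a valid line"]
```
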

I had some names in my head on what to call the project… It ended up with PRADS – Passive Real-time Asset Detection System.

At the time of writing, PRADS has implemented Service Detection, and a PoC of OS fingerprinting.
I am currently working on loading the original p0f syn-fingerprints and basing the detection on that.

Why am I doing this?
PADS is really cool…
p0f is really cool 🙂

But they can both be more, and I don’t see a good reason for not implementing such a great thing in one combined program. (And I believe that each time you fire up another “libpcap sniffer” on your sensor, it sucks juice out of your sensor, so if you use the sensor to do IPS/IDS, your total capability lowers). Also, they seem to lack active development and signature/fingerprint updates.

I am no hardcore C/C++ hacker. Perl is easy and fast 🙂 And I want one agent to “rule them all”… meaning that I want one agent that will give me (and others) insight into what is going on in the network. Not 2,3,4…10…

The project is hosted on GitHub, and people who might be interested in joining the project are welcome 🙂

My dream right now is to have a GUI that shows you an updated view of what clients (OS and client programs) and servers (OS and services) are running/being used on your network *right now*

PRADS in Action

Visibility is gold.


2 thoughts on “PRADS – Passive Real-time Asset Detection System”

  1. Could you list the dependencies of this project? 🙂
    (Using Ubuntu)

    I have found libnet-pcap-perl and libclass-dbi-perl, but the last one drags with it a lot of other packages… I don’t like installing all kinds of packages, if not needed.

    Also, could you implement an option for pointing to the config-files? Like --conf=$HOME/prads/etc/ .. I checked it out from GIT, and it whined about not finding /etc/prads/prads.conf .. But until there is a way to install it (or am I missing something?), it would be nice just to run it directly from the git checkout directory.

    Kind regards
    Jørn
