OpenSourceSoftware, PRADS, Security

PRADS status update…

PRADS is finally getting somewhere!

Since last time, Kacper Wysocki has joined the project, working mostly on the OS SYN/SYN-ACK fingerprinting and the DBI implementation and being a great resource in all aspects of the project.

So, at this stage, PRADS now has implemented:

* OS fingerprinting, both SYN and SYN+ACK (IP/TCP) (Compatible with p0f fingerprints)
* TCP service fingerprinting (Signatures from/compatible with pads)
* TCP discovery of hosts (SYN and SYN+ACK)
* UDP discovery of hosts (Work to be done on UDP service detection)
* UDP OS fingerprinting
* ARP discovery of hosts
* MAC vendor fingerprinting (from ARP data)
* ICMP discovery of host
* ICMP OS fingerprinting
* perl DBI support (sqlite (default), MySQL, PostgreSQL, Oracle, MSSQL…)
* Daemon mode
* Some packet statistics (received,dropped,drop-rate and dropped by interface)

All this is done passively.

ICMP and UDP fingerprinting is not 100% accurate, but it gives an indication and therefor added for building up a higher confidence level for a “total” OS detection/fingerprinting.

One of my main goals, was to use PRADS with my Sguil setup. PRADS would be replacing PADS and also giving OS info to the Sguil console. Also I would like PRADS to populate the attribute_table for Snort automatically. See for more info on the attribute_table and why you should need it.

PRADS was also intended to work separately, and now that we have support for different databases through perl DBI, it should be ready for a GUI (WebGUI maybe..). The GUI could extract the info, and maybe draw a “real-time” map of your network… First off I believe, would be the need for grouping stuff by OS, Services and IP/mask etc.

Some near future TODOs:
* TCP Service discovery/matching needs polishing for performance
* UDP Service detection (To the extent it is possible of doing so)
* Client application detection/fingerprinting
* Performance optimization all over
* Code clean up
* WebGUI or some GUI

We would also very much like help on verifying/adding fingerprints (SYN, SYN-ACK, ICMP and UDP). Testing and feedback on ideas/thoughts would also be much appreciated 😀

“Know your assets!”


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s