
Populating Snort's host attribute tables with PRADS

It has been a long journey, but after about two years, I finally have a way to populate Snort's host attribute table, automagically(tm)!

When I started this, my first option was to use nmap to scan the network to populate the information. That was scrapped, as my goal was to be non-intrusive and always up to date (the minute a new host pops up, I want to know about it). Scanning 65535 ports, times two, for each of the hosts I'm monitoring is not an option either… I started to look at the Open Source tools out there to see which I could use to get the information from. As I was familiar with p0f and PADS, I saw that they could do the job, but they needed some band-aid to work together, and they were lacking active development… p0f has a DB patch/version, and I already had PADS hooked up in Sguil, so I had the info in a DB, but not in the way I wanted it. So I set out on a journey to merge the two projects, enhance them, and try to speed things up a bit.

The project is still in development, but the main parts are done. It is already useful in that it prints out information about detected hosts, like this in verbose mode (and yes, it also does IPv6):

2a02:c0:1002:100:21d:72ff:fe92:728,[syn:S4:64:1:40:M1440,S,T,N,W7:Z],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[synack:5712:63:1:40:M1440,S,T,N,W7:ZAT],[Linux:2.6 (newer, 7) IPv6],[link:IPv6/IPIP],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[ack:45:64:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:2hrs],[distance:0]
2a02:c0:1002:10::2,[service:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:1]
2a02:c0:1002:10::2,[ack:45:63:1:*:N,N,T:ZAT],[Linux:2.6],[uptime:4069hrs],[distance:1]
2a02:c0:1002:100:21d:72ff:fe92:728,[client:OpenSSH 5.1p1 (Protocol 2.0):22:6],[distance:0]

At the moment, it also writes a file in your /tmp/ dir, /tmp/prads-asset.log, which presents the info in the following way:

2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,SYN,[S4:64:1:40:M1440,S,T,N,W7:Z:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SYNACK,[5712:63:1:40:M1440,S,T,N,W7:ZAT:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,56268,6,ACK,[45:64:1:*:N,N,T:ZAT:Linux:2.6:uptime:2hrs],0,1269420770
2a02:c0:1002:10::2,0,22,6,SERVER,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],1,1269420770
2a02:c0:1002:10::2,0,22,6,ACK,[45:63:1:*:N,N,T:ZAT:Linux:2.6:uptime:4069hrs],1,1269420770
2a02:c0:1002:100:21d:72ff:fe92:728,0,22,6,CLIENT,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],0,1269420770

Input from the community on how best to present the information/output for integration with other applications is welcome.

To try it out, this is what I believe is necessary to install on my Ubuntu machine to run it:

$ sudo aptitude install build-essential git-core libpcre3-dev libpcap0.8-dev
$ git clone http://github.com/gamelinux/prads.git
$ cd prads/src/ && make
$ # then to start it
$ sudo ./prads -i ethX -v

For populating the Snort host attribute table, there is a script in the tools dir, prads2snort.pl, which takes the prads-asset.log file and processes it. Example:

$ perl prads2snort.pl -i prads-asset.log -o hosts_attribute.xml -v -f

The -v (verbose) mode prints out some details, which are useful for checking whether things are being detected correctly.
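As an added example (not PRADS's own prads2snort.pl), here is a Python sketch of the same conversion: it parses prads-asset.log lines like the ones shown above, keeps the best OS fingerprint per host using the SYN > SYN-ACK > ACK trust order the author gives in the comments below, and emits a Snort host attribute table as XML. The column names, the OS-to-policy map and the XML layout (written from the Snort 2 manual's example) are assumptions, so check the output against section 2.7 before loading it.

```python
import xml.etree.ElementTree as ET
SAMPLE = [  # constructed input: three lines copied from the prads-asset.log excerpt above
    "2a02:c0:1002:10::2,0,22,6,SYNACK,[5712:63:1:40:M1440,S,T,N,W7:ZAT:Linux:2.6 (newer, 7) IPv6:link:IPv6/IPIP:uptime:4069hrs],1,1269420770",
    "2a02:c0:1002:10::2,0,22,6,SERVER,[ssh:OpenSSH 5.1p1 (Protocol 2.0)],1,1269420770",
    "2a02:c0:1002:10::2,0,22,6,ACK,[45:63:1:*:N,N,T:ZAT:Linux:2.6:uptime:4069hrs],1,1269420770",
]
OS_RANK = {"SYN": 3, "SYNACK": 2, "ACK": 1}  # trust order the author gives for OS fingerprints
POLICY = {"Linux": "linux", "Windows": "windows", "FreeBSD": "bsd"}  # assumed OS -> Snort policy

def parse_line(line):  # columns (names assumed): ip,vlan,port,proto,type,[details],distance,ts
    ip, _vlan, port, proto, kind, rest = line.strip().split(",", 5)
    details, tail = rest.lstrip("[").rsplit("]", 1)  # details hold commas, so cut at the ']'
    ts = int(tail.rsplit(",", 1)[1])
    return dict(ip=ip, port=int(port), proto=int(proto), kind=kind, details=details, ts=ts)

def build_hosts(lines):  # best OS guess per IP (rank, then newest) plus every SERVER line
    hosts = {}
    for rec in map(parse_line, lines):
        h = hosts.setdefault(rec["ip"], {"os": None, "services": {}})
        if rec["kind"] in OS_RANK:  # p0f-style wss:ttl:df:size:opts:quirks:OS:version:...
            f = rec["details"].split(":")
            cand = (OS_RANK[rec["kind"]], rec["ts"], f[6], f[7])
            h["os"] = max(filter(None, [h["os"], cand]), key=lambda c: c[:2])  # ties keep old
        elif rec["kind"] == "SERVER":
            svc, app = rec["details"].split(":", 1)
            h["services"][(rec["port"], rec["proto"])] = (svc, app)
    return hosts

def _attr(parent, tag, value):  # <TAG><ATTRIBUTE_VALUE>v</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></TAG>
    e = ET.SubElement(parent, tag)
    ET.SubElement(e, "ATTRIBUTE_VALUE").text = str(value)
    ET.SubElement(e, "CONFIDENCE").text = "100"

def to_snort_xml(hosts):  # layout as in the Snort 2 manual's host attribute table example
    root = ET.Element("SNORT_ATTRIBUTES")
    table = ET.SubElement(root, "ATTRIBUTE_TABLE")
    for ip, h in sorted(hosts.items()):
        host = ET.SubElement(table, "HOST")
        ET.SubElement(host, "IP").text = ip
        if h["os"]:
            os_el = ET.SubElement(host, "OPERATING_SYSTEM")
            _attr(os_el, "NAME", h["os"][2]); _attr(os_el, "VERSION", h["os"][3])
            for tag in ("FRAG_POLICY", "STREAM_POLICY") if h["os"][2] in POLICY else ():
                ET.SubElement(os_el, tag).text = POLICY[h["os"][2]]  # frag3/stream5 target policy
        svcs = ET.SubElement(host, "SERVICES")
        for (port, proto), (svc, app) in sorted(h["services"].items()):
            s = ET.SubElement(svcs, "SERVICE")
            _attr(s, "PORT", port); _attr(s, "IPPROTO", {6: "tcp", 17: "udp"}.get(proto, str(proto)))
            _attr(s, "PROTOCOL", svc); _attr(s, "APPLICATION", app)
    return ET.tostring(root, encoding="unicode")
```

Running `to_snort_xml(build_hosts(SAMPLE))` keeps the SYN-ACK fingerprint for 2a02:c0:1002:10::2 even though an ACK line for the same host follows it, and lists the OpenSSH service on 22/tcp.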

Snort supports reloading the attribute table when you send it signal 30 (kill -30 <snort-pid>). This means that if you discover a difference in your host attribute table (say you got a new HTTP service somewhere, or a host has changed OS), you can swap out the attribute file with an updated one and tell Snort to reload its attribute file without restarting Snort! Darn cool if you ask me 🙂

You can read more about Snort and its host attribute table here, and you can read about another tool called Hogger here. Also, you should read the Snort documentation, section 2.7 (around page 104/105), “Host Attribute Table”.

I would once again like to thank Michal Zalewski and Matt Shelton for their work on p0f and PADS. I would also like to thank Martin Roesch & The Snort Team (and all the contributors) for a great application and all the effort they have put into Snort and its surroundings. (Virtually giving you the prize for best Open Source security application 2000 – 2010!)

Snort's output when the attribute table is loaded and then reloaded with kill -30 (the Snort pid here is 15333):

Attribute Table Loaded with 980 hosts

Attribute Table Reload Thread Starting…
Attribute Table Reload Thread Started, thread 363022672 (15333)

$ /bin/kill -30 15333

Swapping Attribute Tables.

$ /bin/kill 15333

===========================================
Attribute Table Stats:
Number Entries: 980
Table Reloaded: 1
===========================================


7 thoughts on “Populating Snorts host attribute tables with PRADS”

  1. Andy says:

    One question, the longer I let “./prads -i ethX” run, the better my host attribute file should end up being?

    For instance, let's think about 1 IP. Say you have 192.168.0.1 and you let the program run for a min or so and it collects some data about 192.168.0.1. What happens if you start the program again and let it run for an hour and it collects more data on 192.168.0.1 that was missing the first time? Does it add to the prads-assets.log file and fill in the missing info?

    I downloaded and installed it on my Ubuntu 9.10 machine without issue and ran successfully the first time. I had to remove the first couple lines in the xml file b/c you added your own info in there and it somehow had an IP host of 1.0.0.10. Other than that, it seems to be read into snort ok.


  2. Andy,

    That's right. The more info you gather, the better it will populate the host attribute table.

    That said, technically speaking, the TCP SYN is the most important fingerprint to have, to guess the OS. Next is the SYN-ACK. Then it's RST, FIN and stray ACKs.

    For services, it's the service string that one might see from a server. Example:
    Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8c

    I have tried to build in logic to detect when a host changes OS, say in a wireless environment, in the prads2snort script.

    PRADS appends to the prads-assets.log, so yes, you can restart PRADS as often as you wish, and the data would rather get better (when I think about it) as you would register more SYNs and SYN-ACKs which will help the logic of prads2snort.pl.

    I added my info in the file, as it has no effect on snort. As to why you have a host with ip 1.0.0.10, I can only guess that this is a host that PRADS has seen while sniffing (check prads-asset.log). prads2snort should not add that, and if it does, I would be glad to debug it 🙂

    Thanks for taking the time and giving feedback!


  3. ll says:

    Hi, what I want is to detect HTTP services non-intrusively. Can you release other Linux versions of PRADS? I just see your git://github.com/gamelinux/prads.git. I want to install it on CentOS.


  4. Paul says:

    Pretty nice post. I just stumbled upon your blog and wanted to say that I have really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!


  5. Pingback: Updating Snort’s host attribute table with Nmap and Hogger. | System Noise
