• Stars
    star
    229
  • Rank 174,666 (Top 4 %)
  • Language Standard ML
  • Created almost 16 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Passive Real-time Asset Detection System

PRADS

 ______
|  __  |                  __
| _____|.----..------..--|  |.-----. (tm)
|  |    |  |-'|  __  ||  _  |__  --'
|__|    |__|  |____|_||_____|______|

Passive Real-time Asset Detection system!

Baut'

PRADS stands for Passive Real-time Asset Detection System. PRADS passively listens to network traffic and gathers information about hosts and services sending traffic. One potential use of this data is to map out your network without performing an active scan (no packets are ever sent), allowing you to enumerate active hosts and services. It can also be used together with your favorite IDS/IPS setup for "event to application" correlation.

As is!

This program is provided 'as is'. We take no responsibility for anything :)

Lic

GPL v2 or better? See LICENSE

Install

See doc/INSTALL

Usage

There are several ways to use PRADS. PRADS has many commandline options, see the prads(1) man page.

Example

prads -i eth0 -l prads.log

If you run the prads service, the assets it sees will be dumped into /var/log/prads.log and look like this:

10.43.2.181,0,54354,6,SYN,[65535:64:1:64:M1460,N,W2,N,N,T,S,E,E:P:MacOS:iPhone OS 3.1.3 (UC):link:ethernet/modem:uptime:1574hrs],0,1300882012
10.43.2.181,0,0,0,ARP (Apple),C8:BC:C8:48:65:CA,0,1300882017

This information can be further processed, inserted into an SQL database etc.

The general format of this data is:

asset,vlan,port,proto,service,[service-info],distance,discovered

... where ...

asset        = The ip address of the asset.
vlan         = The virtual lan tag of the asset.
port         = The port number of the detected service.
proto        = The protocol number of the matching fingerprint.
service      = The "Service" detected, like: TCP-SERVICE, UDP-SERVICE, SYN, SYNACK,MAC,.....
service-info = The fingerprint that the match was done on, with info.
distance     = Distance based on guessed initial TTL (service = SYN/SYNACK)
discovered   = The timestamp when the data was collected

Let it sniff your network for a while and you will be able to do anomaly detection.

SNORT (snort.org)

The prads2snort script may be used to convert the prads log into a hosts_attribute.xml file that can be used by snort to decide fragmentation policies, for better event detection. http://snort.org/docs/snort_manual/node189.html

Sguil (sguil.net)

You can feed events from PRADS straight into sguil replacing pads by using the sguil pads agent. PRADS supports the -f fifo argument and the 'fifo: /path/to/fifo' configuration option to feed events into a FIFO.

SQL database, WebGUI etc.

This is on the agenda. There will be a webgui to the database, for easy browsing of your network.

More Repositories

1

passivedns

A network sniffer that logs all DNS server replies for use in a passive DNS setup
C
1,614
star
2

cxtracker

Connection Tracker is a passive network connection tracker for profiling, history, auditing and network discovery.
C
46
star
3

echidna

Network Security Monitoring Framework
Perl
46
star
4

activedns

An active domain name query tool to help keep track of domain name movements...
Perl
16
star
5

pads

This is a fork of the last pads version (1.2) from Matt Shelton with the sguil patches and other patches to make it work on modern operating systems.
C
13
star
6

fpcgui

Full Packet Capture GUI
PHP
12
star
7

polman

The Advanced Policy-Manager for IPS/IDS Sensors
Perl
10
star
8

snort_preprocessor_dssl

A preprocessor for Decrypting SSL traffic in Snort
C
9
star
9

sidrule

sidrule is a simple bash-script to manage Snort/Emerging Threats/Suricata rules based on its sid
8
star
10

sidfarmer

GUI administration for Snort/Suricata IDS/IPS engines
Perl
8
star
11

nftracker

Network File Tracker (NFT)
C
8
star
12

cerdo

Cerdo - TUI to handle Snort/Suricata/VRT/ET rules and sensors
Perl
5
star
13

dote

Defender Of The Ethernet
Shell
5
star
14

ffss

A Framework For Sid Sharing
Perl
4
star
15

sguil-tools

My personal collection of some sguil tools that can be shared with the public...
Perl
4
star
16

prads-perl-version

We made a POC in perl, but consentrating on the C version. Here for historical reasons and to easy test out new ideas.
Standard ML
4
star
17

gamelinux.github.com

World Wide Web
3
star
18

pkg-fpcgui

Debian build repo for FPCGUI
2
star
19

alcanfw

A Linux Client Application+Netfilter FireWall
Perl
1
star
20

cxtracker-perl-version

I made the POC in perl, but consentrating on the C version. Here for historical reasons.
Perl
1
star