PADS – Passive Asset Detection Engine
Posted by creining | Filed under Security
I’ve known about PADS, the Passive Asset Detection Engine, probably since it was first publicly released. I finally had a chance to try it out, and I think it is useful for identifying asset types without using active means. You can run PADS on existing pcap files or run it in daemon mode and have it listen on an interface. I decided to chew through some existing full pcaps from a Sguil sensor by using the -r flag and having PADS only report on my network assets using the -n flag:
for i in /var/log/snort/dailylogs/2005-02-2*/*; do ./pads -n 10.0.0.0/23 -r $i; done
PADS writes the data to a CSV file called assets.csv by default. The data in this file looks like this:
10.0.0.131,25,6,smtp,Generic SMTP - Possible Postfix,1109006918
10.0.0.130,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006918
10.0.0.163,443,6,ssl,OpenSSL,1109006919
10.0.0.133,22,6,ssh,OpenSSH 3.7.1p2 (Protocol 2.0),1109006919
10.0.0.156,0,1,ICMP,ICMP,1109006919
You can run a report using the PADS Text Reporting Module, pads-report.pl. A snippet of the report looks like this:
1 ------------------------------------------------------
IP: 10.0.0.135
ICMP: Enabled
Port     Service    Application
22       ssh        OpenSSH 3.7.1p1 (Protocol 2.0)
13782    unknown    unknown

2 ------------------------------------------------------
IP: 10.0.0.138
ICMP: Enabled
Port     Service    Application
22       ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
13782    unknown    unknown

3 ------------------------------------------------------
IP: 10.0.0.144
Port     Service    Application
22       ssh        OpenSSH 3.7.1p2 (Protocol 2.0)

4 ------------------------------------------------------
IP: 10.0.0.145
Port     Service    Application
22       ssh        OpenSSH 3.7.1p2 (Protocol 2.0)
7040     www        Unknown HTTP (HTTP/1.1)
PADS makes its decisions on what the application is by using a signature file, much like the one used by NMAP when using the -sV flag to do service detection. Here’s what some of the Apache signatures look like in the PADS signature file:
www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
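To make the signature format and the asset output above concrete, here is an added example (my own code, not part of PADS or this post) that reads signature lines in the service,v/vendor/version/info/,regex layout, matches them in file order against constructed banners, and emits rows in the assets.csv layout plus a per-host summary in the style of pads-report.pl. The four Apache signatures are the ones quoted above; the ssh and "Unknown HTTP" signatures, the observation list, and the assumption that PADS renders a hit as "vendor version (info)" are mine and chosen so the output matches the strings seen in the post.

```python
import csv
import io
import re

# Constructed signature set in the PADS line format shown above:
#   service,v/vendor/version/info/,regex
# The four Apache lines are the ones from the post; the ssh and fallback
# www lines are assumptions written for this example, not PADS's own.
SIGNATURES = r"""
www,v/Apache/$1//,Server: Apache\/([\S]+)[\r\n]
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+\((.*)\)
www,v/Apache/$1/$2/,Server: Apache\/([\S]+)[\s]+([\S]+)
www,v/Apache///,Server: Apache[\r\n]
ssh,v/OpenSSH/$2/Protocol $1/,^SSH-([.\d]+)-OpenSSH_([\S]+)
www,v/Unknown HTTP//$1/,^(HTTP\/[\d.]+)
""".strip()

# Constructed observations: (source ip, port, ip proto, first payload bytes).
# Proto 6 is TCP, proto 1 is ICMP (nothing to fingerprint, just "seen").
OBSERVATIONS = [
    ("10.0.0.145", 22, 6, "SSH-2.0-OpenSSH_3.7.1p2\r\n"),
    ("10.0.0.145", 7040, 6, "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
    ("10.0.0.144", 80, 6, "HTTP/1.1 200 OK\r\nServer: Apache/2.0.52 (Unix)\r\n"),
    ("10.0.0.144", 13782, 6, "\x00\x01\x02\x03"),
    ("10.0.0.156", 0, 1, ""),
]


def load_signatures(text):
    """Parse signature lines into (service, vendor, version, info, regex)."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first two commas are delimiters; the regex may contain more.
        service, vinfo, pattern = line.split(",", 2)
        # Assumed layout: "v/" prefix, "/" suffix, three "/"-separated fields.
        vendor, version, info = vinfo[2:-1].split("/", 2)
        sigs.append((service, vendor, version, info, re.compile(pattern)))
    return sigs


def identify(sigs, payload):
    """First signature (in file order) that matches wins, like nmap -sV probes."""
    for service, vendor, version, info, rx in sigs:
        m = rx.search(payload)
        if not m:
            continue
        groups = m.groups()

        def fill(template):
            # Substitute $1, $2, ... with the corresponding capture group.
            return re.sub(r"\$(\d+)",
                          lambda g: groups[int(g.group(1)) - 1] or "", template)

        app = " ".join(p for p in (vendor, fill(version)) if p)
        detail = fill(info)
        if detail:
            app += f" ({detail})"
        return service, app
    return None


def build_assets(sigs, observations, seen_at):
    """Produce rows in the assets.csv column order shown in the post."""
    rows = []
    for ip, port, proto, payload in observations:
        if proto == 1:
            service, app = "ICMP", "ICMP"
        else:
            service, app = identify(sigs, payload) or ("unknown", "unknown")
        rows.append((ip, port, proto, service, app, seen_at))
    return rows


def to_csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def report(rows):
    """Group asset rows per host, in the style of pads-report.pl."""
    hosts = {}
    for ip, port, proto, service, app, _ in rows:
        host = hosts.setdefault(ip, {"icmp": False, "ports": []})
        if proto == 1:
            host["icmp"] = True
        else:
            host["ports"].append((port, service, app))
    lines = []
    by_addr = sorted(hosts, key=lambda a: tuple(map(int, a.split("."))))
    for n, ip in enumerate(by_addr, 1):
        lines.append(f"{n} {'-' * 54}")
        lines.append(f"IP: {ip}")
        if hosts[ip]["icmp"]:
            lines.append("ICMP: Enabled")
        lines.append(f"{'Port':<9}{'Service':<10}Application")
        for port, service, app in sorted(hosts[ip]["ports"]):
            lines.append(f"{port:<9}{service:<10}{app}")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    assets = build_assets(load_signatures(SIGNATURES), OBSERVATIONS, 1109006919)
    print(to_csv(assets))
    print(report(assets))
```

The ordering of signature lines is what decides the result when several could match: the generic "Unknown HTTP" fallback is listed last so that a response carrying a Server header is attributed to Apache first, and the bare "Server: Apache" line sits after the versioned ones so a banner with a version never degrades to a vendor-only hit.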
I think this information would be a great complement within the Sguil console for doing Network Security Monitoring. Tony Lukasavage contributed code to PADS called ATM (Assets to MySQL), which takes the asset file and INSERTs the data into a MySQL database. Also, when browsing the PADS forums on Sourceforge, I saw that Matt Shelton, the PADS author, wrote: “I’m working on something similar to the Snort/Barnyard approach. It’s the same concept; the detection engine will be separated from the IO module. Look for it in the upcoming v1.2!” So, I think when Matt gets that complete it will be trivial to hack PADS into Sguil.