- Passive:      Records and identifies traffic seen on a network without
                actively "scanning" a system. There will never be a packet
                sent from the pads application.

- Portable:     Has the ability to be placed easily on a remote system.
                Does not require additional external libraries other than
                those associated with libpcap.

- Lightweight:  Logging is sent to a simple CSV file. There is no need for
                a database or other data repository installed on the local
                machine. All correlation is done outside of the pads program.
Asset management is an important factor in information security. A good
security administrator should keep track of all devices attached to the
network. Even though active scanners such as nmap and Nessus are valuable
tools, sometimes it is necessary to identify network devices in a passive
manner. Pads was developed to sit alongside the promiscuous interface of
an IDS device. It will listen to network traffic and attempt to identify
the applications running on the network.
By day I am an IDS analyst for a managed security provider. One of the
challenges I face on a daily basis is the inability to obtain customer
asset data, particularly with the larger customers. This information is
critical not only for analysis but also for device placement and tuning.

Many IDS deployments consist of a device with two interfaces. One
interface contains a promiscuous link to a remote network and the other
link is for management and lives in the DMZ. This makes active network
scanners, like nmap, useless because the IDS team does not have anything
but a one-way link into the network. They can only listen to traffic,
not produce anything.

Pads was developed to solve this problem. It is modeled after my
favorite scanning tool nmap, specifically the "-sV" option. Unlike nmap,
it will not generate any traffic while mapping the network.
Unfortunately, this method is potentially less accurate than active
scanning but is often necessary in an IDS environment.

As mentioned earlier, I am an IDS analyst by day. I see programming as a
tool to aid me in my job. This project was developed outside of work
since I do not get paid to code. It was written to fulfill a need for
me. Hopefully others within the community will also get the chance to
benefit
-w <file>       : Dump data into file other than assets.csv.
Additional arguments will be processed as a libpcap filter. For example,
the following command will not only use interface hme1 but will also only
search for assets on port 22:
    pads -i hme1 port 22
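To show the passive approach in miniature, here is an added Python sketch (not pads' own code) that applies a small, constructed signature table to captured server banners, honours a "port 22"-style filter, and writes one CSV row per newly identified asset; the signatures, CSV columns and sample traffic are all this example's own assumptions.

```python
import csv, io, re
# Constructed signature table (this example's own, not the pads signature file):
# service name, PCRE-style regex over the server's first payload, and a template
# that turns the capture groups into an application/version string.
SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-(\d\.\d)-([\w.-]+)"), "{1} (protocol {0})"),
    ("http", re.compile(rb"^HTTP/1\.[01] \d{3} [^\r\n]*\r\nServer: ([^\r\n]+)"), "{0}"),
    ("smtp", re.compile(rb"^220 [^\r\n ]+ (ESMTP|SMTP) ([^\r\n]+)"), "{1}"),
]

def match_bpf(port_filter, src_port, dst_port):
    """Stand-in for a libpcap filter such as 'port 22': None means no filter,
    otherwise one endpoint of the packet must use that port."""
    return port_filter is None or port_filter in (src_port, dst_port)

def identify(payload):
    """Return (service, application) for the first matching signature, else None."""
    for service, regex, template in SIGNATURES:
        m = regex.search(payload)
        if m:
            return service, template.format(*(g.decode("latin-1") for g in m.groups()))
    return None

def detect_assets(packets, port_filter=None):
    """Passively build the asset list from observed server->client payloads given as
    (src_ip, src_port, dst_port, proto, payload). Nothing is ever sent; one row per key."""
    assets = {}
    for src_ip, src_port, dst_port, proto, payload in packets:
        if not match_bpf(port_filter, src_port, dst_port):
            continue
        key = (src_ip, src_port, proto)
        hit = None if key in assets else identify(payload)  # only observe, never probe
        if hit:
            assets[key] = (src_ip, src_port, proto, hit[0], hit[1])
    return list(assets.values())

def to_csv(rows):
    """Render asset rows as CSV text; the column names are this example's own."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["asset", "port", "proto", "service", "application"])
    writer.writerows(rows)
    return buf.getvalue()
# Constructed sample traffic: server banners as seen on the monitored link.
SAMPLE = [
    ("10.0.0.5", 22, 51234, "tcp", b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    ("10.0.0.5", 22, 51240, "tcp", b"SSH-2.0-OpenSSH_3.9p1\r\n"),
    ("10.0.0.8", 80, 40001, "tcp", b"HTTP/1.1 200 OK\r\nServer: Apache/2.0.54\r\n\r\n"),
    ("10.0.0.9", 25, 40002, "tcp", b"220 mail.example.test ESMTP Sendmail 8.13.4\r\n"),
]
```

Running detect_assets(SAMPLE, port_filter=22) keeps only the SSH host, the same narrowing the "port 22" filter above performs; passing no filter reports all three assets.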
Regular expression support is provided by the PCRE library package, which
is open source software, written by Philip Hazel, and copyright by the
University of Cambridge, England. It can be found on the following FTP
site:

    ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/
Please let me know if you have constructive feedback, need help, or have
a bug / issue with the application. For the time being, please contact
me at matt@mattshelton.com.
$Id: README,v 1.2 2005/06/15 22:09:34 mattshelton Exp $

vim:expandtab:sw=4:ts=4:tw=72:
$Id: README,v 1.2 2005/11/02 23:56:12 jfs Exp $