PRADS (inspired by passive.sourceforge.net, lcamtuf.coredump.cx/p0f and others) is a Passive Real-time Asset Detection System.
It passively listens to network traffic and gathers information on the hosts and services it sees on the network.
This information can be used to map your network, letting you know which hosts and services are alive and in use,
or it can be used together with your favorite IDS/IPS setup for "event to host/service" correlation.
Gathering information about your hosts in real time also lets you detect assets that are connected
to the network only for a short period of time; an active network scan (nmap etc.) takes a long time
and is not commonly run continuously, so it would miss such an asset.
PRADS can also feed information into inventory programs such as http://racktables.org/ or Nagios.
The initial goal of implementing PRADS was to generate the host_attribute_table.xml for Snort automatically
and to add more information to the Sguil application. The list of useful things PRADS can be used for
is growing all the time. PRADS aims to be the one-stop shop for passive asset detection: if it can be
detected passively, PRADS should have it implemented!
PRADS is currently shipped in two versions. One is written in Perl, which is a fast
and easy way to get started. The other is written in C and aims to be the preferred
version for high-speed networks and permanent monitoring. Not every feature is implemented
in both versions, but here is an idea of what PRADS aims at:
* OS fingerprinting (IPv4 and IPv6):
  - TCP: SYN, SYN+ACK, Stray-ACK, RST, FIN (compatible with p0f fingerprints)
  - UDP (not seen in any other tools before!)
  - ICMP (not seen in any other tools before!)
  - Others to be implemented (DHCP, behavior-based, etc.)
* Service and client detection (IPv4 and IPv6):
  - TCP service and client detection (client detection not seen in any other tools before!?)
  - UDP service and client detection (not seen in any other tools before!?)
* Asset detection:
  - If an asset uses IPv4 or IPv6, it will be detected.
  - ARP detection (MAC addresses of assets)
  - VLAN detection
  - IP-in-IP and GRE decoding...

The Perl version supports DBI for database handling (SQLite (default), MySQL, PostgreSQL, Oracle, MSSQL…).
The C version is based on output modules: stdout (done), logfile (done-) and binary mode (currently being developed).
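To make concrete what "passively gathering information on hosts and services" and the asset-detection items above amount to, here is an added example (not PRADS code, written for this page) of the core bookkeeping a passive asset detector does: every frame reveals the sender's MAC and VLAN, a pure TCP SYN marks the sender as a client of the destination port, and a TCP SYN+ACK proves the sender runs a service on that port. The packet summaries are constructed inline, as a capture front-end would hand them to the asset logic; the `Asset` class, `observe`, `build_assets` and `to_host_attribute_xml` are names chosen for this example, and the XML tag names in the last function are my recollection of Snort's host attribute table layout, not something this page documents.

```python
"""Minimal passive asset table in the spirit of the PRADS description.
Added example, not PRADS code. Packet records are constructed for the demo."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from xml.sax.saxutils import escape


@dataclass
class Asset:
    ip: str
    mac: Optional[str] = None
    vlan: Optional[int] = None
    services: Set[Tuple[str, int]] = field(default_factory=set)  # ports this host answers on
    clients: Set[Tuple[str, int]] = field(default_factory=set)   # remote ports this host connects to
    first_seen: float = 0.0
    last_seen: float = 0.0


# Constructed packet summaries (hypothetical traffic on a lab segment).
SAMPLE_PACKETS = [
    dict(ts=1.0, vlan=10, src_mac="00:11:22:33:44:01", src_ip="10.0.0.5", dst_ip="10.0.0.1", proto="arp"),
    dict(ts=1.1, vlan=10, src_mac="00:11:22:33:44:01", src_ip="10.0.0.5", dst_ip="10.0.0.80",
         proto="tcp", sport=51000, dport=80, flags="S"),
    dict(ts=1.2, vlan=10, src_mac="00:11:22:33:44:50", src_ip="10.0.0.80", dst_ip="10.0.0.5",
         proto="tcp", sport=80, dport=51000, flags="SA"),
    dict(ts=2.0, vlan=20, src_mac="00:11:22:33:44:02", src_ip="10.0.0.6", dst_ip="10.0.0.80",
         proto="tcp", sport=51001, dport=443, flags="S"),
    # RST+ACK reply: port 443 is closed on 10.0.0.80, so it must not become a service.
    dict(ts=2.1, vlan=10, src_mac="00:11:22:33:44:50", src_ip="10.0.0.80", dst_ip="10.0.0.6",
         proto="tcp", sport=443, dport=51001, flags="RA"),
    # UDP carries no handshake; PRADS classifies it with payload signatures, which this
    # example does not implement, so only liveness is recorded.
    dict(ts=3.0, vlan=10, src_mac="00:11:22:33:44:50", src_ip="10.0.0.80", dst_ip="10.0.0.5",
         proto="udp", sport=514, dport=514),
]


def _touch(assets: Dict[str, Asset], ip: str, ts: float) -> Asset:
    """Return the asset for ip, creating it on first sight, and update last_seen."""
    asset = assets.get(ip)
    if asset is None:
        asset = assets[ip] = Asset(ip=ip, first_seen=ts, last_seen=ts)
    asset.last_seen = max(asset.last_seen, ts)
    return asset


def observe(assets: Dict[str, Asset], pkt: dict) -> None:
    """Fold one packet summary into the asset table."""
    src = _touch(assets, pkt["src_ip"], pkt["ts"])
    # Link-layer facts come from any frame the host sends, ARP included.
    if pkt.get("src_mac"):
        src.mac = pkt["src_mac"]
    if pkt.get("vlan") is not None:
        src.vlan = pkt["vlan"]
    if pkt["proto"] != "tcp":
        return
    flags = pkt.get("flags", "")
    if flags == "S":
        # A SYN shows the sender is a client of dst:dport. It says nothing about
        # whether dst is alive, so no asset is created for dst here.
        src.clients.add(("tcp", pkt["dport"]))
    elif flags == "SA":
        # A SYN+ACK is the sender answering on sport: a live service.
        src.services.add(("tcp", pkt["sport"]))
    # RST/ACK, FIN, stray ACK: host is alive (recorded by _touch) but no role change.


def build_assets(packets) -> Dict[str, Asset]:
    assets: Dict[str, Asset] = {}
    for pkt in packets:
        observe(assets, pkt)
    return assets


def to_host_attribute_xml(assets: Dict[str, Asset]) -> str:
    """Render the table in a Snort host-attribute-table style. Tag names are an
    assumption of this example; verify against the Snort manual before use."""
    out = ["<SNORT_ATTRIBUTES>", "<ATTRIBUTE_TABLE>"]
    for a in sorted(assets.values(), key=lambda x: x.ip):
        out.append("<HOST>")
        out.append(f"<IP>{escape(a.ip)}</IP>")
        if a.services:
            out.append("<SERVICES>")
            for proto, port in sorted(a.services):
                out.append(
                    "<SERVICE>"
                    f"<PORT><ATTRIBUTE_VALUE>{port}</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></PORT>"
                    f"<IPPROTO><ATTRIBUTE_VALUE>{escape(proto)}</ATTRIBUTE_VALUE><CONFIDENCE>100</CONFIDENCE></IPPROTO>"
                    "</SERVICE>"
                )
            out.append("</SERVICES>")
        out.append("</HOST>")
    out += ["</ATTRIBUTE_TABLE>", "</SNORT_ATTRIBUTES>"]
    return "\n".join(out)


if __name__ == "__main__":
    table = build_assets(SAMPLE_PACKETS)
    for a in sorted(table.values(), key=lambda x: x.ip):
        print(a)
    print(to_host_attribute_xml(table))
```

Note how the RST+ACK packet keeps port 443 out of the service list while still marking 10.0.0.80 as alive, and how the SYN from 10.0.0.6 records it as a client without asserting anything about the target; those two distinctions are what separate a passive asset table from a simple "IPs seen" list.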
There are currently two mailing lists you can follow: Users and Developers.
If you want to help develop PRADS, or just want to check it out, you are very welcome!
Trac admin wanted
This Trac site has only just been created and needs to grow.