Passive Asset Detection System

About

  PADS is a signature-based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.  

  Goals:  

  • Passive: Records and identifies traffic seen on a network without actively "scanning" a system. There will never be a packet sent from the pads application.  

  • Portable: Has the ability to be placed easily on a remote system. Does not require additional external libraries other than those associated with libpcap.  

  • Lightweight: Logging is sent to a simple CSV file. There is no need for a database or other data repository installed on the local machine. All correlation is done outside of the pads program.  

      Description:  

      Asset management is an important factor in information security. A good security administrator should keep track of all devices attached to the network. Even though active scanners such as nmap and Nessus are valuable tools, it is sometimes necessary to identify network devices in a passive manner. Pads was developed to sit alongside the promiscuous interface of an IDS device. It listens to network traffic and attempts to identify the applications running on the network.  

      Author's Notes:  

      By day I am an IDS analyst for a managed security provider. One of the challenges I face on a daily basis is the inability to obtain customer asset data, particularly with the larger customers. This information is critical not only for analysis but also device placement and tuning.

    Many IDS deployments consist of a device with two interfaces. One interface contains a promiscuous link to a remote network and the other link is for management and lives in the DMZ. This makes active network scanners, like nmap, useless because the IDS team does not have anything but a one-way link into the network. They can only listen to traffic, not produce anything.

    Pads was developed to solve this problem. It is modeled after my favorite scanning tool, nmap, specifically the "-sV" option. Unlike nmap, it will not generate any traffic while mapping the network. Unfortunately, this method is potentially less accurate than active scanning but is often necessary in an IDS environment.

    As mentioned earlier, I am an IDS analyst by day. I see programming as a tool to aid me in my job. This project was developed outside of work since I do not get paid to code. It was written to fulfill a need for me. Hopefully others within the community will also get the chance to benefit from it.

      Usage:  

      While running, Pads will generate a comma-separated file containing all the unique assets and services seen on the network. The following output was taken directly from the Pads program:  

    10.0.0.1,0,0,ARP,00:06:25:78:20:75,1092511120
    10.0.0.81,0,0,ARP,00:50:da:5a:2d:ae,1092511122
    10.0.0.225,0,0,ARP,00:06:25:12:57:0e,1092511125
    10.0.0.1,0,1,ICMP,ICMP,1092511146
    10.0.0.81,0,1,ICMP,ICMP,1092511149
    10.0.0.83,0,1,ICMP,ICMP,1092511149
    10.0.0.83,22,6,ssh,OpenSSH 3.8.1 (Protocol 2.0),1092511226
    10.0.0.85,0,0,ARP,00:0c:29:ba:1e:02,1092511274
    10.0.0.85,0,1,ICMP,ICMP,1092511274
    10.0.0.83,0,0,ARP,08:00:20:a0:14:a5,1092511279
    10.0.0.85,22,6,ssh,OpenSSH 3.5p1 (Protocol 1.99),1092511282
    10.0.0.1,80,6,unknown,unknown,1092511345
    10.0.0.225,80,6,www,Ubicom/1.1,1092511364
    10.0.0.83,80,6,www,Apache 1.3.31 (Unix),1092511493

      A reporting module is included with Pads called pads-report. This program will take the raw comma-separated data and generate a more user-friendly report. The following report was processed from the comma-separated data above:  

    1 ------------------------------------------------------
    IP:       10.0.0.1
    MAC(s):   00:06:25:78:20:75  (2004/08/14 14:18:40)
    ICMP:     Enabled
    
    Port  Service    Application
    80    unknown    unknown
    
    2 ------------------------------------------------------
    IP:       10.0.0.225
    MAC(s):   00:06:25:12:57:0e  (2004/08/14 14:18:45)
    
    Port  Service    Application
    80    www        Ubicom/1.1
    
    3 ------------------------------------------------------
    IP:       10.0.0.81
    DNS:      atlas.mynet.org
    MAC(s):   00:50:da:5a:2d:ae  (2004/08/14 14:18:42)
    ICMP:     Enabled
    
    4 ------------------------------------------------------
    IP:       10.0.0.83
    MAC(s):   08:00:20:a0:14:a5  (2004/08/14 14:21:19)
    ICMP:     Enabled
    
    Port  Service    Application
    22    ssh        OpenSSH 3.8.1 (Protocol 2.0)
    80    www        Apache 1.3.31 (Unix)
    
    5 ------------------------------------------------------
    IP:       10.0.0.85
    DNS:      ws01-05.mynet.org
    MAC(s):   00:0c:29:ba:1e:02  (2004/08/14 14:21:14)
    ICMP:     Enabled
    
    Port  Service    Application
    22    ssh	OpenSSH 3.5p1 (Protocol 1.99)
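The correlation that happens outside pads, as an added example that is not part of pads or pads-report: a Python script that folds the CSV shown above into one inventory entry per host, the way pads-report does, and builds a one-line asset summary to attach to an IDS alert naming that IP. The column meanings (ip, port, IP protocol number, service, application, unix timestamp) are inferred from the sample; the rule that a later sighting of the same port replaces the earlier one and the use of UTC timestamps are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the pads CSV lines shown above (ip,port,proto,service,application,timestamp).
PADS_CSV = """\
10.0.0.1,0,0,ARP,00:06:25:78:20:75,1092511120
10.0.0.81,0,0,ARP,00:50:da:5a:2d:ae,1092511122
10.0.0.225,0,0,ARP,00:06:25:12:57:0e,1092511125
10.0.0.1,0,1,ICMP,ICMP,1092511146
10.0.0.81,0,1,ICMP,ICMP,1092511149
10.0.0.83,0,1,ICMP,ICMP,1092511149
10.0.0.83,22,6,ssh,OpenSSH 3.8.1 (Protocol 2.0),1092511226
10.0.0.85,0,0,ARP,00:0c:29:ba:1e:02,1092511274
10.0.0.85,0,1,ICMP,ICMP,1092511274
10.0.0.83,0,0,ARP,08:00:20:a0:14:a5,1092511279
10.0.0.85,22,6,ssh,OpenSSH 3.5p1 (Protocol 1.99),1092511282
10.0.0.1,80,6,unknown,unknown,1092511345
10.0.0.225,80,6,www,Ubicom/1.1,1092511364
10.0.0.83,80,6,www,Apache 1.3.31 (Unix),1092511493
"""
PROTO = {6: "tcp", 17: "udp"}  # assumption: the "proto" column is the IP protocol number

def when(ts):
    """Format a pads timestamp like pads-report does (UTC here; pads-report prints local time)."""
    return datetime.fromtimestamp(int(ts), tz=timezone.utc).strftime("%Y/%m/%d %H:%M:%S")

def parse_pads(text):
    """Fold the per-record CSV into one inventory entry per IP, as pads-report does."""
    hosts = defaultdict(lambda: {"macs": {}, "icmp": False, "services": {}})
    for ip, port, proto, service, app, ts in csv.reader(io.StringIO(text)):
        h = hosts[ip]
        if service == "ARP":
            h["macs"].setdefault(app, when(ts))  # application column holds the MAC; keep first-seen time
        elif proto == "1":
            h["icmp"] = True                     # host answered ICMP
        else:
            h["services"][(int(port), int(proto))] = (service, app)  # later sighting wins (assumption)
    return dict(hosts)

def asset_context(hosts, ip):
    """One-line asset summary for enriching an IDS alert that names this IP."""
    h = hosts.get(ip)
    if h is None:
        return f"{ip}: never seen by pads"  # an alert on a host pads never saw is itself worth a look
    parts = [f"mac={m}" for m in h["macs"]] + ["icmp=" + ("yes" if h["icmp"] else "no")]
    for (port, proto), (svc, app) in sorted(h["services"].items()):
        parts.append(f"{PROTO.get(proto, proto)}/{port}={svc} ({app})")
    return f"{ip}: " + " ".join(parts)
```

Run `parse_pads(PADS_CSV)` once per report interval and call `asset_context` from whatever consumes the IDS alerts; the inventory dict can also be diffed against the previous run to spot hosts or services that appeared since.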