08 March, 2008

Testing PADS

Before putting PADS into production in a new environment, here is how I tested it.

First, I installed the version needed for integration with Sguil by applying pads.patch. Note that there is also a PADS VLAN patch. The patching and installing are described in the NSMWiki, but I didn't need to change LDFLAGS or CFLAGS for my installation.

$ patch -p0 < ../patches/pads.patch
$ ./configure
$ make
$ sudo make install
Now I can test it.
# pads -i bridge0 -n 192.168.1.0/24
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] Processing Existing assets.csv
[-] WARNING: pcap_lookupnet (bridge0: no IPv4 address assigned)
[-] Filter: (null)
[-] Listening on interface bridge0

[*] Asset Found: Port - 80 / Host - 192.168.1.3 / Service - www / Application - Apache 2.2.8 (Unix)
[*] Asset Found: Port - 25 / Host - 192.168.1.3 / Service - smtp / Application - Generic SMTP - Possible Postfix (localhost.localdomain)
Now I try without defining a network.
# pads -i bridge0 -c /usr/local/etc/pads.conf
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] WARNING: pcap_lookupnet (bridge0: no IPv4 address assigned)
[-] Filter: (null)
[-] Listening on interface bridge0

[*] Asset Found: Port - 80 / Host - 64.233.179.191 / Service - www / Application - GFE/1.3
The Google IP address pops up while I'm logged in and editing this post. When you run PADS, you don't want to monitor all traffic, or you'll be recording services on systems outside your network; restricting it to your home networks with -n, as in the first test, keeps external hosts like this one out of the asset list.

Once I began testing PADS, I realized that I needed to add some signatures, because some of the services it saw were reported as unknown. The signature below ships with PADS and is the one that detected the SMTP server in the first test.
smtp,v/Generic SMTP - Possible Postfix//$1/,220 ([-.\w]+) ESMTP\r\n
PADS uses PCRE to test matches. In this signature, the text captured inside the () is the host and domain name (localhost.localdomain in the first test), and it gets printed by referencing it as $1 in the version field. If there were a second parenthesized capture, it could be printed with $2. The signature itself, the regular expression, is everything after the second comma, so each line has the form service,version info,regex.
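
To make the two points above concrete (home-network scoping with -n, and how a signature's capture groups are substituted into the version field), here is a small Python re-implementation of the matching logic. This is an added example, not PADS code: the SMTP signature is the stock one quoted above, the Apache signature with two capture groups is an assumed example I wrote for illustration, the banners are constructed to resemble what the two tests above reported, and the output format simply imitates the "[*] Asset Found" lines.

```python
import re
import ipaddress

# Constructed signature list in PADS format: <service>,<version info>,<regex>.
# Line 1 is the stock signature quoted in the post; line 2 is an assumed
# example (not from the PADS distribution) that uses two capture groups.
SIGNATURES = r"""
# service,version info,PCRE
smtp,v/Generic SMTP - Possible Postfix//$1/,220 ([-.\w]+) ESMTP\r\n
www,v/Apache/$1/$2/,^HTTP/1\.[01] \d{3} .*\r\nServer: Apache/([\d.]+) \(([^)]+)\)
"""

# Home networks, standing in for "-n 192.168.1.0/24" (assumed, constructed).
HOME_NETS = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed observations: (host, port, first bytes of the server reply).
OBSERVATIONS = [
    ("192.168.1.3", 25, "220 localhost.localdomain ESMTP\r\n"),
    ("192.168.1.3", 80, "HTTP/1.1 200 OK\r\nServer: Apache/2.2.8 (Unix)\r\n\r\n"),
    ("64.233.179.191", 80, "HTTP/1.1 200 OK\r\nServer: GFE/1.3\r\n\r\n"),
    ("192.168.1.4", 25, "220 mail.example.com ESMTP Postfix\r\n"),
]


def parse_signatures(text):
    """Split each line into (service, version template, compiled regex).
    Only the first two commas delimit fields; everything after the second
    comma is the regular expression, so commas inside it are preserved."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        service, version, regex = line.split(",", 2)
        sigs.append((service, version, re.compile(regex)))
    return sigs


def format_application(template, match):
    """Turn 'v/product/version/info/' into 'product version (info)', replacing
    $1, $2, ... in each field with the regex capture groups. Fields are split
    before substitution so a captured value containing '/' cannot break them."""
    fields = template.split("/")[1:4]
    product, version, info = (
        re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", f)
        for f in fields
    )
    text = product
    if version:
        text += " " + version
    if info:
        text += " (" + info + ")"
    return text


def identify(banner, sigs):
    """Return (service, application) for the first signature matching the
    banner, or None when no signature matches (an unknown service)."""
    for service, template, regex in sigs:
        m = regex.search(banner)
        if m:
            return service, format_application(template, m)
    return None


def in_home_net(host, home_nets):
    """True if the host falls inside one of the monitored networks."""
    addr = ipaddress.ip_address(host)
    return any(addr in net for net in home_nets)


def run(observations, sigs, home_nets):
    """Apply the home-network filter, then the signatures; return report lines."""
    lines = []
    for host, port, banner in observations:
        if not in_home_net(host, home_nets):
            continue  # outside the home networks: skipped, like -n does
        found = identify(banner, sigs)
        if found is None:
            lines.append(f"[-] Unknown service: Port - {port} / Host - {host}")
        else:
            service, app = found
            lines.append(f"[*] Asset Found: Port - {port} / Host - {host} / "
                         f"Service - {service} / Application - {app}")
    return lines


if __name__ == "__main__":
    for line in run(OBSERVATIONS, parse_signatures(SIGNATURES), HOME_NETS):
        print(line)
```

Running it reports the two 192.168.1.3 assets, silently drops the Google host because it is outside the home network, and flags the fourth banner as unknown: the stock signature requires "ESMTP" to be followed directly by the line ending, so a greeting like "220 mail.example.com ESMTP Postfix" does not match it, which is exactly the kind of gap that forces you to write additional signatures.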

I've already played around with adding or modifying some signatures, and I'll probably post those once I'm done testing in some different environments. There is an option (-d) to dump banner data to a pcap file, which is useful when writing new signatures.
pads -i bridge0 -c /usr/local/etc/pads.conf -d bannerdump.pcap
