Monday, October 08, 2007

PADS: The Future

Now that PADS is integrated with Sguil, I would assume its usage will increase. PADS passively identifies the network assets (hosts and the services they run) on your network, which in turn helps with network asset profiling. However, the main developer of PADS, Matt Shelton, is no longer actively maintaining it. Together with David Bianco, I have taken the initiative to maintain PADS, but this should be an NSM community effort rather than something we do on our own. If you are using PADS, feel free to do the following -

- report bugs

- send us patches

- test our patches

- contribute PADS signatures

Matt Shelton has given us admin access to the PADS source tree; however, we will take care to test all patches and signatures thoroughly before committing them.

Cheers ;]
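To make the two things the post asks for concrete, signatures and the passive asset table they feed, here is an added Python sketch. It is not code from PADS (which is written in C); it assumes the PADS signature-file layout `service,v/vendor/version/info/,regex`, with `$1`, `$2` standing for regex capture groups, and the signatures and banner observations are constructed for the demo rather than taken from the real signature list. The asset table is keyed on (ip, port, proto), so a banner for an asset already recorded costs one dictionary lookup and never touches the signature list, which is the kind of lookup the first comment below says PADS gets wrong when its db grows.

```python
"""PADS-style passive service identification: a signature matcher plus an
asset table keyed on (ip, port, proto). Added example, not PADS's own code."""
import re
from collections import namedtuple

# Constructed signatures in the layout this example assumes for PADS signature
# files: service,v/vendor/version/info/,regex where $1, $2 ... are regex groups.
SIGNATURES_TXT = r"""
# service,v/vendor/version/info/,regex
ssh,v/OpenSSH/$1/$2/,^SSH-[\d.]+-OpenSSH[_ ]([^ ]+)\s*(.*)$
smtp,v/Postfix///,^220 .*ESMTP Postfix
www,v/Apache/$1//,^HTTP/1\.[01] \d{3}.*\r\nServer: Apache/([\d.]+)
"""

# Constructed banner observations: (ip, port, proto, banner). Two are repeats
# of an asset already seen and one matches no signature at all.
OBSERVATIONS = [
    ("192.0.2.10", 22, "tcp", "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"),
    ("192.0.2.10", 22, "tcp", "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"),
    ("192.0.2.25", 25, "tcp", "220 mail.example.test ESMTP Postfix"),
    ("192.0.2.80", 80, "tcp", "HTTP/1.1 200 OK\r\nServer: Apache/2.2.6\r\n"),
    ("192.0.2.80", 80, "tcp", "HTTP/1.1 404 Not Found\r\nServer: Apache/2.2.6\r\n"),
    ("192.0.2.99", 8000, "tcp", "hello?"),
]

Signature = namedtuple("Signature", "service vendor version info regex")
Asset = namedtuple("Asset", "ip port proto service vendor version info")


def parse_signatures(text):
    """Parse signature lines; blank lines and '#' comments are skipped."""
    sigs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Only the first two commas separate fields; the regex may contain more.
        service, template, pattern = line.split(",", 2)
        if not (template.startswith("v/") and template.endswith("/")):
            raise ValueError(f"bad version template: {template!r}")
        vendor, version, info = template[2:-1].split("/", 2)
        sigs.append(Signature(service, vendor, version, info, re.compile(pattern)))
    return sigs


def _expand(template, match):
    """Replace $N in a template field with capture group N (empty if unmatched)."""
    return re.sub(r"\$(\d+)", lambda m: match.group(int(m.group(1))) or "", template)


def identify(banner, sigs):
    """Return (service, vendor, version, info) for the first matching signature."""
    for sig in sigs:
        m = sig.regex.search(banner)
        if m:
            return (sig.service, _expand(sig.vendor, m),
                    _expand(sig.version, m), _expand(sig.info, m))
    return ("unknown", "", "", "")


class AssetTable:
    """Assets keyed on (ip, port, proto): a repeat observation costs one dict
    lookup and never runs the signature list again."""

    def __init__(self, sigs):
        self.sigs = sigs
        self.assets = {}
        self.lookups = 0    # every observation
        self.sig_scans = 0  # only observations that reached the signature list

    def observe(self, ip, port, proto, banner):
        """Record a banner; return the new Asset, or None if already known."""
        self.lookups += 1
        key = (ip, port, proto)
        if key in self.assets:
            return None
        self.sig_scans += 1
        service, vendor, version, info = identify(banner, self.sigs)
        asset = Asset(ip, port, proto, service, vendor, version, info)
        self.assets[key] = asset
        return asset


def run_demo(observations=OBSERVATIONS):
    """Feed the constructed stream through a table; return (table, new assets)."""
    table = AssetTable(parse_signatures(SIGNATURES_TXT))
    new_assets = []
    for ip, port, proto, banner in observations:
        asset = table.observe(ip, port, proto, banner)
        if asset is not None:
            new_assets.append(asset)
    return table, new_assets


if __name__ == "__main__":
    table, new_assets = run_demo()
    for a in new_assets:
        print(f"{a.ip}:{a.port}/{a.proto} {a.service} {a.vendor} {a.version} {a.info}".rstrip())
    print(f"{table.lookups} observations, {table.sig_scans} signature scans")
```

Running it reports four new assets (ssh, smtp, www and one unknown service on port 8000) from six observations, with only four signature scans: the two repeat banners are answered by the dictionary alone. A real deployment would also want to re-identify an asset whose banner changes, but the point here is that the signature list is only walked for assets the table has not seen.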

4 comments:

Anonymous said...

The problem with PADS is that when the PADS db is big, CPU usage goes to 100%, because of the ineffective way of checking new banners against logged ones...

Unknown said...

I haven't looked into the PADS source code much, but perhaps something like SQLite could be used here.

C.S.Lee said...

Hi anonymous,

I haven't really had a very big PADS signature db, and if you have one, I would like you to contribute the signatures ;)

By the way, I think PADS is used to gather all the necessary network assets in the network during the intelligence gathering phase, and after you have all the network assets identified, just bumping in the necessary signatures will do instead of loading everything into it; the unknown services can be monitored later if there are any.

We will see what we can do with PADS, as none of us are working on this full time.

Hi Ish,

It supports MySQL, and if anyone would like to add more DB support to PADS, it is always welcome; however, I think it's now best used with Sguil unless you want to run it in standalone mode.

Thanks ;)

Unknown said...

When I suggested SQLite I was referring to the signature database, not output.

If a large DB does use a lot of CPU, it's probably just an inefficient signature search. SQLite may not be better, but there probably are better ways than what is currently in there.

But I should look at the code before commenting.