Thursday, February 02, 2006

PADS - Passive Rocks

Reading a previous #snort-gui chat log that I had missed, I found that PADS will perhaps be integrated into sguil, and I wondered what PADS is. After asking Richard about it, he showed me the PADS URL as well as his related blog post. PADS is the Passive Asset Detection System; it is designed to complement IDS technology by providing context to IDS alerts. Another good thing about it is that it never generates any traffic but only intercepts and interprets it (passive). With that claim it seems worth implementing on an IDS sensor. Since OpenBSD is always my main platform, I quickly downloaded the pads source tarball from the provided link. There is pads-archiver as well, which plays the main role of archiving pads data to permanent storage, lightening pads' job so that packets are not lost during processing. Atm (asset to MySQL) is used to create the database for pads; you only need it if you want the data to be inserted into a MySQL database.

shell>cd /usr/local/src

shell>wget http://jaist.dl.sourceforge.net/sourceforge/passive/pads-1.2.tar.gz

shell>wget http://jaist.dl.sourceforge.net/sourceforge/passive/pads-archiver-1.2.tar.gz

shell>wget http://jaist.dl.sourceforge.net/sourceforge/passive/atm-111104.tar.gz

After downloading the source, installation is very straightforward; as usual I use stow to manage my software.

shell>tar xvzf pads-1.2.tar.gz

shell>cd pads-1.2

shell>./configure --prefix=/usr/local/stow/pads-1.2 \
--enable-banner-grab

shell>make && make install

shell>tar xvzf pads-archiver-1.2.tar.gz

shell>cd pads-archiver-1.2

shell>./configure --prefix=/usr/local/stow/pads-archiver-1.2 \
--enable-mysql --with-mysql-includes=/usr/local/include/mysql \
--with-mysql-libraries=/usr/local/lib/mysql

shell>make && make install

Stowing them

shell>cd /usr/local/stow

shell>stow pads-1.2 && stow pads-archiver-1.2

Now I have to create the database for pads using the ready-made atm script, and create a proper user to run pads.

shell>cd /usr/local/src

shell>tar xvzf atm-111104.tar.gz

shell>cd atm-111104

shell>mysql -u root -p -e "CREATE DATABASE pads"
Enter password:

shell>mysql -u root -p -D pads < ./pads.sql
Enter password:

shell>mysql -u root -p -D pads -e "show tables"
Enter password:
+----------------+
| Tables_in_pads |
+----------------+
| assets |
| protocol |
+----------------+

shell>mysql -u root -p
Enter password:

mysql> GRANT ALL PRIVILEGES ON pads.* TO pads@localhost IDENTIFIED BY "p4d5" WITH GRANT OPTION;
Query OK, 0 rows affected (0.02 sec)

mysql> update user set Password=OLD_PASSWORD("p4d5") where User="pads";
Query OK, 1 row affected (0.05 sec)
Rows matched: 1 Changed: 1 Warnings: 0

mysql>FLUSH PRIVILEGES;

Adding a pads user so that we don't have to run pads as root:

shell>groupadd -g 1234 pads

shell>useradd -u 1234 -g 1234 -md /home/pads -s /bin/ksh -c "PADS user" pads

shell>touch /var/run/pads.pid

shell>touch /var/run/pads-archiver.pid

shell>chown pads:pads /var/run/pads.pid

shell>chown pads:pads /var/run/pads-archiver.pid

I create and keep all the pads configuration under /home/pads instead of /etc; I prefer it that way since the owner of those configuration files is pads. There are two configuration files, one for pads and one for pads-archiver.

shell>su - pads

shell>cd ~

shell>touch pads.conf pads-archiver.conf

Here's the content of my pads.conf. I prefer to specify all the options in the configuration file instead of typing them on the command line. The network interface I use to run pads is pcn1.

# PADS Configuration
daemon 0
pid_file /var/run/pads.pid
sig_file /usr/local/stow/pads-1.2/etc/pads-signature-list
mac_file /usr/local/stow/pads-1.2/etc/pads-ether-codes
user pads
group pads
interface pcn1
# filter
network 192.168.0.0/24
output screen
# output csv: /home/pads/pads.csv
output fifo: /home/pads/pads_fifo

This is my pads-archiver.conf

# Pads-Archiver Configuration
daemon 0
pid_file /var/run/pads-archiver.pid
user pads
group pads
input fifo: /home/pads/pads_fifo
output mysql:127.0.0.1,pads,pads,p4d5,0

You can have different types of output, and by default it is CSV format, that is, comma separated for the different data fields. However I used fifo since it does not write to disk; the data is archived directly into the MySQL database by pads-archiver, which is much faster. Now I just need to run pads and pads-archiver as root.

shell>pads -c /home/pads/pads.conf
pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] Filter: (null)
[-] Listening on interface pcn1

[*] Asset Found: IP Address - 192.168.0.23 / MAC Address - 0:0A:E4:35:EA:8E (Wistron Corp.)
[*] Asset Found: IP Address - 192.168.0.181 / MAC Address - 0:0C:29:76:61:85
[*] Asset Found: Port - 0 / Host - 192.168.0.181 / Service - ICMP / Application - ICMP
[*] Asset Found: IP Address - 192.168.0.180 / MAC Address - 0:0C:29:76:61:7B
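
The screen output above has two record shapes: a host seen via ARP (with an optional vendor from the pads-ether-codes lookup) and a service seen on a host. As an added example that is not part of PADS or of this post, here is a small Python parser that turns those lines into a per-host inventory, the kind of context the post wants attached to IDS alerts. The regular expressions are derived only from the lines shown above; any other line variants PADS may print are not covered, and the sample input is constructed from that session.

```python
import re

# Record shapes taken from the two kinds of "[*] Asset Found" lines PADS 1.2 prints.
ARP_RE = re.compile(
    r"^\[\*\] Asset Found: IP Address - (?P<ip>\S+) / MAC Address - "
    r"(?P<mac>[0-9A-Fa-f:]+)(?: \((?P<vendor>[^)]*)\))?$")
SERVICE_RE = re.compile(
    r"^\[\*\] Asset Found: Port - (?P<port>\d+) / Host - (?P<ip>\S+) / "
    r"Service - (?P<service>[^/]+?) / Application - (?P<app>.+)$")

def normalize_mac(mac):
    # PADS prints octets without zero padding (0:0A:...); pad and lowercase
    # so the MAC can be joined against other inventories (DHCP leases, switch tables).
    return ":".join(octet.zfill(2).lower() for octet in mac.split(":"))

def parse_line(line):
    # Returns a dict for an asset line, None for status lines like "[-] Listening on ...".
    m = ARP_RE.match(line.strip())
    if m:
        return {"kind": "arp", "ip": m["ip"], "mac": normalize_mac(m["mac"]),
                "vendor": m["vendor"] or ""}
    m = SERVICE_RE.match(line.strip())
    if m:
        return {"kind": "service", "ip": m["ip"], "port": int(m["port"]),
                "service": m["service"].strip(), "app": m["app"].strip()}
    return None

def build_inventory(lines):
    # Fold asset lines into one entry per host: MAC and vendor plus the services seen.
    hosts = {}
    for rec in filter(None, map(parse_line, lines)):
        host = hosts.setdefault(rec["ip"], {"mac": None, "vendor": "", "services": set()})
        if rec["kind"] == "arp":
            host["mac"], host["vendor"] = rec["mac"], rec["vendor"]
        else:
            host["services"].add((rec["port"], rec["service"], rec["app"]))
    return hosts

# Constructed sample input: the lines PADS printed in the session above.
SAMPLE = """\
[-] Filter: (null)
[-] Listening on interface pcn1
[*] Asset Found: IP Address - 192.168.0.23 / MAC Address - 0:0A:E4:35:EA:8E (Wistron Corp.)
[*] Asset Found: IP Address - 192.168.0.181 / MAC Address - 0:0C:29:76:61:85
[*] Asset Found: Port - 0 / Host - 192.168.0.181 / Service - ICMP / Application - ICMP
[*] Asset Found: IP Address - 192.168.0.180 / MAC Address - 0:0C:29:76:61:7B
""".splitlines()

if __name__ == "__main__":
    for ip, host in sorted(build_inventory(SAMPLE).items()):
        print(ip, host["mac"], host["vendor"] or "-", sorted(host["services"]))
```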

shell>pads-archiver -c /home/pads/pads-archiver.conf
pads-archiver - Archive PADS data into permanent storage.
v1.2 - 06/17/05
Matt Shelton

[v] config - Processing '/home/pads/pads-archiver.conf'.
[v] config - PARAM: |daemon| / VALUE: |0|
[v] config - PARAM: |pid_file| / VALUE: |/var/run/pads-archiver.pid|
[v] config - PARAM: |user| / VALUE: |pads|
[v] config - PARAM: |group| / VALUE: |pads|
[v] Initializing FIFO input processor.
[v] config - PARAM: |input| / VALUE: |fifo: /home/pads/pads_fifo|
[v] Initializing MYSQL output processor.
[v] MySQL Arguments: Host - 127.0.0.1 / DB - pads / User - pads / Pass - p4d5 /
[v] config - PARAM: |output| / VALUE: |mysql:127.0.0.1,pads,pads,p4d5,0|
[v] Dropping Privileges
[-] Processing FIFO File: /home/pads/pads_fifo
[v] SQL: INSERT INTO arpasset VALUES (NULL, '192.168.0.180', '0:0C:29:76:61:7B'
query error
[v] SQL: INSERT INTO asset VALUES (NULL, '192.168.0.181', 0, 1, 'ICMP', 'ICMP', 1138874261)
[v] SQL: INSERT INTO arpasset VALUES (NULL, '192.168.0.23', '0:0A:E4:35:EA:8E', '', 1138874273)
query error

You may see the query error; this is because there is no database table called arpasset for it to insert the data into, and that table is not created by atm. I think atm is a bit outdated. In case you are storing the asset data in CSV format, you can import it into the MySQL db using the perl script atm.pl. Just run it against the pads.csv file.

shell>perl ./atm.pl --f /home/pads/pads.csv -u pads -p p4d5

PADS is really cool; I can just use it to profile and identify all the hosts in the network without tampering with or deliberately connecting to any machine. Pads delivers the tool to archive the data; I do wish it came with its own complete SQL script so that I could import its default DB instead of creating my own, especially for arpasset. Another thing I like about pads is that it can run against a pcap file, which really helps when you just need to profile the machines in the network without running pads live.

Peace and Cheers (:])
