Saturday, May 20, 2006

PADS Signature Writing

Since PADS lacks signatures, it is not effective enough for service profiling, so I think adding signatures to it would be worthwhile now that it is integrated with Sguil. After reading through the PADS signature file with my limited understanding of PCRE, I started working on it. The service signatures look similar to nmap's service probe signatures, so I decided to use nmap -sV to generate the traffic and grab the banners for signature writing.

In my case, I copied all the PADS config files to /etc/sguils. The main configuration file for PADS is pads.conf; I renamed it to pads-test.conf. Here's my config:

# Pads Configuration - pads-test.conf

daemon 0
pid_file /var/run/
sig_file /etc/sguils/pads-signature-list
mac_file /etc/sguils/pads-ether-codes
user pads
group pads
interface pcn0
output screen

You may notice I chose to output to the screen; that is useful when you are experimenting with writing new signatures as well as testing them. The signature files for PADS are pads-signature-list and pads-ether-codes. pads-ether-codes only stores the vendor codes that map to the first 24 bits of a MAC address; pads-signature-list is the heart of PADS, where all the service signatures are stored.

After tinkering with it, I had these two signatures written and added to pads-signature-list: one for X11 and another for ssh.

ssh,v/OpenSSH/$2/Protocol $1/,SSH-([.\d]+)-OpenSSH[_-]([\S]+)[\s]+[\n]

x11,v/Xorg//Access Denied/,^\0\x16\x0b...\x06.No\x20protocol\x20specified\x0a\x04\x3c
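To see how a signature line turns a captured banner into the "Application" string, here is an added example (my own code, not part of PADS) that parses the two lines above, matches them against constructed SSH and X11 banners, and fills in the $1/$2 captures. The vendor/product/(extra) rendering is my assumption about how PADS formats its output; the banners are constructed to match the signatures.

```python
import re
from dataclasses import dataclass

# The two signature lines from the post, in PADS format: service,v/vendor/product/extra/,pcre
SIGNATURES = r"""
ssh,v/OpenSSH/$2/Protocol $1/,SSH-([.\d]+)-OpenSSH[_-]([\S]+)[\s]+[\n]
x11,v/Xorg//Access Denied/,^\0\x16\x0b...\x06.No\x20protocol\x20specified\x0a\x04\x3c
"""

@dataclass
class Signature:
    service: str
    vendor: str
    product: str
    extra: str
    pattern: re.Pattern  # compiled bytes regex

def parse_signature(line):
    service, version, pcre = line.split(",", 2)
    if not (version.startswith("v/") and version.endswith("/")):
        raise ValueError(f"bad version field: {version!r}")
    vendor, product, extra = version[2:-1].split("/")
    # bytes pattern so binary banners (like the X11 refusal) can be matched;
    # \0, \xNN, \s, \d and \S behave the same in Python re as in PCRE here
    return Signature(service, vendor, product, extra, re.compile(pcre.encode("latin-1")))

def load_signatures(text):
    return [parse_signature(l) for l in text.splitlines() if l.strip() and not l.startswith("#")]

def _expand(template, groups):
    # replace $1, $2, ... with the corresponding capture group (decoded as latin-1)
    return re.sub(r"\$(\d+)", lambda m: groups[int(m.group(1)) - 1].decode("latin-1"), template)

def identify(banner, signatures):
    """Return (service, application string) for the first matching signature, else None."""
    for sig in signatures:
        m = sig.pattern.search(banner)
        if not m:
            continue
        vendor, product, extra = (_expand(f, m.groups()) for f in (sig.vendor, sig.product, sig.extra))
        app = " ".join(f for f in (vendor, product) if f)  # assumed PADS-style rendering
        return sig.service, app + (f" ({extra})" if extra else "")
    return None

# constructed banners modelled on what the two signatures match (not real captures)
SSH_BANNER = b"SSH-1.99-OpenSSH_4.3\r\n"
X11_BANNER = b"\x00\x16\x0b\x00\x00\x00\x06\x00No protocol specified\n\x04<"

if __name__ == "__main__":
    sigs = load_signatures(SIGNATURES)
    for port, banner in ((22, SSH_BANNER), (6000, X11_BANNER)):
        print(port, identify(banner, sigs))
```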

I reran PADS, and this time, instead of getting unknown applications, I get the results I wanted.

shell>pads -c pads-test.conf

pads - Passive Asset Detection System
v1.2 - 06/17/05
Matt Shelton

[-] Filter: (null)
[-] Listening on interface pcn0

[*] Asset Found: Port - 22 / Host - / Service - ssh / Application - OpenSSH 4.3 (Protocol 1.99)
[*] Asset Found: Port - 6000 / Host - / Service - x11 / Application - Xorg (Access Denied)

[-] 1107 Packets Received
[-] 0 Packets Dropped by Software
[-] -2116931312 Packets Dropped by Interface

The services are recognized after I added the signatures. However, there's one thing I found weird: if you look at the last line, -2116931312 Packets Dropped by Interface, I'm not sure why it shows this huge negative number of packets. If anyone has experienced this and figured out why, please comment!

By the way, this post is about PADS signature writing; I will add more signatures once I have time, as I have done for tcpxtract. I also learned a few PCRE tricks while writing the signatures.

Cheers (:])

