Author | Kacper Wysocki |
Contact | |
Date | March 23, 2011 |
Passive Realtime Asset Detection System
The whys
The hows
Getting it
Using it
Advanced topics
leaks on the wire
today's tools cool, tomorrow better
big business and spooks
the little guy
for sysadmins!
in-memory asset db
connection tracking
extendable signatures
MAC TCP UDP ICMP and services
output plugins
PoC in Perl
gigabit(!) in C
deps on pcap, pcre
single thread
+-------+
|       |<-----{config
| prads |<-----{arguments
|       |<-----{signatures
+-------+
    | (init, drop privs, chroot, daemonize..)
    V
+---------
| packet |--> (source:port destination:port)-->[connection]-->{output
+---------
  ^ |  |
  | v  |
+-------+                                      v
|dissect|<--> (vlan eth arp ip tcp udp) ---> [packet info]
+-------+                                    /
    |   _____________________________________/
    v  /                            ______________
+--------                          /__standard out
| asset |/                        /__file
+-------+----------------------->{output plugins/__fifo
    |                             \__graphviz(?)
    v                              \__your plugin here
+--+ +----------+                   \_______________-k
|os| | services |
+--+ +----------+
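The pipeline in the diagram (dissected packet, connection tracking, in-memory asset database, output plugin) can be shown end to end on a handful of packets. The following is an added illustration written for this page, not PRADS code: it skips the pcap and dissection stages and starts from already-decoded packet records, uses a hypothetical regex-based service signature format (not the real PRADS signature syntax), and runs over a constructed packet stream rather than captured traffic. The point it makes is the one the slides make: a host that only sends a SYN/ACK and a banner on a tracked connection is recorded as a server for that port, while unsolicited payload that belongs to no tracked connection is ignored.

```python
import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PacketInfo:
    """What the dissect stage hands upward after peeling eth/ip/tcp headers."""
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp" or "icmp"
    src_port: int = 0
    dst_port: int = 0
    flags: str = ""       # TCP flags as letters: "S" = SYN, "SA" = SYN/ACK, "PA" = PSH/ACK
    payload: bytes = b""
    src_mac: str = ""


# Simplified, regex-based service signatures (hypothetical format, not the
# PRADS signature syntax): service name, regex whose groups become the banner.
SERVICE_SIGNATURES = [
    ("http", re.compile(rb"HTTP/1\.[01] \d{3} .*?\r\nServer: ([^\r\n]+)", re.S)),
    ("ssh", re.compile(rb"SSH-(\d\.\d)-([^\r\n]+)")),
    ("smtp", re.compile(rb"220 [^\r\n]*ESMTP ([^\r\n]+)")),
]


@dataclass
class Asset:
    ip: str
    mac: str = ""
    services: dict = field(default_factory=dict)  # (proto, port) -> "name:banner"
    clients: set = field(default_factory=set)     # (proto, dst_port) this host connected to
    packets: int = 0


class AssetDB:
    """In-memory asset database plus a minimal TCP connection tracker."""

    def __init__(self):
        self.assets = {}       # ip -> Asset
        self.connections = {}  # (client_ip, cport, server_ip, sport) -> state

    def _asset(self, ip, mac=""):
        a = self.assets.setdefault(ip, Asset(ip))
        if mac and not a.mac:
            a.mac = mac
        return a

    def _role(self, p):
        """Return 'client' or 'server' for the sender of p, or None if untracked."""
        if p.proto != "tcp":
            return None
        fwd = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        rev = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.flags == "S":                      # new connection attempt
            self.connections[fwd] = "syn"
            return "client"
        if rev in self.connections:             # sender is the side that received the SYN
            if p.flags == "SA":
                self.connections[rev] = "established"
            return "server"
        if fwd in self.connections:
            return "client"
        return None

    def feed(self, p):
        src = self._asset(p.src_ip, p.src_mac)
        src.packets += 1
        role = self._role(p)
        if role == "client":
            src.clients.add((p.proto, p.dst_port))
        elif role == "server" and p.payload:
            for name, rx in SERVICE_SIGNATURES:
                m = rx.match(p.payload)
                if m:
                    banner = "/".join(g.decode("ascii", "replace") for g in m.groups())
                    src.services[(p.proto, p.src_port)] = f"{name}:{banner}"
                    break


def asset_lines(db):
    """Stdout/file style output plugin: one comma-separated line per discovered service."""
    lines = []
    for ip in sorted(db.assets):
        a = db.assets[ip]
        for (proto, port), banner in sorted(a.services.items()):
            lines.append(f"{ip},{a.mac},{proto},{port},{banner}")
    return lines


def run_demo():
    """Feed a constructed packet stream (not captured traffic) through the pipeline."""
    c, web, ssh = "10.0.0.5", "10.0.0.80", "10.0.0.22"
    stream = [
        PacketInfo(c, web, "tcp", 40001, 80, "S", src_mac="00:11:22:33:44:05"),
        PacketInfo(web, c, "tcp", 80, 40001, "SA", src_mac="00:11:22:33:44:80"),
        PacketInfo(c, web, "tcp", 40001, 80, "PA", b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"),
        PacketInfo(web, c, "tcp", 80, 40001, "PA",
                   b"HTTP/1.1 200 OK\r\nDate: now\r\nServer: Apache/2.2.16 (Debian)\r\n\r\n"),
        PacketInfo(c, ssh, "tcp", 40002, 22, "S", src_mac="00:11:22:33:44:05"),
        PacketInfo(ssh, c, "tcp", 22, 40002, "SA", src_mac="00:11:22:33:44:22"),
        PacketInfo(ssh, c, "tcp", 22, 40002, "PA", b"SSH-2.0-OpenSSH_5.5p1 Debian-6\r\n"),
        # unsolicited payload on a port pair no SYN was seen for: must not become a service
        PacketInfo(ssh, c, "tcp", 22, 40003, "PA", b"SSH-2.0-should-not-count\r\n"),
    ]
    db = AssetDB()
    for p in stream:
        db.feed(p)
    return db


if __name__ == "__main__":
    for line in asset_lines(run_demo()):
        print(line)
```

Swapping `asset_lines` for a function that writes to a file or a fifo is the "output plugins" slot in the diagram; the asset database itself does not care where its records go.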
autodiscover hosts
feed monitoring soln
mapping tools
feed security tools
anomalies
nmap-like scripting
(m)DNS, DHCP, routing protos
trust relations
phase plane analysis
lookup vuln data
http://github.com/gamelinux/prads/downloads
Debian + Ubuntu
tested on squeeze and lucid
The rest: source
Contrib packaging accepted!
apt-get install libpcre3 libpcap
dpkg -i prads_0.2.3-1_amd64.deb
Repository? Working on it!
defaults OK
me@mine:~$ prads -h
features, bugs and usability
contributions welcome!
=> http://github.com/gamelinux/prads
kacper.blog.linpro.no
u.rdir.it
6BD0 3F9C 5F77 AD24 F60A 86EC FD82 7E34 674A 506F
Thanks!