descriptionPRADS is a Passive Real-time Asset Detection System. It passively listens to network traffic and gathers information on hosts and services it sees on the network.
homepage URLhttp://gamelinux.github.com/prads/
repository URLhttps://github.com/gamelinux/prads.git
ownercomotion@krutt.og
last changeTue, 28 May 2024 06:38:01 +0000 (28 08:38 +0200)
last refreshThu, 21 Nov 2024 09:04:19 +0000 (21 10:04 +0100)
readme
#### PRADS README
#  ______
# |  __  |                  __
# | _____|.----..------..--|  |.-----. (tm)
# |  |    |  |-'|  __  ||  _  |__  --'
# |__|    |__|  |____|_||_____|______| 
#
# Passive Real-time Asset Detection system! 
#

# About
PRADS is a `Passive Real-time Asset Detection System`. It passively listens to network traffic and gathers information on hosts and services it sees on the network. This information can be used to map your network, letting you know what hosts and services are active, and can be combined with your favorite IDS/IPS setup for "event to application" correlation.

# As is!
This program is served 'as is'. We take no responsibility for anything :)

# Lic
GPL v2 or later. See LICENSE

# Install
See INSTALL

# USE
There are several ways to use PRADS.
PRADS has many commandline options, see the prads(1) man page.

# Example
  prads -i eth0 -l prads.log

If you run the prads service, the assets it sees will be dumped into /var/log/prads.log and look like this:

10.43.2.181,0,54354,6,SYN,[65535:64:1:64:M1460,N,W2,N,N,T,S,E,E:P:MacOS:iPhone OS 3.1.3 (UC):link:ethernet/modem:uptime:1574hrs],0,1300882012
10.43.2.181,0,0,0,ARP (Apple),C8:BC:C8:48:65:CA,0,1300882017

This information can be further processed, inserted into an SQL database etc.

The general format of this data is:
asset,vlan,port,proto,service,[service-info],distance,discovered

asset       = The IP address of the asset.
vlan        = The VLAN tag of the asset.
port        = The port number of the detected service.
proto       = The IP protocol number of the matching fingerprint (6 = TCP, 17 = UDP).
service     = The "service" detected, like: TCP-SERVICE, UDP-SERVICE, SYN, SYNACK, MAC, ...
service-info= The fingerprint that the match was done on, with info.
distance    = Hop distance based on the guessed initial TTL (only for service SYN/SYNACK).
discovered  = The timestamp (Unix epoch seconds) when the data was collected.

Let it sniff your network for a while and you will have a baseline of known hosts and services; anything that shows up afterwards is a candidate for anomaly detection.
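As an added example (not code from the PRADS project), here is a small Python parser for the log format above, plus the baseline comparison that the previous sentence hints at. The two baseline lines are the ones quoted in this README; the "later" capture is constructed. Two things are assumptions rather than documented here: the `os_guess` helper relies on the p0f-style `wsize:ttl:df:hdrlen:options:quirks:genre:detail` layout inferred from the sample SYN line, and the baseline key deliberately ignores the port for SYN entries, because that column is the client's ephemeral source port and would otherwise flag every new connection as a new asset.

```python
"""Parse PRADS asset-log lines and report assets that are new relative to a baseline.

Added example for this README; it is not code from the PRADS project. The two
BASELINE_LOG lines are the ones quoted above; LATER_LOG is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The two sample lines from the README (a client SYN fingerprint and an ARP entry).
BASELINE_LOG = """\
10.43.2.181,0,54354,6,SYN,[65535:64:1:64:M1460,N,W2,N,N,T,S,E,E:P:MacOS:iPhone OS 3.1.3 (UC):link:ethernet/modem:uptime:1574hrs],0,1300882012
10.43.2.181,0,0,0,ARP (Apple),C8:BC:C8:48:65:CA,0,1300882017
"""

# Constructed later capture: the known iPhone again (new ephemeral source port,
# which is NOT an anomaly) plus a previously unseen host answering on tcp/22.
LATER_LOG = """\
10.43.2.181,0,0,0,ARP (Apple),C8:BC:C8:48:65:CA,0,1300890000
10.43.2.181,0,54355,6,SYN,[65535:64:1:64:M1460,N,W2,N,N,T,S,E,E:P:MacOS:iPhone OS 3.1.3 (UC):link:ethernet/modem:uptime:1576hrs],0,1300890005
10.43.2.57,0,22,6,SYNACK,[5840:64:1:60:M1460,S,T,N,W7:.:Linux:2.6 (newer, 7):link:ethernet/modem],1,1300890100
"""

# Services whose port column is the *client's* ephemeral source port.
CLIENT_SIDE_SERVICES = {"SYN"}


@dataclass(frozen=True)
class Asset:
    asset: str          # IP address of the asset
    vlan: int           # VLAN tag (0 in the samples above)
    port: int           # port of the detected service
    proto: int          # IP protocol number (6 = TCP, 17 = UDP)
    service: str        # SYN, SYNACK, TCP-SERVICE, ARP (...), ...
    service_info: str   # fingerprint / details, surrounding brackets removed
    distance: int       # hop distance guessed from the initial TTL
    discovered: int     # Unix timestamp

    @property
    def key(self) -> Tuple:
        """Identity used for baselining (design choice of this example).

        For client-side fingerprints the port is an ephemeral source port that
        changes on every connection, so it is dropped; for everything else a
        new port on a known host is exactly the change we want to notice.
        """
        port = 0 if self.service in CLIENT_SIDE_SERVICES else self.port
        return (self.asset, self.vlan, port, self.proto, self.service)


def parse_line(line: str) -> Asset:
    """Parse one asset,vlan,port,proto,service,[service-info],distance,discovered line."""
    line = line.strip()
    head = line.split(",", 5)  # the first five fields never contain commas
    if len(head) != 6:
        raise ValueError(f"malformed PRADS line: {line!r}")
    asset, vlan, port, proto, service, rest = head
    # service-info may itself contain commas (the TCP option list of a SYN
    # fingerprint), so peel distance and discovered off the right-hand end.
    tail = rest.rsplit(",", 2)
    if len(tail) != 3:
        raise ValueError(f"malformed PRADS line: {line!r}")
    info, distance, discovered = tail
    if info.startswith("[") and info.endswith("]"):
        info = info[1:-1]
    return Asset(asset, int(vlan), int(port), int(proto), service,
                 info, int(distance), int(discovered))


def parse_log(text: str) -> List[Asset]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def os_guess(a: Asset) -> Optional[Tuple[str, str]]:
    """(genre, detail) of a SYN/SYNACK fingerprint, e.g. ("MacOS", "iPhone OS 3.1.3 (UC)").

    Assumes the p0f-style layout visible in the sample line:
    wsize:ttl:df:hdrlen:options:quirks:genre:detail:...  (inferred, not documented here).
    """
    if a.service not in ("SYN", "SYNACK"):
        return None
    fields = a.service_info.split(":")
    if len(fields) < 8:
        return None
    return fields[6], fields[7]


def new_assets(baseline_text: str, later_text: str) -> List[Asset]:
    """Assets in later_text whose identity was never seen in baseline_text."""
    known = {a.key for a in parse_log(baseline_text)}
    reported = set()
    result = []
    for a in parse_log(later_text):
        if a.key not in known and a.key not in reported:
            reported.add(a.key)
            result.append(a)
    return result


if __name__ == "__main__":
    for a in new_assets(BASELINE_LOG, LATER_LOG):
        guess = os_guess(a)
        print(f"NEW {a.asset} vlan={a.vlan} {a.service} {a.proto}/{a.port} "
              f"distance={a.distance} os={guess[0] if guess else '?'} at {a.discovered}")
```

Run against the two captures, only the 10.43.2.57 host answering on tcp/22 is reported; the iPhone's fresh source port is correctly treated as the same asset. Feeding the parsed records into an SQL table is then a matter of inserting the `Asset` fields.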

# SNORT (snort.org)
The prads2snort script may be used to convert the prads log into a hosts_attribute.xml file that can be used by snort to decide fragmentation policies, for better event detection. 
 http://snort.org/docs/snort_manual/node189.html

# Sguil (sguil.net)
You can feed events from PRADS straight into Sguil, replacing PADS, by using the Sguil pads agent. PRADS supports the -f fifo argument and the 'fifo: /path/to/fifo' configuration option to feed events into a FIFO.

# SQL database, WebGUI etc.
This is on the agenda. There will be a webgui to the database, for easy browsing of your network. 
shortlog
2024-05-28 Edward Fjellskål  Merge pull request #56 from wuruilong01/master  [master]
2024-03-30 wuruilong  Add support for loongarch  [56/head]
2020-09-19 Edward Fjellskål  Merge pull request #55 from ssm/feature/gcc10-support
2020-09-19 Stig Sandbeck...  Build on GCC 10  [55/head]
2019-12-11 Edward Fjellskål  Merge pull request #51 from jmariondev/readme
2018-07-21 John Marion  Reformat README to use Markdown  [51/head]
2017-03-18 Edward Fjellskål  Merge pull request #46 from guidohu/master
2017-03-16 Edward Fjellskål  Merge pull request #47 from johnlinp/master
2017-03-16 John Lin  Fix typo  [47/head]
2015-11-01 guido.h  Fix segmentation fault for fragmented GRE packet  [46/head]
2015-10-11 Kacper Why  Merge pull request #45 from atrent/master
2015-10-06 Andrea Trentini  1.0 uses original separator, no need to change prads  [45/head]
2015-10-06 Andrea Trentini  graph ratio
2015-10-06 Andrea Trentini  cli parameters
2015-10-04 atrent  Create prads2dot.sh
2015-09-29 Kacper Wysocki  experiment with no delim for tcp options, for #43
...
tags
10 years ago debian/0.3.3-1 tagging package prads version debia...
10 years ago debian/0.3.0-1 Release 0.3.0-1 for Debian
10 years ago 0.3.3 0.3.3: loud lemur
12 years ago 0.3.2-rc1 0.3.2-rc2: ya skipped dat one
12 years ago 0.3.1-rc1 0.3.1-rc1: shut your pie
13 years ago upstream/0.3.0 Upstream release 0.3.0
13 years ago 0.3.0 0.3.0: all good things are three
13 years ago upstream/0.3.0_rc3 Upstream release candidate 0.3...
13 years ago debian/0.3.0_rc3-1 Debian release 0.3.0~rc3-1
13 years ago 0.3.0-rc3 0.3.0-rc3: nothing good comes to...
13 years ago upstream/0.3.0_rc2 0.3.0-rc2: are we there yet?
13 years ago 0.3.0-rc2 0.3.0-rc2: are we there yet?
13 years ago 0.3.0-rc1 0.3.0-rc1: real chaos one
13 years ago debian/0.2.6-1 Debian release 0.2.6-1
13 years ago 0.2.6 0.2.6: dev will make rye
13 years ago 0.2.5 0.2.5: mori moment
...
heads
5 months ago master
4 years ago debian
13 years ago stable
13 years ago passivedns
13 years ago feature/pidfile
13 years ago etch
14 years ago jaunty
14 years ago lenny
15 years ago gh-pages
15 years ago 19f72fa66ffc0ba33f00ba5e5897e109f822e939
15 years ago net-packet-array
15 years ago array-obj