pads(8)
Passive Asset Detection System
NAME
pads - Passive Asset Detection System
SYNOPSIS
pads [-DhUvV] [-c file] [-d file] [-g group] [-i interface] [-n network(s)] [-p file] [-r file] [-u user] [-w file] [expression]
DESCRIPTION
PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.
Goals:
- Passive: Records and identifies traffic seen on a network without actively "scanning" a system. There will never be a packet sent from the pads application.
- Portable: Has the ability to be placed easily on a remote system. Does not require additional external libraries other than those associated with libpcap.
- Lightweight: Logging is sent to a simple CSV file. There is no need for a database or other data repository installed on the local machine. All correlation is done outside of the pads program.
OPTIONS
-h
Display help / usage information.
-D
Run PADS in the background (daemon mode).
-d file
Dump banner data into a libpcap formatted file. This feature dumps the matched packet, or the first 4 packets of an unmatched connection, into the specified file. The capture can be used to further identify a service and to aid signature development. Note that this feature must be compiled into the application in order to be used: add --enable-banner-grab to the configure step.
-g group
Specify a group that PADS will drop to after the libpcap interface has been initialized. Use this together with -u so that the process does not keep its starting group after dropping the user.
-i interface
Specify the interface to listen on.
-n network list
Specify the set of networks to be monitored. Only assets that exist within these networks will be recorded. Networks are given as a comma-separated list of CIDR blocks, for example: 10.10.10.0/24,192.168.0.0/16
-p pid file
Specify a PID file to be written when running in daemon (-D) mode.
-r file
Read packets from a libpcap formatted file instead of a live interface.
-u user
Specify a user that PADS will drop to after the libpcap interface has been initialized. Opening the capture interface requires elevated privileges, so PADS is normally started as root and switched to an unprivileged user with this option once the interface is open.
-w file
Write asset data to a file other than the default assets.csv.
expression
Selects which packets will be processed. Please see tcpdump(1) for details on the libpcap filter primitives.
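The -n option restricts recording to assets whose address falls inside a comma-separated list of CIDR blocks. The following is an added illustration of that filtering rule written in Python; it is not code from pads (pads implements this in C), and the asset records, field names and the is_valid_network_list helper are constructed for the example. It also rejects entries with host bits set (such as 10.10.10.1/24) instead of silently widening them, and treats IPv4 and IPv6 blocks as disjoint, which goes slightly beyond the format the page shows.

```python
"""Illustration of the -n network-list semantics: parse the
comma-separated CIDR list and keep only assets inside it.
Example code written for this page, not part of pads."""
import ipaddress
from typing import Dict, List


def parse_network_list(spec: str) -> List[ipaddress._BaseNetwork]:
    """Parse '10.10.10.0/24,192.168.0.0/16' into ip_network objects.

    Raises ValueError on malformed entries, on an empty list, and on
    entries with host bits set (strict=True), so that a typo such as
    10.10.10.1/24 is reported instead of quietly becoming 10.10.10.0/24.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        nets.append(ipaddress.ip_network(item, strict=True))
    if not nets:
        raise ValueError("empty network list")
    return nets


def is_valid_network_list(spec: str) -> bool:
    """Helper for validating a -n argument before starting a sensor."""
    try:
        parse_network_list(spec)
        return True
    except ValueError:
        return False


def in_monitored_networks(ip: str, nets) -> bool:
    """True if ip lies in any monitored block. An IPv4 address is never
    'in' an IPv6 block and vice versa (ipaddress handles the mixed case)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


# Constructed sample of what a passive sensor might observe
# (field names are this example's, not the pads CSV layout).
SAMPLE_ASSETS: List[Dict] = [
    {"ip": "10.10.10.5", "port": 22, "service": "ssh"},
    {"ip": "192.168.1.20", "port": 80, "service": "www"},
    {"ip": "172.16.4.9", "port": 443, "service": "https"},
    {"ip": "8.8.8.8", "port": 53, "service": "dns"},
    {"ip": "10.10.11.5", "port": 25, "service": "smtp"},  # outside 10.10.10.0/24
]


def filter_assets(assets: List[Dict], nets) -> List[Dict]:
    """Keep only assets inside the monitored networks, preserving order."""
    return [a for a in assets if in_monitored_networks(a["ip"], nets)]


if __name__ == "__main__":
    monitored = parse_network_list("10.10.10.0/24,192.168.0.0/16")
    for asset in filter_assets(SAMPLE_ASSETS, monitored):
        print(asset)
```

The strict parsing is deliberate: a sensor that silently accepts 10.10.10.1/24 as 10.10.10.0/24 will appear to work while the operator believes a different scope was configured.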
SEE ALSO
pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)
COPYRIGHT
Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>
BUGS
Please send bug reports to the author.
AUTHORS
Matt Shelton <matt@mattshelton.com>