
NAME

       pads - Passive Asset Detection System

SYNOPSIS

       pads [-DhUvV] [-c file] [-d file] [-g group] [-i interface]
            [-n network(s)] [-p file] [-r file] [-u file] [-w file]
            [expression]

DESCRIPTION

       PADS is a libpcap based  detection  engine  used  to  passively  detect
       network  assets.   It  is  designed  to  complement  IDS  technology by
       providing context to IDS alerts.

       Goals:

       - Passive:  Records and identifies traffic seen on a network without
         actively "scanning" a system.  There will never be a packet sent
         from the pads application.

       - Portable:  Has the ability to be placed easily on a remote system.
         Does not require additional external libraries other than those
         associated with libpcap.

       - Lightweight:  Logging is sent to a simple CSV file.  There is no need
         for a database or other data repository installed on the local
         machine.  All correlation is done outside of the pads program.

OPTIONS

       -h     Display help / usage information.

       -D     Run PADS in the background (daemon mode).

       -d file
              Dump banner data into a libpcap formatted  file.   This  feature
              will  dump  the  matched  packet  or  the  first 4 packets of an
              unmatched connection into a specified file.  This can be used to
              further   identify   a  service  and  also  aid  with  signature
              development.

              Please keep in mind that this feature must be compiled into  the
              application in order to use it.  This can be done by adding

       -g group
               Specify the group that PADS drops privileges to once the
               libpcap capture interface has been opened.  Opening the
               interface normally requires root; this lets the rest of the
               run proceed unprivileged.

       -i interface
              Specify an interface to be used.

       -n network list
               Specify a set of networks to be monitored.  Only assets that
               exist within these networks will be recorded.  The networks
               should be specified as a comma-separated list of CIDR
               prefixes, for example: 10.10.10.0/24,192.168.0.0/16

       -p pid file
              This  switch  allows  you  to  specify  a PID file to be used in
              conjunction with daemon (-D) mode.

       -r file
              Read packets from a libpcap formatted file.

       -u user
               Specify the user that PADS drops privileges to once the
               libpcap capture interface has been opened.  Use together with
               -g so that the long-running capture process does not keep
               running as root.

       -w file
               Write asset records to file instead of the default
               assets.csv.

       expression
               Selects which packets will be processed.  Please see
               tcpdump(1) for details on the libpcap filter primitives.
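       The -n option restricts recording to a list of CIDR prefixes, and
       the DESCRIPTION notes that all correlation of the resulting CSV is
       done outside of pads.  The following is an added example (not part
       of pads and not from its author) that implements that same
       network-list check in Python and applies it to an assets.csv.  The
       column layout asset,port,proto,service,application,discovered is an
       assumption about what pads writes; the sample CSV below is
       constructed for the example.

```python
#!/usr/bin/env python3
"""Apply a pads-style "-n" network list to an assets.csv file.

Added example, not part of pads.  The CSV layout used here
(asset,port,proto,service,application,discovered) is an assumption
about what pads writes to assets.csv; adjust the column names if
your build differs.
"""
import csv
import io
import ipaddress

# Constructed sample in the assumed assets.csv layout.  "proto" is the
# IP protocol number (6 = TCP), "discovered" a Unix timestamp.
SAMPLE_ASSETS_CSV = """\
asset,port,proto,service,application,discovered
10.10.10.5,22,6,ssh,OpenSSH 3.9p1,1117900000
10.10.10.5,80,6,www,Apache/2.0.54,1117900010
192.168.1.20,25,6,smtp,Postfix,1117900020
172.16.0.9,443,6,https,unknown,1117900030
10.10.11.7,21,6,ftp,vsftpd 2.0.1,1117900040
"""


def parse_network_list(spec):
    """Parse a "-n" value such as "10.10.10.0/24,192.168.0.0/16".

    Each comma-separated element is parsed as an IPv4/IPv6 network.
    strict=False mirrors the forgiving behaviour an operator expects
    from a CLI: "10.10.10.1/24" is accepted and normalised to
    10.10.10.0/24 rather than rejected for having host bits set.
    """
    nets = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def in_scope(addr, nets):
    """True if addr lies within any network in nets."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def load_assets(text, nets):
    """Return the rows of an assets.csv whose asset is inside nets."""
    reader = csv.DictReader(io.StringIO(text))
    return [row for row in reader if in_scope(row["asset"], nets)]


def services_by_host(rows):
    """Collapse rows into {asset: list of "port/service"} sorted by port."""
    hosts = {}
    for row in rows:
        hosts.setdefault(row["asset"], []).append(
            f'{row["port"]}/{row["service"]}')
    return {host: sorted(svcs, key=lambda s: int(s.split("/")[0]))
            for host, svcs in hosts.items()}


if __name__ == "__main__":
    nets = parse_network_list("10.10.10.0/24,192.168.0.0/16")
    rows = load_assets(SAMPLE_ASSETS_CSV, nets)
    for host, svcs in sorted(services_by_host(rows).items()):
        print(host, " ".join(svcs))
```

       Feeding the real assets.csv (or the file named with -w) into
       load_assets with the same network list used on the command line
       gives the set of hosts pads would have recorded, which is a useful
       check when tightening -n or when merging CSV output from several
       sensors.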

SEE ALSO

       pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)

COPYRIGHT

       Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>

BUGS

       Please send bug reports to the author.

AUTHORS

       Matt Shelton <matt@mattshelton.com>

                                  2005/06/17