I just did a git clone and ran as follows:

sudo ./prads -L test/

It created the following file in the test/ directory:

stats.pcap.1354709596

After a minute or two, prads terminated with the following error:

[*] ERROR: Cant open file test/stats.pcap.1354709657

Any ideas?

Thanks!

we wanted debian packaging

Now that p0f3 has been out for a couple of years, I wonder if anyone is interested in making use of it in PRADS. I mean, the signatures are different, so you can't just replace p0f2 with p0f3. And you also would not like dropping the old sigs because the new ones do not really include old systems (as far as I can tell).

So, maybe using p0f3 by itself as another module in PRADS could be an option. The other way to go is to start picking features/methods used by p0f3 and adding them to PRADS.

Thoughts, anyone?

pidfile logic today relies on flock which sucks. pidfile logic today might still be racy.

better: use abstract socket @prads.$iface if available, otherwise
touch /path/to/pids/prads.$iface.$PID
foreach pidfile in /path/to/pids/prads.$iface.$pid
if kill -0 $pid
exit "prads -i $iface already running on $pid"
else
rm $pidfile
fi

worst case we do not start up when two prads are racing the above code

two prads instances writing to same log file could be racy too. flock/fifo/shmem?

Semi-related to #34.

After specifying "-u doug -g doug", I noticed the following in the -L output directory:

-rw-r--r--  1 root root    0 Dec 13 13:24 stats.pcap.1355423043
-rw-r--r--  1 doug doug 4.0K Dec 13 13:25 stats.pcap.1355423104

So it looks like prads opens the first output file, then drops privs, which means that the standard user can't write to the root-owned file.

Perhaps prads should drop privs before opening the file?

Thanks!

I'm trying to use PRADS as a replacment for sancp in my Security Onion distro. I'm using 0.3.1-rc1 from github and am running as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L
/nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo
-b 'ip or (vlan and ip)'

The -L option is supposed to create output that is compatible with Sguil's sancp_agent, but it
looks like PRADS isn't outputting the correct format that sancp_agent
is expecting.

For example, here's output from SANCP that gets
processed correctly by sancp_agent:
5791721969401954318|2012-09-24 12:39:14|2012-09-24
12:41:18|124|6|3232292534|54422|3088986000|80|26|10416|19|2835|27|27

Looking at PRADS output, it appears to be giving the human-readable IP
address instead of the int version as shown above that sancp_agent is
expecting.

Any help would be appreciated!

Thanks,
Doug

Be able to configure $home_nets in the config file (the same as -a in cmdline option).

there is a rumor about that RPM packages have been sighted for a sister project

it's put into /etc/prads/init.d/prads.rc,
while it could totally be installed into /etc/init.d/prads

prads needs build quality tests

this means we should ship with some test pcaps

start with something simple:
run prads with a pcap, check that log contains reasonable stuff

a testsuite - or "unit tests" if you will, don't need to be more complicated than

• a pcap
• runtime arguments / configuration file
• a test script which defines expected loglines & outcome

I'm trying to use PRADS as a replacment for pads in my Security Onion distro. I'm using 0.3.1-rc1 from github and am running as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L
/nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo
-b 'ip or (vlan and ip)'

When I look at PADS events in Sguil and select "Display Detected
Banner", it's always "PRADS CLIENT" or "PRADS SERVER", whereas PADS gives me the actual detected banner like "Apache 1.2.3.4..."

Any help would be appreciated!

Thanks,
Doug

Putting assets in shared memory will make it fast and easy to eat these assets in other programs without touching disk. Firstly we'll do shared memory output. Then perchance a lockless shmem asset structure.

void prepare_ip4ip (packetinfo *pi)
{
packetinfo pipi;
memset(&pipi, 0, sizeof(packetinfo));
config.pr_s.ip4ip_recv++;
pipi.pheader = pi->pheader;
pipi.packet = (pi->packet + pi->eth_hlen + (IP_HL(pi->ip4) * 4));
pipi.end_ptr = pi->end_ptr;
if (pi->ip4->ip_p == IP_PROTO_IP4) {
prepare_ip4(&pipi);
parse_ip4(&pipi);
return;
} else {
prepare_ip6(&pipi);
parse_ip6(&pipi);
return;
}
}

In prepare_ip4(&pipi) function，pi->ip4 = (ip4_header *) (pi->packet + pi->eth_hlen) ，why add pi->eth_hlen？pi->packet is IP4 message.

Hello, how can I measure the throughput of prads? Can prads benefits from a multi-core CPU? Thank you!

Hi,

During a rebuild of all Debian packages in a clean sid chroot (using cowbuilder
and pbuilder) the build failed with the following error. Please note that we
use our research compiler tool-chain (using tools from the cbmc package), which
permits extended reporting on type inconsistencies at link time.

[...]
cc -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -O3 -DRELEASE='""' -DCONFDIR='"/etc/prads/"' -D__USE_GNU -o prads bstrlib.o sig_tcp.o config.o sys_func.o assets.o prads.o dhcp.o dump_dns.o mac.o servicefp/servicefp.o servicefp/tcpc.o servicefp/tcps.o servicefp/udps.o ipfp/ipfp.o ipfp/udp_fp.o ipfp/icmp_fp.o cxt.o output-plugins/log_dispatch.o output-plugins/log_stdout.o output-plugins/log_file.o output-plugins/log_fifo.o output-plugins/log_ringbuffer.o output-plugins/log_sguil.o -Wl,-z,relro -lpcap -lpcre -lresolv

error: conflicting function declarations "lookup_link"
old definition in module sig_tcp file sig_tcp.c line 934
char * (unsigned short int mss, char txt)
new definition in module log_stdout file output-plugins/../sig.h line 52
unsigned char * (unsigned short int, unsigned char)

Note the difference on the second parameter; this should be cleaned up to ensure the compiler can generate appropriate diagnostics. Indeed the code should be safe at present as it seems only the constants 0 or 1 are being passed in.

Best,
Michael

$ sudo ./prads -u jallal
...
...
[*] Dropping privs...
Segmentation fault

gdb shows me:
Program received signal SIGSEGV, Segmentation fault.
0x000000000040eb0f in drop_privs () at sys_func.c:245
245 userid = pw->pw_uid;
(gdb) bt full
#0 0x000000000040eb0f in drop_privs () at sys_func.c:245

    gr = 0x7ffff7661fbd
    pw = 0x0
    endptr = 0x0
    i = 0
    do_setuid = 1
    do_setgid = 1
    groupid = 0
    userid = 0
    __PRETTY_FUNCTION__ = "drop_privs"

#1 0x0000000000416af8 in main (argc=3, argv=0x7fffffffe758) at prads.c:1211

    ch = -1
    pconfile = 0x6b00e0
    __PRETTY_FUNCTION__ = "main"

would be cool to change config dynamically:
either have a command interface or SIGHUP

If you use different startup options for prads, some appears when it is used with sguil. For example:

a) With these startup options, no events are registered in sguil server: "prads -c /data/config/etc/snort/prads.conf -f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -UTtI -XFRMSAK -a 172.25.50.0/27 -i eth4 -Z"

b) With these startup options, events are registered in sguil server: "prads -c /data/config/etc/snort/prads.conf -f /nsm/sguil_sensor/ubuids01/prads/prads.fifo -i eth4"

prads.conf content:
daemon=1
asset_log=/nsm/sguil_sensor/ubuids01/prads/prads.log
pid_file=/var/run/prads.pid

I don't think that a full GUI is needed for prads, there are other "similar" programs with a complete GUI (e.g. etherape), maybe a way to generate a dot graph file would be useful. Similarly to the tinc (http://www.tinc-vpn.org/) graph generator. Something to group services on a per-node basis.

As a part of digging into Issue #30, I found some other places in the code that had inconsistent use of ntohs:

grep -ri "ip4->ip_len" *
src/sig_tcp.c:            opt_ptr = (uint8_t *) pi->ip4 + ntohs(pi->ip4->ip_len); // fixed from htons
src/sig_tcp.c:            e.size = (ftype == TF_ACK) ? 0 : ntohs(pi->ip4->ip_len);
src/prads.c:    pi->packet_bytes = (ntohs(pi->ip4->ip_len) - (IP_HL(pi->ip4) * 4));
src/ipfp/udp_fp.c:    opt_ptr = (uint8_t *) ip4 + htons(ip4->ip_len);
src/ipfp/udp_fp.c:    gen_fp_udp(ntohs(ip4->ip_len - udph->len), udata, ip4->ip_ttl,
src/ipfp/udp_fp.c:               (ntohs(ip4->ip_off) & IP_DF) != 0, olen, ntohs(ip4->ip_len),
src/ipfp/icmp_fp.c:    opt_ptr = (uint8_t *) ip4 + htons(ip4->ip_len);
src/ipfp/icmp_fp.c:                ntohs(ip4->ip_len), idata, ip4->ip_off, ip4->ip_tos,
src/ipfp/icmp_fp.c:                     ntohs(ip4->ip_len),idata,ip4->ip_off,ip4->ip_tos,quirks, ip_src, AF_INET);

grep -ri "ip6->len" *
src/sig_tcp.c:            opt_ptr = (uint8_t *) pi->ip6 + IP6_HEADER_LEN + ntohs(pi->ip6->len); //*
src/sig_tcp.c:            e.size = (ftype == TF_ACK) ? 0 : ntohs(pi->ip6->len);
src/sig_tcp.c:printf("hop:%u, len:%u, ver:%u, class:%u, label:%u|mss:%u, win:%u\n",ip6->hop_lmt,open_mode ? 0 : ntohs(ip6->len),
src/prads.c:    pi->packet_bytes = pi->ip6->len;
src/ipfp/icmp_fp.c:    opt_ptr = (uint8_t *) ip6 + htons(ip6->len);
src/ipfp/icmp_fp.c:    if ((uint8_t *) opt_ptr + ip6->len < end_ptr) {
src/ipfp/icmp_fp.c:        //payload = opt_ptr + ip6->len;
src/ipfp/icmp_fp.c:                                               ntohs(ip6->len),IP6_V(ip6),IP6_TC(ip6),

So do these need to be fixed as well?

src/ipfp/icmp_fp.c:    opt_ptr = (uint8_t *) ip4 + htons(ip4->ip_len);
src/ipfp/icmp_fp.c:    opt_ptr = (uint8_t *) ip6 + htons(ip6->len);
src/ipfp/icmp_fp.c:    if ((uint8_t *) opt_ptr + ip6->len < end_ptr) {
src/ipfp/icmp_fp.c:        //payload = opt_ptr + ip6->len;
src/ipfp/udp_fp.c:    opt_ptr = (uint8_t *) ip4 + htons(ip4->ip_len);
src/prads.c:    pi->packet_bytes = pi->ip6->len;

Thoughts?

Thanks!

Hi everyone, I've tried to compile PRADS under a Cygwin environment for some tests using a Windows machine, but I've got this error:

$ make
You need libpcre-dev and libpcap-dev to compile this program.
make CONFDIR=/usr/local/etc/prads -C src/
make[1]: entering in the folder "/home/Giacomo/prads/src"
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o bstrlib.o bstrlib.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o sig_tcp.o sig_tcp.c
sig_tcp.c: In function ‘grab_name’:
sig_tcp.c:918:17: warning: assignment discards ‘const’ qualifier from pointer target type [-Wdiscarded-qualifiers]
if (!r || !(s = r->h_name) || !(j = strlen(s))) return "";
^
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o config.o config.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o sys_func.o sys_func.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o assets.o assets.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o prads.o prads.c
prads.c:55:12: warning: ‘optind’ redeclared without dllimport attribute: previous dllimport ignored [-Wattributes]
extern int optind, opterr, optopt; // getopt()
^~~~~~
prads.c:55:20: warning: ‘opterr’ redeclared without dllimport attribute: previous dllimport ignored [-Wattributes]
extern int optind, opterr, optopt; // getopt()
^~~~~~
prads.c:55:28: warning: ‘optopt’ redeclared without dllimport attribute: previous dllimport ignored [-Wattributes]
extern int optind, opterr, optopt; // getopt()
^~~~~~
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o dhcp.o dhcp.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o dump_dns.o dump_dns.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o mac.o mac.c
mac.c: In function ‘arp_check’:
mac.c:335:6: warning: type of ‘eth_hdr’ defaults to ‘int’ [-Wimplicit-int]
void arp_check(eth_hdr, tstamp)
^~~~~~~~~
mac.c:335:6: warning: type of ‘tstamp’ defaults to ‘int’ [-Wimplicit-int]
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o servicefp/servicefp.o servicefp/servicefp.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o servicefp/tcpc.o servicefp/tcpc.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o servicefp/tcps.o servicefp/tcps.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o servicefp/udps.o servicefp/udps.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o ipfp/ipfp.o ipfp/ipfp.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o ipfp/udp_fp.o ipfp/udp_fp.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o ipfp/icmp_fp.o ipfp/icmp_fp.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o cxt.o cxt.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_dispatch.o output-plugins/log_dispatch.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_stdout.o output-plugins/log_stdout.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_file.o output-plugins/log_file.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_fifo.o output-plugins/log_fifo.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_ringbuffer.o output-plugins/log_ringbuffer.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -c -o output-plugins/log_sguil.o output-plugins/log_sguil.c
cc -O3 -DRELEASE='"-20-g407cf7c"' -DCONFDIR='"/usr/local/etc/prads/"' -D__USE_GNU -o prads bstrlib.o sig_tcp.o config.o sys_func.o assets.o prads.o dhcp.o dump_dns.o mac.o servicefp/servicefp.o servicefp/tcpc.o servicefp/tcps.o servicefp/udps.o ipfp/ipfp.o ipfp/udp_fp.o ipfp/icmp_fp.o cxt.o output-plugins/log_dispatch.o output-plugins/log_stdout.o output-plugins/log_file.o output-plugins/log_fifo.o output-plugins/log_ringbuffer.o output-plugins/log_sguil.o -lpcap -lpcre -lresolv
** dump_dns.o:dump_dns.c:(.text+0xa8): undefined reference to "__ns_parserr"
dump_dns.o:dump_dns.c:(.text+0xed): undefined reference to "__p_type"
dump_dns.o:dump_dns.c:(.text+0xf9): undefined reference to "__p_class"
dump_dns.o:dump_dns.c:(.text+0x1c2): undefined reference to "__ns_name_uncompress"
dump_dns.o:dump_dns.c:(.text+0x225): undefined reference to "__ns_name_uncompress"
dump_dns.o:dump_dns.c:(.text+0x27a): undefined reference to "__ns_name_uncompress"
dump_dns.o:dump_dns.c:(.text+0x42a): undefined reference to "__ns_initparse"
dump_dns.o:dump_dns.c:(.text+0x49e): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x50c): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x519): undefined reference to "__p_rcode"
dump_dns.o:dump_dns.c:(.text+0x524): undefined reference to "_res_opcodes"
dump_dns.o:dump_dns.c:(.text+0x5ad): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x621): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x695): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x709): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x77d): undefined reference to "__ns_msg_getflag"
dump_dns.o:dump_dns.c:(.text+0x7f1): more undefined references to "__ns_msg_getflag" follow
collect2: error: ld returned 1 exit status
make[1]: *** [Makefile:100: prads] Error 1 **
make[1]: exit from the folder "/home/Giacomo/prads/src"
make: *** [Makefile:15: build] Error 2

I've used the NPcap files with a symbolic link to the proper name as libpcap substitute.
I've also modified the src/Makefile to point to the proper lib location:

for finding static libraries

#LIBDIR=/usr/lib/x86_64-linux-gnu
LIBDIR=/usr/lib

But still don't work.
Do you have any ideas for fixing it?

Hello PRADS developers!

I'm running prads as follows:
prads -i eth1 -c prads.conf -u sguil -g sguil -L /nsm/sensor_data/dir/sancp/ -f /nsm/sensor_data/dir/pads.fifo

When I look at pads events in Sguil, they have the wrong timestamp.

For example, I have a pads event for a new web client with a timestamp of 2012-10-18 23:51:26. If I try to pivot from that event to full pcap, no matching tcp stream is found. If I search for HTTP events for the destination IP I find that the actual HTTP transaction occurred on 2012-10-19 23:01:41. I can pivot to pcap on this HTTP event and confirm that this matches the User Agent that the prads_client event was for. I can also search the sancp table for the destination IP and find the same timestamp of 2012-10-19 23:01:41 (so the sancp output plugin is sending the correct timestamp, but the pads output plugin is not).

Looking at the pads events, they appear to come in batches with the same exact timestamp. So perhaps prads is flushing a buffer only periodically and/or somehow grabbing the timestamp of the first pads event in a series of events?

Any ideas?

Thanks!

In Sguil, I'm only seeing TCP flags for the source IP. Sent screenshot to Edward.

I see that PRADS has a -b option for passing a BPF on the command line, but I don't see an option for a passing a BPF in a file (like bpf.conf). I'm currently emulating this by reading bpf.conf, stripping any comments, and loading into the -b option. It would be nice just to be able to say "-B bpf.conf".

Thanks!

Commit e51be89 changed the Sguil output filename prefix from "stats" (what Sguil's sancp_agent is expecting) to "stat". The end result is that sancp_agent never picks up the file from the sancp directory. The following patch fixes the filename:

--- prads-0.3.2rc1.orig/src/prads.c
+++ prads-0.3.2rc1/src/prads.c
@@ -1383,7 +1383,7 @@ int main(int argc, char *argv[])

     if(config.cxtlogdir){
        char log_prefix[PATH_MAX];
-       snprintf(log_prefix, PATH_MAX, "%sstat.%s", config.cxtlogdir, config.dev?
+       snprintf(log_prefix, PATH_MAX, "%sstats.%s", config.cxtlogdir, config.dev?
                   config.dev : "pcap");
        rc = init_logging(LOG_SGUIL, log_prefix, 0);
        if (rc)

However, I think there may be another issue here as well. It looks like once I apply the patch and sancp_agent picks up the first stats file, prads never outputs any other files.

Any ideas?

Thanks!

PRADS-ME! BY DELTA9
Hullo stranger, your ip is
87.238.43.247

Here's what we got on you:

IP: 87.238.43.247
DNS: dhcp247.varnish-software.com
OS: unknown unknown (0%) 2

Port Service TCP-Application
80 CLIENT

Location: NO, 12, Oslo, N/A, 59.916698, 10.750000, 0, 0
Organization: Varnish Software
Powered by PRADS. Help us improve the quality of our fingerprints. If the stuff above doesn't match, drop us a line and let us know by opening a new issue on the PRADS project page, pasting this whole page as you see it..
Raw log:
87.238.43.247,0,44557,6,SYN,[S10:56:1:60:M1460,S,T,N,W6:.:unknown:unknown:link:ethernet/modem:uptime:11hrs],8,1328627261
87.238.43.247,0,80,6,CLIENT,[http:],8,1328627261
87.238.43.247,0,44558,6,FIN,[274:56:1:52:N,N,T:ATFN:unknown:unknown:uptime:11hrs],8,1328627274
87.238.43.247,0,60166,6,SYN,[S10:56:1:60:M1460,S,T,N,W6:.:unknown:unknown:link:ethernet/modem:uptime:16hrs],8,1328899894
87.238.43.247,0,80,6,CLIENT,[http:],8,1328899894
87.238.43.247,0,60166,6,FIN,[319:56:1:52:N,N,T:ATFN:unknown:unknown:uptime:16hrs],8,1328899904
©opywrong [email protected] u.delta9.pl 2011-10-06, rendered on 2012-02-10 20:11:04 1328901064

Of quick note is the need for rst2man, which on Debian is not a base-package. Then upon installing you have to sym-link it as it is a python script and the make install calls 'rst2man'. Just and FYI... so you may want to add python-docutils to the apt-get statement for package dependencies, along with the symlink...

Hi, when I use prads AND I have openvpn running, after a short while the openvpn route disappears, the client stays connected to the server but the VPN ceases to work (dead PINGs).
Is it only my set-up or someone has the same problem?

Having a problem compiling centos 5 64bit Cant upgrade yet. Latest version from Git

this is the ouput, any help appreciated

gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o bstrlib.o bstrlib.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o sig_tcp.o sig_tcp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o config.o config.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o sys_func.o sys_func.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o assets.o assets.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o prads.o prads.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o dhcp.o dhcp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o dump_dns.o dump_dns.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o mac.o mac.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o servicefp/servicefp.o servicefp/servicefp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o servicefp/tcpc.o servicefp/tcpc.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o servicefp/tcps.o servicefp/tcps.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o servicefp/udps.o servicefp/udps.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o ipfp/ipfp.o ipfp/ipfp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o ipfp/udp_fp.o ipfp/udp_fp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o ipfp/icmp_fp.o ipfp/icmp_fp.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o cxt.o cxt.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_dispatch.o output-plugins/log_dispatch.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_stdout.o output-plugins/log_stdout.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_file.o output-plugins/log_file.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_fifo.o output-plugins/log_fifo.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_ringbuffer.o output-plugins/log_ringbuffer.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -c -o output-plugins/log_sguil.o output-plugins/log_sguil.c
gcc -O3 -DCONFDIR='"../etc/"' -DRELEASE='"-35-gd04aefb"' -D__USE_GNU -o prads bstrlib.o sig_tcp.o config.o sys_func.o assets.o prads.o dhcp.o dump_dns.o mac.o servicefp/servicefp.o servicefp/tcpc.o servicefp/tcps.o servicefp/udps.o ipfp/ipfp.o ipfp/udp_fp.o ipfp/icmp_fp.o cxt.o output-plugins/log_dispatch.o output-plugins/log_stdout.o output-plugins/log_file.o output-plugins/log_fifo.o output-plugins/log_ringbuffer.o output-plugins/log_sguil.o -lpcap -lpcre -lresolv
dump_dns.o: In function dump_dns_sect': dump_dns.c:(.text+0x15d): undefined reference to__ns_parserr'
dump_dns.c:(.text+0x262): undefined reference to __ns_name_uncompress' dump_dns.c:(.text+0x2c5): undefined reference to__ns_name_uncompress'
dump_dns.c:(.text+0x384): undefined reference to __ns_name_uncompress' dump_dns.o: In functiondump_dns':
dump_dns.c:(.text+0x5c7): undefined reference to __ns_initparse' dump_dns.c:(.text+0x5d9): undefined reference to_ns_flagdata'
dump_dns.c:(.text+0x5e5): undefined reference to _ns_flagdata' dump_dns.c:(.text+0x5eb): undefined reference to_ns_flagdata'
dump_dns.c:(.text+0x5f3): undefined reference to _ns_flagdata' dump_dns.c:(.text+0x62f): undefined reference to_ns_flagdata'
dump_dns.o:dump_dns.c:(.text+0x637): more undefined references to `_ns_flagdata' follow
collect2: ld returned 1 exit status
make: *** [prads] Error 1

When passing an ipv6 range to -a such as 2001:7e8::/48 or 2001:7e8::1/48, servers outside that range are matched and reported.

I'm trying to use PRADS as a replacment for pads in my Security Onion distro. I'm using 0.3.1-rc1 from github and am running as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L
/nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo
-b 'ip or (vlan and ip)'

When I look at PADS events in Sguil I notice that the src and dst ports are identical. For example, an SSH connection with src and dst port 22 or an HTTPS connection with src and dst port 443.

Any help would be appreciated!

Thanks,
Doug

log daemonizing messages to syslog as per ssm's request

Hello,

We're running prads as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L
/nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo
-b 'ip or (vlan and ip)'

In Sguil, if I query the sancp table and look at the connections, the source and destination bytes are way too big.

Example:

I do the following:
curl testmyids.com

For that connection, Sguil shows the following:
S Bytes: 109704
D Bytes: 43697

If I look at the pcap in Wireshark, it's only 1032 bytes total.

Where did 109704 and 43697 come from?

Thanks!

this is wrong:

prads-asset-report - PRADS Text Reporting Module
0.3 - 2011-10-06
http://github.com/gamelinux/prads/

1 ------------------------------------------------------
IP: 87.238.43.241
DNS: dhcp241.varnish-software.com
OS: unknown unknown (0%) 1

Port Service TCP-Application
80 CLIENT

Location: NO, Norway

My OS is Ubuntu 11.04
My Browser is Chromium 12.0.742.112 (90304) Ubuntu 11.04

Hope this helps!