PADS(8)                     System Manager's Manual                    PADS(8)

NAME
       pads - Passive Asset Detection System

SYNOPSIS
       pads <DhUvV> <-c file > <-d file > <-g group > <-i interface >
            <-n network(s) > <-p file > <-r file > <-u file > <-w file >
            <expression>

DESCRIPTION
       PADS is a libpcap-based detection engine used to passively detect
       network assets. It is designed to complement IDS technology by
       providing context to IDS alerts.

       Goals:

       - Passive: Records and identifies traffic seen on a network without
         actively "scanning" a system. There will never be a packet sent
         from the pads application.

       - Portable: Has the ability to be placed easily on a remote system.
         Does not require additional external libraries other than those
         associated with libpcap.

       - Lightweight: Logging is sent to a simple CSV file. There is no need
         for a database or other data repository installed on the local
         machine. All correlation is done outside of the pads program.

OPTIONS
       -h     Display help / usage information.

       -D     Run PADS in the background (daemon mode).

       -d file
              Dump banner data into a libpcap formatted file. This feature
              will dump the matched packet or the first 4 packets of an
              unmatched connection into a specified file. This can be used to
              further identify a service and also aid with signature
              development.

              Please keep in mind that this feature must be compiled into the
              application in order to use it. This can be done by adding
              '--enable-banner-grab' to the

       -g group
              This switch allows you to specify a group that PADS will drop to
              after the libpcap interface has been initialized.

       -i interface
              Specify an interface to be used.

       -n network list
              Specify a set of networks to be monitored. Only assets that
              exist within these networks will be recorded. The networks
              should be specified in the following format:
              10.10.10.0/24,192.168.0.0/16
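The -n scoping rule above, as an added illustration that is not part of pads itself: parse the comma-separated CIDR list and decide whether an observed asset address falls inside the monitored networks. The function names and the sample addresses are assumptions constructed for this example.

```python
import ipaddress
from typing import Iterable, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_network_list(spec: str) -> List[IPNetwork]:
    """Parse a pads-style -n value such as "10.10.10.0/24,192.168.0.0/16".

    Entries are comma-separated CIDR blocks. Surrounding whitespace and
    empty fields are tolerated; a bare address becomes a /32 (or /128).
    Host bits set inside the prefix (e.g. 10.10.10.5/24) are masked off
    rather than rejected, since the containing block is clearly intended.
    """
    networks: List[IPNetwork] = []
    for raw in spec.split(","):
        entry = raw.strip()
        if not entry:
            continue  # stray comma, nothing to parse
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"bad network entry {entry!r} in -n list") from exc
    if not networks:
        raise ValueError("-n list contains no networks")
    return networks


def asset_in_scope(address: str, networks: Iterable[IPNetwork]) -> bool:
    """True if the asset address lies within any monitored network.

    An IPv4 address is never 'in' an IPv6 network (and vice versa), so a
    mixed list simply yields False for the non-matching family.
    """
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


def filter_assets(spec: str, addresses: Iterable[str]) -> List[str]:
    """Return only the addresses that would be recorded under this -n list."""
    networks = parse_network_list(spec)
    return [a for a in addresses if asset_in_scope(a, networks)]


if __name__ == "__main__":
    # Constructed sample: addresses an asset-detection run might observe.
    seen = ["10.10.10.7", "192.168.44.2", "172.16.0.9", "8.8.8.8"]
    print(filter_assets("10.10.10.0/24, 192.168.0.0/16", seen))
```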

       -p pid file
              This switch allows you to specify a PID file to be used in
              conjunction with daemon (-D) mode.

       -r file
              Read packets from a libpcap formatted file.

       -u user
              This switch allows you to specify a user that PADS will drop to
              after the libpcap interface has been initialized.

       -w file
              Dump data into a file other than assets.csv.

       expression
              Selects which packets will be processed. Please see tcpdump(1)
              for details on the libpcap primitives.

SEE ALSO
       pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)

COPYRIGHT
       Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>

BUGS
       Please send bug reports to the author.

AUTHOR
       Matt Shelton <matt@mattshelton.com>



                                  2005/06/17                           PADS(8)