DOKK / manpages / debian 12 / pads / pads.8.en
PADS(8) System Manager's Manual PADS(8)

pads - Passive Asset Detection System

pads <DhUvV> <-c file > <-d file > <-g group > <-i interface > <-n network(s) > <-p file > <-r file > <-u file > <-w file > <expression>

PADS is a libpcap based detection engine used to passively detect network assets. It is designed to complement IDS technology by providing context to IDS alerts.

Goals:

- Passive: Records and identifies traffic seen on a network without
actively "scanning" a system. There will never be a packet sent from
the pads application.

- Portable: Has the ability to be placed easily on a remote system.
Does not require additional external libraries other than those
associated with libpcap.

- Lightweight: Logging is sent to a simple CSV file. There is no need
for a database or other data repository installed on the local
machine. All correlation is done outside of the pads program.

Display help / usage information.

Run PADS in the background (daemon mode).

Dump banner data into a libpcap formatted file. This feature will dump the matched packet or the first 4 packets of an unmatched connection into a specified file. This can be used to further identify a service and also aid with signature development.

Please keep in mind that this feature must be compiled into the application in order to use it. This can be done by adding ´--enable-banner-grab' to the 'configure' step.

This switch allows you to specify a group that PADS will drop to after the libpcap interface has been initialized.

Display help

Specify an interface to be used.

Specify a set of networks to be monitored. Only assets that exist within these networks will be recorded. The networks should be specified in the following format: 10.10.10.0/24,192.168.0.0/16 .

This switch allows you to specify a PID file to be used in conjunction with daemon (-D) mode.

Read packets from a libpcap formatted file.

This switch allows you to specify a user that PADS will drop to after the libpcap interface has been initialized.

Dump data into a file other than assets.csv.

selects which packets will be processed. Please see tcpdump(1) for details on the libpcap primitives.

pads.conf(8), pads-report(8), pads-archiver(8), tcpdump(8), pcre(3)

Copyright (C) 2004 Matt Shelton <matt@mattshelton.com>

Please send bug reports to the author.

Matt Shelton <matt@mattshelton.com>

2005/06/17