File: TODO

prads 0.3.3-7
==========
#TODO Passive Real-time Asset Detection System
==========

2. inform firewall / snort / nessus / satan etc

3. Stateful conntrack => trust relationships

4. Fingerprinting techniques
   - SYN/SYNACK
   - FIN, RST, STRAY-ACK
   - DHCP
   - DNS
   - ICMP
   - SNMP
   - retransmission timings
   - statistical / chaotic methods of analysis (think vseq)
   - masq/NAT detection

5. p0f - Passive OS fingerprinting...
   - Together with discovering hosts (and trying to get OS from banner strings etc.), PRADS should
     emulate p0f logic to detect OS based on tcp/icmp/udp... fingerprinting...

6. Goes without saying, but adding it as a point: client OS and client program fingerprinting from HTTP User-Agent strings, like:
   Like: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.6) Gecko/2009020911 Ubuntu/8.10 (intrepid) Firefox/3.0.6 Ubiquity/0.1.5"
         "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
         "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6"
         "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_7; nb-no) AppleWebKit/525.28.3 (KHTML, like Gecko) Version/3.2.3 Safari/525.28.3"

7. Different output plugins...
   - PoC should send to stdout and/or logfile (text). # done, stdout/file
   - Sguil (Add a switch to make the output better for sguil?) # done, see fifo
   - output plugins compatible with:
    -> p0f # messy
    -> pads
    -> sancp # cxtracker
    -> prads.pl (sort of anyway)
    -> nagios
    -> snort (host-attribute-table.xml)
    -> dot / graphviz

8. GUI - by web or "desktop"
   - See your network, different OS and services.
   - See firewalls
   - summaries: severity/vuln/port/proto/ip/net class abc/mail/os/service/ssh/web server/web client/trends

9. Web application detection!
   - have a set of known signatures for known web apps,
     say WordPress, Drupal, phpMyAdmin, and so on, so that
     we know which Snort/ET/Suricata rules to enable :)
     automatically!

 Kacper's TODO items & krazy ideas:
====================================

 > design doc! => good design == good API for free
 == easier to make good gui with good api
      /  main program (prads)  \
 packet analyzer -> fingerprint analyzer
   (pradsd)     \-> realtime asset memory
                |==> graphical C&C

 .in-memory asset store API
 .data exchange api? in-memory updates should be available
 for realtime display, db insertion or offline dumping
 .signature matching {SYN,UDP,ICMP,++} based on generated fp

match = signature[hash(fp)]. 
    > Take away multiple matches.
    > Normalize OS, provides "best guess"

 .service fingerprints == good regex module
  finding byte-sigs before regex.
 - NAT detection
 - PRADS console (woot. leet!)
 - trust relationships :-)
 - DDoS detection
 - Flood protection: malloc-free shmem ringbuffer
 - phase plane analysis of initial SEQ = fingerprint signatures
 - active prads-informed firewall
 - UPnP, BGP, IGMP, multicast, tcp6 etc etc
 - how to do vuln checks? / match to db
 - switch/router topology by sniffing OSPF/BGP/RSTP
 - geoip maps (passive lookup)
 - sniff DNS lookups
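An added example (not prads code) of the lookup sketched above under "signature matching": an exact `signature[hash(fp)]` hit with duplicate matches collapsed, and a hop-normalized best guess when the exact hash misses. The fingerprint layout, the `loose_key` choice and the signature table are all constructed for illustration, not real prads or p0f signatures.

```python
from collections import Counter
from hashlib import sha1

def syn_fingerprint(window, ttl, df, mss, options):
    """Fingerprint tuple from SYN fields; TTL is rounded up to its likely initial
    value so that the hop count does not change the hash."""
    ittl = next(t for t in (32, 64, 128, 255) if ttl <= t)
    return (window, ittl, int(df), mss, tuple(options))

def loose_key(fp):
    """Coarser key for the best-guess pass: drop window and MSS, which vary with
    link MTU and tuning, and keep initial TTL, DF and the option layout."""
    return fp[1], fp[2], fp[4]

def fp_hash(fp):
    return sha1(repr(fp).encode()).hexdigest()

# Constructed signature table (illustrative only); the second row is a duplicate
# such as two signature sources would produce, and must not yield two matches.
SIGNATURES = [
    (syn_fingerprint(5840, 64, True, 1460, ["mss", "sackOK", "ts", "nop", "wscale"]), "Linux 2.6"),
    (syn_fingerprint(5840, 64, True, 1460, ["mss", "sackOK", "ts", "nop", "wscale"]), "Linux 2.6"),
    (syn_fingerprint(65535, 128, True, 1460, ["mss", "nop", "wscale", "nop", "nop", "sackOK"]), "Windows XP"),
    (syn_fingerprint(65535, 64, True, 1460, ["mss", "nop", "wscale", "nop", "nop", "ts", "sackOK", "eol"]), "Mac OS X 10.5"),
]

class SignatureDB:
    def __init__(self, sigs):
        self.exact, self.loose = {}, {}
        for fp, os_name in sigs:
            self.exact.setdefault(fp_hash(fp), set()).add(os_name)      # multiple hits collapse
            self.loose.setdefault(loose_key(fp), Counter())[os_name] += 1

    def match(self, fp):
        """(os_names, confidence): exact hash hit, else the most common OS with
        the same normalized layout as a best guess, else unknown."""
        hit = self.exact.get(fp_hash(fp))
        if hit:
            return sorted(hit), "exact"
        guess = self.loose.get(loose_key(fp))
        if guess:
            return [guess.most_common(1)[0][0]], "guess"
        return [], "unknown"
```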
 
Optimizations:
 - optimize SERVICE matching - reduce universe of regexes to match by
 - optimize PCRE matcher (try n implementations, like snort)
 - use SIMD instructions for parsing & matching (vectorize data)
   ... and OpenCL / CUDA too!
 - profile using rdtsc
 - examine cache locality, TLB misses (cachegrind, perfctr), pipelines,
 instruction pairing

--- random ideas for implementation ---
 - MVCC lockless assets in shared memory ring-buffer (shmat())
    - keep last x updates + random discards / vacuum

 * asset struct / shared fields. keep in same hashfunc : hash lib!
 * sigs -> lookups
 * API for plugins = 
 - Lua plugins
 log / visualize / stats / db insert
 * get prads.c to prads.pl state. superdaemon + subfunction daemons
 -> duplicate the commandline of perl
 * async IO and other scaling factors
 * mobile (wifi,ether,ip,tcp)-frame scanning app for android/iPhone (+ autohack?)
 * autogen nagios host table
 * autogen snort host attributes
 * graphviz dot visualizations
 * realtime / SDL visio map

Edward's TODO items:
=====================
 - fix SERVICE, both TCP and UDP... together with Kacper?
   Need to make it faster, and maybe drop newlines etc.?
   Kacper mentioned precompiling regexp
 - IP statistics... Some way of collecting stats about sessions..
   $session_tracking->{$src_ip}->{$src_port}->{$dst_ip}->{$dst_port}->{ip_type}->{$src_byte}->{$dst_byte}->{$src_packets}->{$dst_packets}->{$start_timestamp}->{$end_timestamp} ?
   #UDP example: 
   $session_tracking->{10.10.10.12}->{1234}->{10.10.10.14}->{53}->{17}->{102}->{433}->{5}->{21}->{1243504322}->{1243508001}
   #TCP example:
   $session_tracking->{10.10.10.12}->{1234}->{10.10.10.14}->{53}->{6}->{1002021}->{92311}->{39811}->{1021}->{1243504322}->{1243508001}
   #ICMP example:
   $session_tracking->{10.10.10.12}->{0}->{10.10.10.14}->{0}->{1}->{102}->{433}->{5}->{21}->{1243504322}->{1243508001}
   # for icmp $src_port could be $type and $dst_port could be $code ? I'm smart... uhh


Minor issues to track:
 - take a code walk and get rid of copying-around strings and lameness
 like "UNKNOWN"
 - make sanity checker macros on all API funcs that handle packet fields
  (* packetinfo makes for caller opacity)

Passive DNS: only on the answer from the DNS server
TIMESTAMP,DNS-SERVER-IP,QUERY-TYPE,QUERY-CLASS,QUERY-DATA,RESOURCE-TYPE,RESOURCE-CLASS,RESOURCE-DATA,MISC
 TIMESTAMP: unix timestamp
 DNS-SERVER-IP: the IP of the DNS server responding
 MISC: other data in the answer
 foreach additional record in $UDP-DNS-PAYLOAD {
  TIMESTAMP,DNS-SERVER-IP,QUERY-TYPE,QUERY-CLASS,QUERY-DATA,RESOURCE-TYPE,RESOURCE-CLASS,RESOURCE-DATA,MISC
 }
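An added example (not prads code) that turns a DNS response into the record format above, one line per answer, authority and additional record, and ignores queries as the spec requires. The sample packet is constructed, and the contents of the MISC field (section, owner name, TTL) are an assumption.

```python
import struct
# Constructed sample (not captured traffic): response to "example.com A?" with one A
# answer and one NS additional record; 0xc00c is a compression pointer to offset 12.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x01"   # id, flags QR=1, QD=1 AN=1 NS=0 AR=1
    b"\x07example\x03com\x00\x00\x01\x00\x01"             # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"  # A 93.184.216.34, ttl 3600
    b"\xc0\x0c\x00\x02\x00\x01\x00\x00\x0e\x10\x00\x06\x03ns1\xc0\x0c"   # NS ns1.example.com
)

def read_name(msg, off):
    """Decode a possibly compressed DNS name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    for _ in range(128):                        # bounded walk: pointer loops abort
        length = msg[off]
        if length & 0xC0 == 0xC0:               # 11xxxxxx: compression pointer
            if not jumped:
                end, jumped = off + 2, True
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        elif length == 0:
            return ".".join(labels) or ".", (end if jumped else off + 1)
        else:
            labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
            off += 1 + length
    raise ValueError("malformed DNS name")

def rdata_text(msg, rtype, off, rdlen):
    if rtype == 1 and rdlen == 4:               # A: dotted quad
        return ".".join(str(b) for b in msg[off:off + 4])
    if rtype in (2, 5, 12):                     # NS, CNAME, PTR: a name
        return read_name(msg, off)[0]
    return msg[off:off + rdlen].hex()           # anything else: raw hex

def passive_dns_records(msg, server_ip, ts):
    """One CSV line per resource record of a response; [] for a query."""
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    if not flags & 0x8000 or qd != 1:           # QR clear (a query) or odd QDCOUNT: skip
        return []
    qname, off = read_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4]); off += 4
    lines = []
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        for _ in range(count):
            name, off = read_name(msg, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
            rec = (ts, server_ip, qtype, qclass, qname, rtype, rclass,
                   rdata_text(msg, rtype, off, rdlen), f"{section};name={name};ttl={ttl}")
            lines.append(",".join(map(str, rec)))   # MISC layout (last field) is assumed
            off += rdlen
    return lines
```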



DONE
- MAC asset detection # DONE
1. Sguil! # DONE
1. Discover host on ICMP too # DONE
2. Discover Network Assets based on ARP. # DONE
3. Internal table of [hosts(IP),services(port-#),ID string(banner of service or string that match),timestamp] # DONE
- Start with SYN fingerprinting... # DONE
- I believe that we should have SYN+ACK also :/ # DONE
- fix up icmp OS fingerprinting # DONE
- fix up UDP OS fingerprinting # DONE
- Next would be mysql # DONE
   .DBI optimizations:
   ..async DBI commits
   ..in-mem db + persistence if $PERSIST
 - update UNKNOWN entries when they match.
 - option 76 crash
 - CREATE TABLE failed blah error message.