The purpose of this talk is to improve an administrator's awareness of the hosts and services on a network using open source tools. First I will introduce dhcpdump, a tool to sniff DHCP traffic. Admins can use this tool to keep track of IP addresses assigned to systems as they join a network, independent of any logs kept by the DHCP server. Next I will explain the Passive Asset Detection System (PADS), a tool which watches network traffic and records the services it sees. This program helps an admin passively enumerate services; it is not an active assessment application like Nessus.

After PADS, I will describe P0f. This tool determines the operating system of hosts it sees communicating on the network. It complements PADS, which does not make OS guesses.

Finally I will provide information on the Security Analyst Network Connection Profiler (SANCP). SANCP is a session data collection program which passively summarizes conversations on the network. It can track TCP flows and estimates sessions for stateless protocols like UDP and ICMP. SANCP is integrated with Sguil, the subject of my talk at BSDCan 2004.

All of these programs work on UNIX and most are in the FreeBSD ports tree. I will give installation instructions and sample output from each. Should I have any extra time to spare, I may cover other open source tools for NSM purposes. I have a few others in mind already. I'll probably build a case study around using these tools.

speaker: Richard Bejtlich

location not assigned