Passive Network Audit Framework (PNAF)

PNAF is a framework intended to provide the capability of getting a security assessment of network platforms by analyzing in-depth the network traffic (in a passive way) and by providing a high-level interpretation in an automated way. It combines different analysis techniques and tools. The framework is intended to achieve the following goals:

Architecture

• To be a flexible, scalable and modular framework
• To provide an accurate analysis of network platforms
• To provide a useful API in order to develop further features and improvements (not included on 0.1.2 prototype, but on next 0.2.x)

Functional

• Summary of the Security Level of the network
• Findings of anomalous activities
• Findings of security audit policy
• Findings of impact analysis (e.g. based on CVE)
• Summary of security recommendations
• Reference of evidence

ARCHITECTURE

PNAF is comprised of three main modules. Each module has its own engines which manage specific tools and process the data. PNAF is written in Perl, why? because of Perl rules!

DCM – DATA COLLECTION MODULE

1. NTCE – Network Traffic Capture Engine
2. NCPE – Network Traffic Pre-processing Engine

DPM – DATA PROCESSING MODULE

1. NPEE – Network Profiling and Enumeration Engine
   • p0f : Network and service enumeration
   • prads : Network and service enumeration
2. IDSE – Network Intrusion Detection Engine
   • Suricata
   • Snort
   • Bro
   • Barnyard : Unified2 reader
3. NFAE – Network Flow Analysis Engine
   • Cxtracker : Basic flow data summary
   • Argus : Flow data analysis
   • Yaf : Flow data analysis
   • Silk: Flow data analysis
   • Tcpdstat : Protocol statistics
4. DPIE – Deep Packet Inspection Engine
   • Chaoreader : Application data extraction “any-snarf”
   • Nftracker: File extraction
   • Xplico: Application data extraction (url, files, …)
   • Httpry : HTTP data logger
   • ssldump: SSLv3/TLS data tracker
   • Dnsdump: DNS data extraction
   • Passivedns: Passive DNS data collection
   • Dnscap: DNS capture utility (tcpdump-like for DNS)
   • Tcpxtract : File extraction
   • Tcpdump: Pcap filtering
5. NSAE – Network Security Audit Engine
   • Pnaf-auditor

DVM – DATA VISUALIZATION MODULE (TODO — Dev)

• WDVE – Web Data Visualization Engine
• GSVE – Graphic Security Visualization Engine
• SARE – Security Audit Report Engine
• DIEE – Data Import/Export Engine

Install

apt install autoconf automake binutils-dev bison build-essential byacc ccache cmake dsniff flex g++ gawk gcc libcap-ng-dev libcli-dev libdatetime-perl libdumbnet-dev libfixposix0 libfixposix-dev libgeoip-dev zlib1g zlib1g-dev libgetopt-long-descriptive-perl libglib2.0-cil-dev libjansson4 libjansson-dev libldns-dev liblzo2-2 libnet1-dev libmagic-dev libmysql++3 libmysqlclient-dev libmysql++-dev libnacl-dev libncurses5-dev libldns1 libnetfilter-conntrack-dev libnetfilter-queue1 libnetfilter-queue-dev libnet-pcap-perl libnfnetlink0 libnfnetlink-dev libnl-3-dev libnl-genl-3-dev libpcap-dev libpcre3 libpcre3-dbg libpcre3-dev libsqlite3-dev libssl-dev liburcu-dev libyaml-0-2 libyaml-dev liblzo2-dev openssl pkg-config python-dev python-docutils sqlite3 swig git-core libglib2.0-dev libtool tcpslice tcpick tshark tcpflow ethtool

git clone https://github.com/jusafing/pnaf.git
./install.sh
cd build/pnaf/Pnaf
perl Makefile.PL
make
make test
make install // (as root)

USAGE

Execution:

--debug                 : Enable debug mode

--conf                  : Specify configuration file (yaml)

--help                  : Show this

--version               : Show tools versions

--parser arg1[,arg2]    : Specify parsers to be loaded

    'p0f'               : Process enumeration data

    'prads'             : Process enumeration data

    'argusFlow'         : Process NFA data (flow analysis)

    'snortAppId'        : Process enumeration data (App identification)

    'httpry'            : DPI over HTTP (URL's, UA, etc)

    'tcpdstat'          : Process enumeration data (protocol dist)

    'suricataEve'       : Process IDS data (alerts and payloads)

    'bro'               : DPI over different protocols

    'tcpflow'           : Process NFA data (session tracking)

--out_dataset           : Specify the kind of output data to generate

    'all'               : Generate all datasets

    'audit'             : Generate only audit dataset

--home_net              : Specify the 'homenet' in CIDR format

--payload               : Flag to enable payload decoding (IDS data)



Inputs:

--cap_file              : Set input capture file (pcap)

--audit_dict            : Path to vulnerability dictionary

--instance_dir          : Path to directory with 'initial raw dataset'



Logging:

--log_dir  		: Path to log directory

--log_file 		: Path to output directory

Tutorial

Copyright (C) 2014 by Javier Santillan

Source: https://github.com/jusafing/