
PRADS not capturing service banner like PADS #19

Open
dougburks opened this issue Sep 24, 2012 · 7 comments

Comments

@dougburks

I'm trying to use PRADS as a replacement for pads in my Security Onion distro. I'm using 0.3.1-rc1 from github and am running as follows:

prads -i eth0 -c $conf -u sguil -g sguil -L /nsm/sensor_data/$SENSOR/sancp/ -f /nsm/sensor_data/$SENSOR/pads.fifo -b 'ip or (vlan and ip)'

When I look at PADS events in Sguil and select "Display Detected Banner", it's always "PRADS CLIENT" or "PRADS SERVER", whereas PADS gives me the actual detected banner like "Apache 1.2.3.4..."

Any help would be appreciated!

Thanks,
Doug

@comotion
Collaborator

it's true, we don't output the service banner yet. however, thanks to your bug report it's now high on our priority list. what we do now is output the matching part of the service fingerprint regex, and that is missing from the fifo.
expect us to first push a fix to put the matching service fingerprint into the fifo, and then later on fix the design by storing the banner in the service asset.

@comotion
Collaborator

it's important to note however that "Apache 1.2.3" in PADS is not a banner but PADS catching the Server: header of the packet. Service banners are the type of stuff the server sends in the first packet after a connect but before any request is made from the client.
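The comment above draws a line between a true service banner and an HTTP Server: header. As an added example (not code from the PRADS or PADS projects), the following Python sketch extracts each from a reconstructed TCP flow, assuming flows are given as direction-tagged payload segments and using constructed sample data:

```python
# Added illustration (not PRADS/PADS code) of the distinction above: a service
# banner is data the server volunteers on connect; a Server: header is a field
# inside an HTTP reply that only exists because the client asked for something.
from typing import List, Optional, Tuple

# A flow is the ordered data-bearing segments of one TCP session; the direction
# is "c2s" (client to server) or "s2c" (server to client).
Flow = List[Tuple[str, bytes]]

def service_banner(flow: Flow) -> Optional[bytes]:
    """First line the server sends if it speaks before the client (SMTP, FTP,
    SSH style greetings); None when the client sends data first, as in HTTP."""
    for direction, payload in flow:
        if not payload:
            continue  # keep-alive or empty segment carries no banner
        return payload.split(b"\r\n", 1)[0] if direction == "s2c" else None
    return None

def http_server_header(flow: Flow) -> Optional[bytes]:
    """Value of the Server: header in the first HTTP response, i.e. what PADS
    reports as 'Apache 1.2.3'; None if there is no HTTP response or header."""
    for direction, payload in flow:
        if direction != "s2c" or not payload.startswith(b"HTTP/"):
            continue
        head = payload.split(b"\r\n\r\n", 1)[0]
        for line in head.split(b"\r\n")[1:]:  # skip the status line
            name, sep, value = line.partition(b":")
            if sep and name.strip().lower() == b"server":
                return value.strip()
        return None  # first response carried no Server: header
    return None

# Constructed sample flows, not captured traffic.
SMTP_FLOW: Flow = [
    ("s2c", b"220 mail.example.test ESMTP Postfix\r\n"),
    ("c2s", b"EHLO client.example.test\r\n"),
]
HTTP_FLOW: Flow = [
    ("c2s", b"GET / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("s2c", b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    print("SMTP banner:", service_banner(SMTP_FLOW))      # b'220 mail.example.test ESMTP Postfix'
    print("HTTP banner:", service_banner(HTTP_FLOW))      # None: the client spoke first
    print("HTTP Server:", http_server_header(HTTP_FLOW))  # b'Apache/2.4.41'
```

For the HTTP flow the banner function returns None because the client spoke first, which is exactly why a Server: header value is a different kind of evidence than a greeting.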

@dougburks
Author

For my planning, are you able to provide an ETA for this? Thanks!

@comotion
Collaborator

we're trying to plan out how to support this feature atm

@dougburks
Author

OK, thanks!

@archembo

Hello,

Any update about this issue?

Regards

@LiamRandall

Also curious about this issue.
