{{:pandda_title.jpg}} {{:pandda_logo.png?400}}

**PAssive Network Device Discovery and Analysis**

===== 👔 Asset management =====

After network flows are collected, they are processed by **NEMEA** modules, which extract valuable insights for security analysts and network administrators. Instead of just recording raw communication, NEMEA filters relevant data, enriches it with domain knowledge, and transforms it into **actionable insights about network devices**.

This processed information is stored in **ADiCT** (Asset Discovery, Classification, and Tagging), a system that maintains long-term profiles of detected devices. ADiCT runs on the open **DP³** platform and supports various modules for enhanced network visibility.

==== Key Modules ====

=== IP Activity Monitoring ===

  * Tracks the communication volume of devices.
  * Counts network flows, packets, and bytes in **10-minute intervals**.
  * Labels activity levels (e.g., **idle, medium, high**) for easy monitoring.

=== Open Ports Detection ===

  * Identifies **open ports** on network devices by analyzing traffic.
  * Helps administrators detect running services and potential vulnerabilities.
  * Data is periodically sent to ADiCT for tracking.

=== Service and OS Recognition (Recog Module) ===

  * Analyzes service banners (e.g., **SSH, SMTP**) to identify:
    * **Device types**
    * **Operating systems & versions**
    * **Running services**
  * Helps detect outdated or vulnerable software, improving security.

=== Domain Name Lookup ===

  * Resolves **IP addresses** into domain names for **better device identification**.

=== DNS Open Resolver Detection ===

  * Identifies **misconfigured DNS resolvers** that could be exploited for cyberattacks.
  * Warns administrators of potential security risks (e.g., **DDoS amplification**).

=== Long-Term Storage ===

All collected data is stored in **ADiCT**, allowing users to **track historical device activity**.
The system is designed for **future expansion**, supporting additional modules to further enhance network security and device monitoring.

==== PANDDA GUI ====

The PANDDA infrastructure includes a user interface for the ADiCT system. The PANDDA GUI displays the stored data and allows filtering and querying. For security reasons, access to the interface is only allowed to authorized users, based on a login name and password set by the [[en:configurator|installation tool]]. While other components of the PANDDA infrastructure are based on pre-existing software, the GUI was developed specifically for the PANDDA project.

The main page of the user interface is an overview of IP addresses (picture below) consisting of filters and a paginated table with current data. The table contains the IP address, device name, list of open ports, activity class, and an open DNS resolver indicator. All of this data can be filtered.

{{ :en:pandda-gui-0.2.3-1.png?900 }}

Clicking on any IP address in the table displays its details. The IP address details (picture below) contain current data as well as a complete history of data according to the configuration. In the page's header there is a selector for choosing a time. It accepts simple relative values, for example -7 days or -24 hours, or an exact date and time. The displayed history always corresponds to the time window between the selected time and 24 hours before it. The displayed data contains the list of open ports, including their level of trust (confidence), the SSH and SMTP service banners from the Recog module, and a graph of IP address activity: the number of bytes transferred, packets, and flows on the network.

{{ :en:pandda-gui-0.2.3-2.png?900 }}
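To make the IP Activity Monitoring and Open Ports Detection modules from the Key Modules section concrete, the following is an added example (not PANDDA, NEMEA or ADiCT code) that processes a handful of constructed flow records the way those modules are described: it counts flows, packets and bytes per 10-minute interval and labels each interval idle/medium/high, and it infers a device's open TCP ports from the device's own replies, attaching a confidence score like the one the GUI shows next to each port. The flow record layout, the sample flows, the activity thresholds, the SYN+ACK rule for "open" and the confidence formula are all assumptions made for this example.

```python
"""Added example: activity binning and open-port inference over flow records.

Not PANDDA/NEMEA/ADiCT code. The record layout, thresholds, the rule used to
decide that a port is open and the confidence formula are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

INTERVAL = 600                 # 10-minute bins, as in the IP Activity Monitoring module
HIGH_PACKETS = 100             # assumed threshold: >= this many packets in a bin is "high"
PEERS_FOR_FULL_CONFIDENCE = 2  # assumed: SYN+ACK replies to this many peers => confidence 1.0


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record (assumed layout)."""
    ts: int        # flow start, seconds since epoch
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    flags: str     # union of TCP flags seen in the flow, e.g. "SPA"; "" for UDP
    packets: int
    nbytes: int


def bin_activity(flows, ip, start, end):
    """Count flows/packets/bytes involving `ip` per INTERVAL-second bin in [start, end).

    Bins without traffic are kept (all zeros) so they can be labelled idle.
    """
    bins = {t: {"flows": 0, "packets": 0, "bytes": 0}
            for t in range(start, end, INTERVAL)}
    for f in flows:
        if ip not in (f.src, f.dst) or not start <= f.ts < end:
            continue
        b = bins[f.ts - (f.ts - start) % INTERVAL]
        b["flows"] += 1
        b["packets"] += f.packets
        b["bytes"] += f.nbytes
    return bins


def label_activity(counts):
    """Map one bin's counters to an activity class (thresholds are assumptions)."""
    if counts["flows"] == 0:
        return "idle"
    if counts["packets"] >= HIGH_PACKETS:
        return "high"
    return "medium"


def activity_timeline(flows, ip, start, end):
    """Return {bin_start: label} for the device, the shape a time series store wants."""
    return {t: label_activity(c) for t, c in bin_activity(flows, ip, start, end).items()}


def infer_open_ports(flows, ip):
    """Infer open TCP ports of `ip` from the device's own outbound flows.

    A port counts as open when the device answered from it with a flow carrying
    both SYN and ACK, i.e. the server side of a completed handshake. A reply that
    carries only RST/ACK is what a closed port sends back and is ignored.
    Confidence grows with the number of distinct peers that received such a reply.
    """
    peers = defaultdict(set)
    for f in flows:
        if f.src == ip and f.proto == "tcp" and "S" in f.flags and "A" in f.flags:
            peers[f.sport].add(f.dst)
    return {port: round(min(1.0, len(p) / PEERS_FOR_FULL_CONFIDENCE), 2)
            for port, p in sorted(peers.items())}


# Constructed sample flows for device 10.0.0.5 (not captured traffic).
DEVICE = "10.0.0.5"
T0 = 1_700_000_000
SAMPLE_FLOWS = [
    # two SSH clients, handshake completed on port 22
    Flow(T0 + 5, "192.0.2.10", DEVICE, "tcp", 51000, 22, "SPA", 40, 5200),
    Flow(T0 + 5, DEVICE, "192.0.2.10", "tcp", 22, 51000, "SPA", 38, 4100),
    Flow(T0 + 20, "192.0.2.11", DEVICE, "tcp", 51002, 22, "SPA", 10, 1300),
    Flow(T0 + 20, DEVICE, "192.0.2.11", "tcp", 22, 51002, "SPA", 9, 1100),
    # a SYN to port 443 answered with RST/ACK: the port is closed
    Flow(T0 + 30, "192.0.2.10", DEVICE, "tcp", 51003, 443, "S", 1, 60),
    Flow(T0 + 30, DEVICE, "192.0.2.10", "tcp", 443, 51003, "RA", 1, 40),
    # one HTTP client on port 80
    Flow(T0 + 90, "198.51.100.7", DEVICE, "tcp", 40000, 80, "SPA", 6, 700),
    Flow(T0 + 90, DEVICE, "198.51.100.7", "tcp", 80, 40000, "SPA", 5, 9000),
    # third bin: a single DNS query from the device and its reply
    Flow(T0 + 1205, DEVICE, "10.0.0.1", "udp", 43210, 53, "", 1, 70),
    Flow(T0 + 1205, "10.0.0.1", DEVICE, "udp", 53, 43210, "", 1, 120),
]

if __name__ == "__main__":
    for t, label in activity_timeline(SAMPLE_FLOWS, DEVICE, T0, T0 + 3 * INTERVAL).items():
        print(t, label)          # first bin high, second idle, third medium
    print(infer_open_ports(SAMPLE_FLOWS, DEVICE))   # {22: 1.0, 80: 0.5}
```

The second bin has no traffic at all, which is why empty bins are kept rather than dropped: an idle interval is itself a data point in the device's history. Port 443 is left out even though the device sent a packet from it, because a RST/ACK reply is evidence of a closed port, not an open one; a single client on port 80 yields a lower confidence than the two clients on port 22.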