SATAN Frequently Asked Questions (FAQ)


Table of Contents

(Last-modified: April 2nd, 1995)

General questions

Comparisons, Hype, etc.

Tech stuff

Really important things


How can I contact the authors?

Send mail to satan@fish.com (or click on the e-mail address); this will be sent to both of the authors. Failing this, you can send mail directly to Dan: zen@fish.com or Wietse: wietse@wzv.win.tue.nl

What's the deal? Who cares? Why all the publicity?

SATAN appears to be a tool written at the right time. The current (as of April, 1995) flurry of concern and press about SATAN is not really all about SATAN - anything that is Internet related is big news these days. Combine that with the recent Mitnick/Shimomura hunt and capture, as well as the latest IP spoofing techniques being publicized, and you have, for whatever reason, a big story in SATAN.

There are some technical reasons why SATAN is important - it does do and detect things that weren't possible before, at least not with any other tools or methods that the authors knew about. It's easy to use, and fills a gap that was only poorly covered by previous software. However, the death of the Internet is not, and should not be, predicted.

Why doesn't it warn remote hosts that it is probing them?

This could be built into SATAN; the most reliable general solution would be to send mail to the probed system (say, to "root" or "postmaster"). A beta-tester suggested that an entry could be written to the target's syslog. Neither solution is incredibly reliable. The former relies on someone reading the mail and the account existing, as well as having to deal with hundreds if not thousands of pieces of mail that might go to machines that the user of SATAN controls. The latter has several problems, first and foremost that it depends on people actually looking at the syslog records, and secondly that if an intruder uses SATAN to break in, they will typically "flatten", modify, or simply destroy such records. Finally, many systems don't run syslog or run non-standard syslog programs, and quite a few filter out requests with packet filters, so they would never see the warning.

Nonetheless, we'll probably be putting either or both of these as options in the next release of SATAN.

What's the difference between it and COPS?

COPS is a host-based Un*x security auditing tool; that means you run it on the host you wish to examine the security of. SATAN is a remote network security auditing tool, which means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

What's the difference between it and ISS and other remote scanners?

ISS, and any other remote auditing tool that we're aware of, scans a network or remote host and then reports on any problems that it may find. While SATAN does that as well, the inferencing, the web of trust that it uncovers, the automatic probing of secondary targets, the rich reporting schema with context-sensitive hypertext links to the documentation, the rich configurability, etc. all make SATAN different from what is currently available.

What's a remote security auditing tool/probe/scanner?

This means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

I'm using a B/W monitor, and it's hard to see the difference between red and black dots. What can I do?

The easiest thing to do is to just mv (or link or whatever) the html/dots/whitedot.gif to html/dots/reddot.gif. That'll give a much higher contrast and should be easier to read.

How can I change from one HTML browser (e.g. Mosaic, Netscape, whatever) to another, without running reconfig or something?

Simply edit the file config/paths.pl. You'll see a line that looks like:
    $MOSAIC = "/usr/local/bin/netscape";
Change the path inside the quotes to point to wherever your preferred browser is; for instance, if you want to use Mosaic, and it's in /usr/bin/X11, you'd change the above line to:
    $MOSAIC = "/usr/bin/X11/Mosaic";

Why does SATAN keep fingering the same host(s) over and over again?

SATAN will finger a host repeatedly if it gets new information about the host; for instance, if it finds out that a user might exist on a host, it will finger that host again to try to find out remote login information.

SATAN died (or the machine crashed, or whatever) in the middle of a run - do I have to start everything over again?

SATAN saves data at regular intervals to its database files; the easiest thing to do is to simply start it up again, with the same target and probe levels. If SATAN has remembered anything, it will grind away for a while, finding out what it has seen before, and then resume on the targets that it hasn't scanned.

How can I tell if anyone is running SATAN against me?

CIAC wrote and is distributing something called Courtney, but it is far from foolproof. It is very difficult to detect the lighter SATAN scans; the heavier ones, however, are typically best detected by running Wietse's tcpd wrappers and examining the logs - a good tipoff is if many of your machines in the same area log connections from the same remote site. Some of the SATAN probes output a message to the console - if users report odd messages on their console screen, take them seriously ;-)
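The tipoff described above (the same remote site turning up in the tcpd logs of many of your machines) is easy to check for mechanically once the logs from several hosts are pulled together. The following is an added example, not part of the original FAQ and not code from SATAN or tcpd: it parses the "connect from" records that tcpd hands to syslog, groups them by remote source, and flags any source that has contacted more than a threshold number of distinct local hosts. The log lines, host names and the threshold of three hosts are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from any real system: "connect from" lines
# in the form tcpd (Wietse's TCP wrappers) hands to syslog, gathered from several
# machines in one department. Host and site names are made up.
SAMPLE_LOG = """\
Apr  2 10:15:01 alpha in.fingerd[1201]: connect from probe.example.org
Apr  2 10:15:02 alpha in.rshd[1202]: refused connect from probe.example.org
Apr  2 10:15:03 beta in.fingerd[3301]: connect from probe.example.org
Apr  2 10:15:04 beta in.ftpd[3302]: connect from probe.example.org
Apr  2 10:15:05 gamma in.telnetd[912]: connect from probe.example.org
Apr  2 10:15:06 gamma in.fingerd[913]: connect from probe.example.org
Apr  2 10:16:10 alpha in.telnetd[1210]: connect from desk7.example.org
Apr  2 10:17:44 beta in.ftpd[3310]: connect from mirror.example.org
Apr  2 10:18:00 delta in.rlogind[77]: connect from probe.example.org
this line is not a tcpd record and must be ignored
"""

# syslog timestamp, logging host, daemon[pid], then tcpd's own message
TCPD_RE = re.compile(
    r'^(?P<stamp>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) (?P<daemon>[^\s\[]+)\[\d+\]: '
    r'(?P<refused>refused )?connect from (?P<source>\S+)$'
)


def parse_tcpd_line(line):
    """Return a dict for a tcpd 'connect from' record, or None for anything else."""
    m = TCPD_RE.match(line)
    if not m:
        return None
    return {
        "host": m.group("host"),
        "daemon": m.group("daemon"),
        "source": m.group("source"),
        "refused": m.group("refused") is not None,
    }


def correlate(lines):
    """Group records by remote source: which local hosts and services it touched."""
    stats = defaultdict(lambda: {"hosts": set(), "services": set(), "events": 0})
    for line in lines:
        rec = parse_tcpd_line(line)
        if rec is None:
            continue
        entry = stats[rec["source"]]
        entry["hosts"].add(rec["host"])
        entry["services"].add(rec["daemon"])
        entry["events"] += 1
    return dict(stats)


def suspicious_sources(lines, min_hosts=3):
    """Sources that contacted at least `min_hosts` distinct local machines.

    The threshold is illustrative. The FAQ's tipoff is one remote site showing
    up in the logs of many machines in the same area; a single machine seeing
    many connections from one site is far less conclusive on its own.
    """
    stats = correlate(lines)
    return sorted(src for src, e in stats.items() if len(e["hosts"]) >= min_hosts)


def report(lines, min_hosts=3):
    """Human-readable summary of the flagged sources."""
    stats = correlate(lines)
    out = []
    for src in suspicious_sources(lines, min_hosts):
        e = stats[src]
        out.append("%s: %d connections to %d hosts (%s), services: %s" % (
            src, e["events"], len(e["hosts"]),
            ", ".join(sorted(e["hosts"])), ", ".join(sorted(e["services"]))))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG.splitlines()) or "nothing flagged")
```

Refused connections count as well as accepted ones, since a scan that is being blocked by hosts.deny is still a scan worth knowing about. In practice you would feed this the concatenated syslog files from every machine in the area and add a time window, so that a site that legitimately talks to many of your hosts over a month is not confused with one that touched all of them in a minute.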

{When is the port of/can you help me port/do you have any information on porting} SATAN to MacOS/DOS/VMS/MVS/Whatever?

SATAN, at least on the server side, is heavily linked to Un*x and perl5. While it might be possible to port SATAN to one of these other OS's (if you can call them that! ;-)), it would be fairly difficult and not something that either one of us wants to touch with a ten foot (or ~ 3 meter) pole.

I see a lot of odd files that are appearing on my system after running SATAN, such as /tmp/sh11318, tmp_file.1288, etc. What's the deal?

SATAN uses perl extensively in its tests; the .satan probes use such commands as:

    # FOO is a pipe to the program's standard input. The "<<_EOF ... _EOF"
    # here-document is processed by the shell that runs the command line, and
    # the shell stages it in a scratch file under /tmp before the program reads it.
    open(FOO, "|program <<_EOF
    some input
    more input
    _EOF");
This will leave a temporary file behind when SATAN determines that a probe has run out of time and kills it off. Almost all temporary files that SATAN creates at various points are deleted automatically, but since the << files are created internally by the shell, SATAN has no way of knowing which files remain or how to delete them. Simply delete them, or create a cron job to sweep the /tmp directory for you automatically.
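A sweep of the kind the answer above suggests is worth doing a little carefully, since /tmp is writable by everyone: only files whose names match the known leftover patterns should go, only once they are old enough that no running probe can still need them, and symlinks must never be followed. The following is an added example and not part of SATAN or the original FAQ; the name patterns (`sh` plus digits, `tmp_file.` plus digits) are taken from the file names quoted in the question, and the one-hour age limit, the function names and the demo directory are assumptions made for the example.

```python
import os
import re
import shutil
import stat
import tempfile
import time

# Name patterns of the leftovers the FAQ describes: the shell's here-document
# scratch files (/tmp/shNNNNN) and SATAN's own tmp_file.NNNN files.
STALE_NAME_PATTERNS = (re.compile(r'^sh\d+$'), re.compile(r'^tmp_file\.\d+$'))


def find_stale_tempfiles(directory, max_age_seconds, now=None):
    """Names of regular files in `directory` that match a leftover pattern and
    are older than max_age_seconds. lstat is used and only regular files are
    reported, so a symlink planted in /tmp cannot point the sweep elsewhere."""
    now = time.time() if now is None else now
    stale = []
    for name in os.listdir(directory):
        if not any(p.match(name) for p in STALE_NAME_PATTERNS):
            continue
        st = os.lstat(os.path.join(directory, name))
        if not stat.S_ISREG(st.st_mode):
            continue
        if now - st.st_mtime > max_age_seconds:
            stale.append(name)
    return sorted(stale)


def sweep(directory, max_age_seconds, dry_run=True):
    """Delete (or, with dry_run, only list) stale files; returns the names handled."""
    handled = []
    for name in find_stale_tempfiles(directory, max_age_seconds):
        if not dry_run:
            os.unlink(os.path.join(directory, name))
        handled.append(name)
    return handled


def run_demo():
    """Build a throwaway directory with constructed files and sweep it.
    Returns (stale before, removed, stale after, names left behind)."""
    workdir = tempfile.mkdtemp(prefix="heredoc-sweep-demo-")
    three_hours_ago = time.time() - 3 * 3600

    def touch(name, mtime=None):
        path = os.path.join(workdir, name)
        with open(path, "w"):
            pass
        if mtime is not None:
            os.utime(path, (mtime, mtime))

    touch("sh11318", three_hours_ago)        # stale here-document leftover: remove
    touch("tmp_file.1288", three_hours_ago)  # stale SATAN scratch file: remove
    touch("sh99999")                         # same pattern but fresh: keep
    touch("notes.txt", three_hours_ago)      # old, but not a scratch file: keep
    # a symlink with a leftover-looking name: not a regular file, so keep
    os.symlink("/etc/hostname", os.path.join(workdir, "sh77777"))
    try:
        before = find_stale_tempfiles(workdir, 3600)
        removed = sweep(workdir, 3600, dry_run=False)
        after = find_stale_tempfiles(workdir, 3600)
        left = sorted(os.listdir(workdir))
    finally:
        shutil.rmtree(workdir)
    return before, removed, after, left


if __name__ == "__main__":
    print(run_demo())
```

For real use, call `sweep("/tmp", 3600, dry_run=False)` from a cron job; leave `dry_run` at its default the first few times and look at what it would have removed, because `sh` followed by digits is a pattern other programs' scratch files can match too.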

Why doesn't SATAN check for [insert your favorite bug here]?

There are several reasons why SATAN does not probe for all known bugs:

