> > Anyone got hold of SATAN yet?
>
> Yes, beta testers. No, others not yet. Yes, I *am* holding my breath
> waiting :-)

I'm getting a demo from a beta tester tomorrow... Dan Farmer's former major professor, no less. Any particular questions you want me to ask?

> > Anyone know what to expect if your site is being probed
> > by SATAN?

I was told that your logs will contain much evidence of the presence of a SATAN scan. It's not a secret when it arrives... since this comes from a white hat (as opposed to a black hat) there was no intent to be secretive about the scan - since it's supposed to be a sysadmin tool. It also might discourage the black hats from playing with it...since it is an obtrusive tool.

> > Apart from the expected port scanning, sendmail, telnet,
> > tftp, finger, rpc setup, r-commands, yp, nfs and dns being
> > rattled is there anything else that one should look
> > out for?

It checks binary versions also...to see if you've corrected sendmail, NFS, login, et al and most of the CERT advisories to see if you've taken corrective measures.

> This is a very interesting idea. Having SATAN (and ISS and Tiger et al)
> having some kind of signature built in. Thus enabling a sysadm knowing
> what tools are used to attack.

As I said before, this is a sysadmin tool, so the sysadmin should know if it was used by someone else. Sysadmins should at least be even with hackers, if not one step ahead! Why shouldn't a sysadmin run crack on his/her passwd file? Better that he finds the problems than some unknown person, right? Prevention is even one level better than detection....

----------------------------------------------------------------------
Internet: mshines@ia.purdue.edu    | Michael S. Hines
Bitnet: michaelh@purccvm           | Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES        | Purdue University
GTE Net Voice: (317) 494-5845      | 1065 Freehafer Hall
GTE Net FAX: (317) 496-1814        | West Lafayette, IN 47907-1065