Re: SATAN's Footprint?

MICHAEL S. HINES (MSHINES@freh-02.adpc.purdue.edu)
Tue, 28 Mar 1995 07:49:37 EST

> > Anyone got hold of SATAN yet?
> 
> Yes, beta testers. No, others not yet. Yes, I *am* holding my breath 
> waiting :-)

I'm getting a demo from a beta tester tomorrow... Dan Farmer's former 
major professor, no less.  

Any particular questions you want me to ask?

> > Anyone know what to expect if your site is being probed
> > by SATAN?

I was told that your logs will contain much evidence of the presence 
of a SATAN scan.   It's not a secret when it arrives...   since this 
comes from a white hat (as opposed to a black hat) there was no intent 
to be secretive about the scan - since it's supposed to be a sysadmin 
tool.    It also might discourage the black hats from playing with 
it...since it is an obtrusive tool.   

> > Apart from the expected port scanning, sendmail, telnet,
> > tftp, finger, rpc setup, r-commands, yp, nfs and dns being
> > rattled is there anything else that one should look
> > out for?

It checks binary versions also...to see if you've corrected sendmail,
NFS, login, et al and most of the CERT advisories to see if you've
taken corrective measures.   

> This is a very interesting idea. Having SATAN (and ISS and Tiger et al) 
> having some kind of signature built in. Thus enabling a sysadmin to know 
> what tools are used to attack.

As I said before, this is a sysadmin tool, so the sysadmin should 
know if it was used by someone else.  Sysadmins should at least be 
even with hackers, if not one step ahead!   Why shouldn't a sysadmin 
run crack on his/her passwd file?  Better that he finds the problems 
than some unknown person, right?  

Prevention is even one level better than detection....  

----------------------------------------------------------------------
Internet:  mshines@ia.purdue.edu      |  Michael S. Hines
Bitnet:    michaelh@purccvm           |  Sr. Information Systems Auditor
Purdue WIZARD Mail: MSHINES           |  Purdue University
GTE Net Voice: (317) 494-5845         |  1065 Freehafer Hall
GTE Net FAX:   (317) 496-1814         |  West Lafayette, IN 47907-1065
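The post above says a SATAN scan leaves "much evidence" in the logs because it rattles many services on a host in quick succession. The following is an added example, not part of the original message or of SATAN itself, showing the kind of check a sysadmin could run over tcp_wrappers (tcpd) "connect from" syslog lines to surface that pattern: one source touching many distinct daemons within a short window. The log lines, hostnames, addresses and the thresholds (4 services, 60 seconds) are all constructed assumptions for the demonstration.

```python
"""Flag sources that touch many distinct network services in a short window.

Added example (not from the original post). Input is constructed tcpd-style
syslog text; the thresholds are assumptions, not anything SATAN publishes.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in the classic tcpd "connect from" format.
# 192.0.2.10 sweeps six daemons in a few seconds; the other sources do not.
SAMPLE_LOG = """\
Mar 28 07:49:01 gw in.telnetd[1201]: connect from 192.0.2.10
Mar 28 07:49:02 gw in.fingerd[1202]: connect from 192.0.2.10
Mar 28 07:49:02 gw in.tftpd[1203]: refused connect from 192.0.2.10
Mar 28 07:49:03 gw in.rshd[1204]: refused connect from 192.0.2.10
Mar 28 07:49:03 gw sendmail[1205]: connect from 192.0.2.10
Mar 28 07:49:04 gw in.rlogind[1206]: refused connect from 192.0.2.10
Mar 28 07:52:10 gw in.telnetd[1300]: connect from 198.51.100.7
Mar 28 08:15:00 gw in.telnetd[1400]: connect from 203.0.113.3
Mar 28 09:30:00 gw in.fingerd[1401]: connect from 203.0.113.3
"""

# syslog timestamp, host, daemon[pid]: [refused] connect from <source>
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ "
    r"(?P<service>[\w.-]+)\[\d+\]: (?:refused )?connect from (?P<src>\S+)$"
)


def parse_tcpd_lines(text, year=1995):
    """Return a list of (timestamp, service, source) for each tcpd line.

    Lines that do not match the tcpd format are skipped. syslog omits the
    year, so the caller supplies it (assumed 1995 to match the thread).
    Refused connections count as well: a scanner still probed the service.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["service"], m["src"]))
    return events


def find_service_sweeps(events, min_services=4, window_seconds=60):
    """Return {source: sorted distinct services} for every source that hit at
    least min_services different daemons within some window_seconds span.

    A sliding window is started at each event of a source so a sweep is
    found wherever it sits in the log, not only at the first event.
    """
    by_src = defaultdict(list)
    for ts, service, src in events:
        by_src[src].append((ts, service))

    sweeps = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, service in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(service)
            if len(seen) >= min_services:
                sweeps[src] = sorted(seen)
                break
    return sweeps


if __name__ == "__main__":
    for src, services in find_service_sweeps(parse_tcpd_lines(SAMPLE_LOG)).items():
        print(f"{src}: {len(services)} services in one window: {', '.join(services)}")
```

The refused connections are deliberately kept: a daemon that tcpd turned away still shows the probe, and on a host where most services are wrapped that is often the bulk of the evidence. The two legitimate-looking sources fall under the threshold because they touch one or two services spread over minutes, which is why a count of distinct daemons per window is a better signal than a raw connection count.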