SATAN Frequently Asked Questions (FAQ)

Last-modified: March 12th, 1995
Version: .7
This FAQ is edited by dan (zen@fish.com).

---

Table of Contents

---

• What is SATAN?
• Why is it called SATAN?
• Why in the hell (ahem) was it written?
• What does it run on?
• How do you get it?
• Is it freeware, Public Domain, Copyrighted...?
• Who did the cool artwork?
• What's the deal? Who cares? Why all the publicity?
• What's the difference between it and COPS?
• What's the difference between it and ISS and other remote scanners?
• What's a remote security auditing tool/probe/scanner?
• Why does it scan sites outside of your own domain?
• Why doesn't it warn remote hosts that it is probing them?
• Who paid for the development?
• Does any company, government, or organization endorse it?
• Why don't you release it just to the white hats (what about the system crackers)?
• What is a .satan file, and how can I write my own?
• How can I write my own rules to teach SATAN about my site?
• How can I teach SATAN to ignore what it thinks is a vulnerability?
• How can I contact the authors?
• Acknowledgements.

---

How can I contact the authors?

Send mail to satan@fish.com (or click on the e-mail address); this will be sent to both of the authors. Failing this, you can send mail directly to dan:

zen@fish.com
or Wietse:
wietse@wzv.win.tue.nl

---

What's the deal? Who cares? Why all the publicity?

---

Why doesn't it warn remote hosts that it is probing them?

---

What's the difference between it and COPS?

COPS is a host-based Un*x security auditing tool; that means you run it on the host you wish to examine the security of. SATAN is a remote network security auditing tool, which means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

---

What's the difference between it and ISS and other remote scanners?

ISS, and any other remote auditing tool that we're aware of, scans a network or remote host and then reports on any problems that it may find. While SATAN does that as well, the inferencing, the web of trust that it uncovers, the automatic probing of secondary targets, the rich reporting schema with context sensitive hypertext links to the documentation, the rich configurability, etc. all make SATAN different to what is currently available.

---

What's a remote security auditing tool/probe/scanner?

This means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

---

Back to the Documentation TOC