The SATAN configuration file:


  1. Attack Level
  2. The What's and Where's of the Current Probe
  3. Timeout Signals
  4. Targeting Exceptions

The SATAN configuration file ("satan.cf") is VERY important! Almost everything SATAN does when scanning hosts and networks is controlled through this file; how hard to probe the targets, how far the probes will spread from the original host, what tests will be run, etc. While a limited number of configuration options can be controlled via the HTML user interface, the very low-level variables must be configured by manually editing this file.

This file is nothing more than perl code that gets run when the program initializes; don't be intimidated by that, however - it is fairly easy to read and is heavily commented (if you don't know perl, comments (lines that don't do anything) are lines that start with a sharp/pound sign ("#")). Variables are tokens that start with a dollar sign; values of 0 or null ("") typically mean false, unless otherwise noted.

The easiest way to explain all of the options is by simply going over each line in the file and explain what it does:

Attack Level

# Default attack level (0=light, 1=normal, 2=heavy, 3=all-out.)
$attack_level = 0;
This sets the attack level, which in turn tells SATAN which probes to use ( see below) against a target host.

Which Probes Correspond to the Attack Level

This section is a bit tricky; the 4 types of probes (light, normal, heavy, and all-out) each have a set of programs that they use when probing a remote system. As with any of the other variables in the program used, these can be changed as desired; the programs that are run assume that a ".satan" extension will be added to the program in question (e.g. "rpc" gets expanded to "rpc.satan" before SATAN attempts to run it.)

However, there is one twist; not all probes are run, even though they might be listed under an attack level. If a SATAN probe has a question mark ("?") appended to the variable name, it will run conditionally. What does this mean? Take, for instance, the NFS SATAN checker. There is no reason to run it if the remote system isn't running NFS (indeed, you shouldn't run it, because the program will waste time timing out on the remote host), so SATAN will only run this if it determines that NFS is being run.

So, examining the first few lines in this section reveals:

# Probes by attack level.
#
# ? Means conditional, controlled by rules.todo.
# *? Matches anything controlled by rules.todo, including intrusive probes.
$light = "dns rpc showmount?";

This means that a light scan will run the "dns.satan" and the "rpc.satan" scans, and the "showmount.satan" if it determines that the target is running NFS. The last comment line means that if there is a "*?", the attack level will tell SATAN to run any command that is conditional.

A bit further down shows:

$normal = "$light rusers? nfs-chk? boot? finger portscan-normal";
$normal_tcp_scan = "70 80 ftp telnet smtp nntp uucp";
$normal_udp_scan = "53 177";

$heavy = "$normal portscan-heavy *?";
$heavy_tcp_scan = "1-2050 6000-6100 7002";
$heavy_udp_scan = "1-2050 32767-33500";
Nothing unusual here, except for the tcp and udp scan numbers; these refer to the port numbers that SATAN examines for signs of activity.

Status File

SATAN keeps track of what the latest attack is in a file. This filename is stored in "$status_file" and is updated before each new probe runs:
# status file; keeps track of what probe is currently running and at what time it started
$status_file = "status_file";

Timeouts

Certain network probes will "hang", or continue to try to contact the remote host for a very long time. To prevent this from slowing down the overall scan, there are three timeout values (in seconds) that SATAN recognizes:
#
# timeout values
#
$slow_timeout = 60;
$med_timeout = 20;
$fast_timeout = 10;
All SATAN probes are launched with the same timeout value, which can be set from the command line or from the HTML interface. SATAN defaults to a medium timeout value.

Timeout Signals

When a timeout occurs, a signal is sent to the process running to stop it. This defaults to "9", which basically means that the process is toast:
# what signal we send to nuke things when they timeout:
$timeout_kill = 9;

Proximity Variables

This is probably the most critical variable in the entire SATAN program. Under NO circumstances do you want to set this to anything over "3" unless you know EXACTLY what you're doing! Anything over "0" can affect sites other than your own.

Proximity refers to how close the current target is from the original target of the SATAN probe. For instance, if you probe "victim.com" and find that "nic.ddn.mil" is its nameserver, then "nic.ddn.mil"'s proximity level would be "1", and SATAN might probe that host next, depending on the rules you choose.

The number of hosts SATAN scans can grow exponentially, so again, be careful!

#
# Proximity variables; how far out do we attack, does severity go down, etc.
#
# how far out from the original target do we attack?
$max_proximity_level = 0;
SATAN defaults to 0, which means that it will only scan the primary targets selected.

As SATAN gets farther away from the primary target, the attacks will get weaker - this presumes that you can attack your own sites as much as desired, but since you might not know where SATAN will end up, you'd like to be cautious the farther away the probes are going from your own host.

# Attack level drops by this much each proximity level change
$proximity_descent = 1;
This value is subtracted from the current attack level - a value of zero means that attacks do not diminish in strength.

If the attack level goes below zero, do you stop or go on? The "$sub_zero_proximity" variable determines this:

# when we go below zero attack severity, do we stop (0) or go on (1)?
$sub_zero_proximity = 0;
SATAN will, by default, examine only one target at a time. If the "$attack_proximate_subnets" variable is set to "1", then ALL targets on the secondary target's subnet will be scanned. Be VERY careful when changing this!a
# a question; do we attack subnets when we nuke a target?
# 0 = no; 1 = primary target subnet
$attack_proximate_subnets = 0;

Targeting Exceptions

Since SATAN can (and will, in all likelihood) probe sites that might not be what you expect, and sometimes will probe sites that you don't want it to. Exceptions are a way to prevent SATAN from going where you don't want it probe. There are two ways of setting this up, and as per usual, each is controlled by a variable name. The "$only_attack_these" variable is a perl regular expression (RE; RE's are a sort of pattern matching language) that tells SATAN to only attack hosts that match that RE. For example, if you wanted SATAN to only attack educational sites, you could say:
$only_attack_these = "\.edu$";
Similarly, there is a variable, "$dont_attack_these" that tells SATAN not to attack a RE. Looking at the last part of the configuration file gives further examples of this:
#
# Any exceptions on who we want to hit?  E.g., stay away from the mil sites?
# Also, you can specify *only* hit sites of a certain type; e.g. .edu
#

#
# If this is non-null, ignore the other var, and *only* hit sites if
# they are of this type.  This is a regex, so don't blame me if the ".edu"
# you put in here doesn't work as expected... remember backslashes and
# meta chars.  In general, the only two things you'll use are dots/periods,
# which you must backslash, and either a carat ("^") to indicate the beginning
# of an IP address or a dollar sign ("$") to indicate the tail end of a
# host/domain type.
#
# Examples:
#
# $only_attack_these = "\\.edu$";
# $only_attack_these = "^192\\.9\\.9\\.";
#
#
$only_attack_these = "";
Note that by default, both strings are set to null (""), which means that SATAN will probe any site that it deems proper. And finally, the last bit of configuration file that shows more examples for the "$dont_attack_these" variable:
#
# don't attack anyone with this regexp.  Be *careful*!  Rexexps can
# be weird!
#
#  Example - don't attack military sites:
#
# $dont_attack_these = "\\.mil$";
$dont_attack_these = "";

Of course, reading the perl code in the various modules can give more hints on all of these configuration file options.
Next Section (SATAN rulesets)

Back to the TOC/Index