This file is nothing more than perl code that gets run when the program initializes; don't be intimidated by that, however - it is fairly easy to read and is heavily commented (if you don't know perl, comments (lines that don't do anything) are lines that start with a sharp/pound sign ("#")). Variables are tokens that start with a dollar sign; values of 0 or null ("") typically mean false, unless otherwise noted.
The easiest way to explain all of the options is by simply going over each line in the file and explain what it does:
# Default attack level (0=light, 1=normal, 2=heavy, 3=all-out.) $attack_level = 0;This sets the attack level, which in turn tells SATAN which probes to use ( see below) against a target host.
Which Probes Correspond to the Attack Level
This section is a bit tricky; the 4 types of probes (light, normal,
heavy, and all-out) each have a set of programs that they use when
probing a remote system. As with any of the other variables in the
program used, these can be changed as desired; the programs that are
run assume that a ".satan" extension will be added to the program in
question (e.g. "rpc" gets expanded to "rpc.satan" before SATAN attempts
to run it.)
However, there is one twist; not all probes are run, even though they might be listed under an attack level. If a SATAN probe has a question mark ("?") appended to the variable name, it will run conditionally. What does this mean? Take, for instance, the NFS SATAN checker. There is no reason to run it if the remote system isn't running NFS (indeed, you shouldn't run it, because the program will waste time timing out on the remote host), so SATAN will only run this if it determines that NFS is being run.
So, examining the first few lines in this section reveals:
# Probes by attack level. # # ? Means conditional, controlled by rules.todo. # *? Matches anything controlled by rules.todo, including intrusive probes. $light = "dns rpc showmount?";
This means that a light scan will run the "dns.satan" and the "rpc.satan" scans, and the "showmount.satan" if it determines that the target is running NFS. The last comment line means that if there is a "*?", the attack level will tell SATAN to run any command that is conditional.
A bit further down shows:
$normal = "$light rusers? nfs-chk? boot? finger portscan-normal"; $normal_tcp_scan = "70 80 ftp telnet smtp nntp uucp"; $normal_udp_scan = "53 177"; $heavy = "$normal portscan-heavy *?"; $heavy_tcp_scan = "1-2050 6000-6100 7002"; $heavy_udp_scan = "1-2050 32767-33500";Nothing unusual here, except for the tcp and udp scan numbers; these refer to the port numbers that SATAN examines for signs of activity.
# status file; keeps track of what probe is currently running and at what time it started $status_file = "status_file";
# # timeout values # $slow_timeout = 60; $med_timeout = 20; $fast_timeout = 10;All SATAN probes are launched with the same timeout value, which can be set from the command line or from the HTML interface. SATAN defaults to a medium timeout value.
When a timeout occurs, a signal is sent to the process running to stop
it. This defaults to "9", which basically means that the process is toast:
# what signal we send to nuke things when they timeout: $timeout_kill = 9;
Proximity refers to how close the current target is from the original target of the SATAN probe. For instance, if you probe "victim.com" and find that "nic.ddn.mil" is its nameserver, then "nic.ddn.mil"'s proximity level would be "1", and SATAN might probe that host next, depending on the rules you choose.
The number of hosts SATAN scans can grow exponentially, so again, be careful!
# # Proximity variables; how far out do we attack, does severity go down, etc. # # how far out from the original target do we attack? $max_proximity_level = 0;SATAN defaults to 0, which means that it will only scan the primary targets selected.
As SATAN gets farther away from the primary target, the attacks will get weaker - this presumes that you can attack your own sites as much as desired, but since you might not know where SATAN will end up, you'd like to be cautious the farther away the probes are going from your own host.
# Attack level drops by this much each proximity level change $proximity_descent = 1;This value is subtracted from the current attack level - a value of zero means that attacks do not diminish in strength.
If the attack level goes below zero, do you stop or go on? The "$sub_zero_proximity" variable determines this:
# when we go below zero attack severity, do we stop (0) or go on (1)? $sub_zero_proximity = 0;SATAN will, by default, examine only one target at a time. If the "$attack_proximate_subnets" variable is set to "1", then ALL targets on the secondary target's subnet will be scanned. Be VERY careful when changing this!a
# a question; do we attack subnets when we nuke a target? # 0 = no; 1 = primary target subnet $attack_proximate_subnets = 0;
$only_attack_these = "\.edu$";Similarly, there is a variable, "$dont_attack_these" that tells SATAN not to attack a RE. Looking at the last part of the configuration file gives further examples of this:
# # Any exceptions on who we want to hit? E.g., stay away from the mil sites? # Also, you can specify *only* hit sites of a certain type; e.g. .edu # # # If this is non-null, ignore the other var, and *only* hit sites if # they are of this type. This is a regex, so don't blame me if the ".edu" # you put in here doesn't work as expected... remember backslashes and # meta chars. In general, the only two things you'll use are dots/periods, # which you must backslash, and either a carat ("^") to indicate the beginning # of an IP address or a dollar sign ("$") to indicate the tail end of a # host/domain type. # # Examples: # # $only_attack_these = "\\.edu$"; # $only_attack_these = "^192\\.9\\.9\\."; # # $only_attack_these = "";Note that by default, both strings are set to null (""), which means that SATAN will probe any site that it deems proper. And finally, the last bit of configuration file that shows more examples for the "$dont_attack_these" variable:
# # don't attack anyone with this regexp. Be *careful*! Rexexps can # be weird! # # Example - don't attack military sites: # # $dont_attack_these = "\\.mil$"; $dont_attack_these = "";
Back to the TOC/Index