SATAN Configuration Management

Scanning levels and timeouts

Satan data directory

What probe level should I use?

Light

Normal

Heavy

What timeout values should I use?

Slow

Medium

Fast

What signal should I send to kill a tool process when it times out?

Kill signal

How far out from the original target should I probe? (Under no circumstances should this be higher than "2" unless you're POSITIVE you know what you're doing!)

Maximal proximity

As I move out to less proximate hosts, how much should I drop the probe level?

Proximity descent

When I go below 0 probe level, should I:

Stop

Go on

Should I do subnet expansion; that is, should I probe just the target or its entire subnet?

Just the target

The entire subnet

Does porcupine.org appear in rhosts, hosts.equiv or NFS exports files of hosts being probed?

You are running SATAN from a possibly trusted host

You are running SATAN from an untrusted host

Patterns specifying hosts to limit the probe to

	podunk.edu

If you only want to probe sites on a particular subnet, you could use, for example:

	192.9.9

You can specify multiple shell-like patterns, separated by whitespace or commas, and you may mix networks and domains. A host will be scanned when it matches any pattern: either a network number prefix or an internet domain suffix.

Patterns specifying hosts to NOT probe

	mil, gov

You can specify multiple shell-like patterns, separated by whitespace or commas, and you may mix networks and domains. A host will be skipped when it matches any pattern: either a network number prefix or an internet domain suffix.

Workarounds for broken DNS, ICMP etc.

Use nslookup to look up fully-qualified (host.domain) host names

Don't use nslookup: DNS is unavailable.

Ping hosts to see if they are alive (skip non-responding hosts).

Don't ping hosts: ICMP does not work.