One of the best parts of SATAN is that it is so easy to modify, configure,
and add your own probes and vulnerability checks to the system.
All of the probes are files that end in .satan and are kept
in the bin subdirectory; the rules to add new vulnerability
checks are in the rules subdirectory (see the section on
satan rules for more information on
the rulesets.) SATAN tests for vulnerabilities are roughly done as follows:
If you want to add another .satan test - perhaps checking for
the latest sendmail bug or something - there are a few things
that must be done, depending on your test:
- Initial data collection, via .satan files. Save this info into
the database (ASCII text files). This will be either informational or
- When the user fires up the HTML browser, SATAN examines the database
for explicit vulnerabilities, then checks the rulesets to see if it can
infer other vulnerabilities (such as finding an old sendmail version or
If you want to modify the rulesets, see the
satan rules section to see how to
create a rule that will check for a vulnerability.
- Create an executable that checks for the problem you'd like to scan
for. It generally will take one argument - a hostname that is the
target of the probe.
- Have the probe output a valid SATAN output record - see the
SATAN database format document for more on
- If it is a C program or something that must be processed or
compiled before being run, either modify an existing SATAN makefile to
do so, or create your own.
- Decide what severity level it will be run at; either light,
normal, or heavy, and modify the appropriate variable
in the satan.cf file.
Finally, you'll want to create an information file (we call them tutorials.)
This explains the vulnerability, tells how to fix or otherwise deal with
the problem, points to applicable CERT or vendor advisories, etc. There
are examples of these in the html/tutorials/vulnerabilities
Important! Look at the canonical output of the tool (see the
satan database for more details on
this) - for instance, for REXD, it's "REXD access".
The filename will be identical to the canonical output, with underbars
("_") instead of spaces, with an ".html" suffix. E.g.,
for REXD, the filename is REXD_access.html.
That's it! Place the executable (or have make do so after
processing the source file) in the bin SATAN subdirectory with
the rest of the .satan files. It will be run against any target
that has an attack level that corresponds to your probe.
If you're feeling really womanly or manly, and want to give your news
tests or changes to the world, the best thing to do is to generate a
patch using the diff command that can be run against the latest released
version of SATAN. Feel free to send it to:
Back to the Reference TOC/Index