One of the best parts of SATAN is that it is so easy to modify, configure, and add your own probes and vulnerability checks to the system. All of the probes are files that end in .satan and are kept in the bin subdirectory; the rules to add new vulnerability checks are in the rules subdirectory (see the section on satan rules for more information on the rulesets.) SATAN tests for vulnerabilities are roughly done as follows: If you want to add another .satan test - perhaps checking for the latest sendmail bug or something - there are a few things that must be done, depending on your test:
  1. Create an executable that checks for the problem you'd like to scan for. It generally will take one argument - a hostname that is the target of the probe.
  2. Have the probe output a valid SATAN output record - see the SATAN database format document for more on this.
  3. If it is a C program or something that must be processed or compiled before being run, either modify an existing SATAN makefile to do so, or create your own.
  4. Decide what severity level it will be run at; either light, normal, or heavy, and modify the appropriate variable in the satan.cf file.
If you want to modify the rulesets, see the satan rules section to see how to create a rule that will check for a vulnerability.

Finally, you'll want to create an information file (we call them tutorials.) This explains the vulnerability, tells how to fix or otherwise deal with the problem, points to applicable CERT or vendor advisories, etc. There are examples of these in the html/tutorials/vulnerabilities subdirectory.

Important! Look at the canonical output of the tool (see the satan database for more details on this) - for instance, for REXD, it's "REXD access".

The filename will be identical to the canonical output, with underbars ("_") instead of spaces, with an ".html" suffix. E.g., for REXD, the filename is REXD_access.html.

That's it! Place the executable (or have make do so after processing the source file) in the bin SATAN subdirectory with the rest of the .satan files. It will be run against any target that has an attack level that corresponds to your probe.

If you're feeling really womanly or manly, and want to give your news tests or changes to the world, the best thing to do is to generate a patch using the diff command that can be run against the latest released version of SATAN. Feel free to send it to:


Back to the Reference TOC/Index