SATAN is an automated network vulnerability scanner (Satan)

About this signature or vulnerability

RealSecure Network, RealSecure Server Sensor:

This signature detects if a SATAN normal or heavy scan of a computer is taking place.

This signature was replaced by Satan_FTP and Satan_UDP.


False positives

RealSecure Network, RealSecure Server Sensor: Though unlikely, a UDP scan of a host might trigger this signature. At this time, there are no known applications that would do this.

Default risk level

Low risk vulnerability  Low

Sensors that have this signature

RealSecure Network: 1.0, RealSecure Server Sensor: 5.5.2

Systems affected

Various vendors Any application

Type

Pre-attack Probe

Vulnerability description

SATAN is a publicly available tool that probes a network for security vulnerabilities and misconfigurations. It is sometimes used by administrators and often used by attackers to search for vulnerabilities on a network. Information provided by SATAN could be useful to an attacker in performing an attack.

The shareware version of SATAN was widely distributed on the Internet and is still used within the Internet community at large.

How to remove this vulnerability

Examine the source of the scan. A scan that originates from inside your organization is not as suspicious as a scan that originates from outside your organization. If the scan originates from the outside, identify the scanning entity and determine the intent of the scan.

References

SATAN Release Information
What SATAN is
http://www.fish.com/satan/summary.html

Wietse's tools and papers
SATAN (satan-1.1.1.tar.Z)
ftp://ftp.porcupine.org/pub/security/index.html

CERT Advisory CA-1995-07a
SATAN Vulnerability: Password Disclosure
http://www.cert.org/advisories/CA-1995-07.html

CERT-NL Security Bulletin S-95-10
SATAN / SANTA
http://cert.surfnet.nl/s/1995/S-95-10.asc

CERT-NL Security Bulletin S-95-10.HP
SATAN/SANTA specifics for HP systems
http://cert.surfnet.nl/s/1995/S-95-10.HP.asc

CERT-NL Security Bulletin S-95-10.SUN
SATAN/SANTA specifics for SUN systems[2]
http://cert.surfnet.nl/s/1995/S-95-10.SUN.asc

CERT-NL Security Bulletin S-95-10.SGI
SATAN/SANTA specifics for SGI systems
http://cert.surfnet.nl/s/1995/S-95-10.SGI.asc

CERT-NL Security Bulletin S-95-10.AIX
SATAN/SANTA specifics for IBM AIX
http://cert.surfnet.nl/s/1995/S-95-10.AIX.asc

CERT-NL Security Bulletin S-95-10.DEC
SATAN/SANTA specifics for Digital products
http://cert.surfnet.nl/s/1995/S-95-10.DEC.asc

SCO Security Bulletin 95:02a
SCO response to CERT Advisory CA-95:06
ftp://ftp.sco.com/SSE/security_bulletins/SB.95:02a

Hewlett-Packard Company Security Bulletin HPSBUX9504-026
Preparing Your HP-UX System for SATAN
http://us-support.external.hp.com

SGI Security Advisory 19950401-01-I
Release of SANTA/SATAN tool and SGI specifics
ftp://patches.sgi.com/support/free/security/advisories/19950401-01-I

CERT Advisory CA-1995-06
Security Administrator Tool for Analyzing Networks (SATAN)
http://www.cert.org/advisories/CA-1995-06.html

CIAC Network Monitoring Tools
Courtney
http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtney

CIAC Network Monitoring Tools
Gabriel
http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Courtneyhttp://ciac.llnl.gov/ciac/ToolsUnixNetMon.html#Gabriel

ISS X-Force
SATAN is an automated network vulnerability scanner
http://www.iss.net/security_center/static/426.php

CVE
CVE-1999-0151
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0151