Info About SATAN

The SATAN scanning tool was written by Dan Farmer and Wietse Venema. It is designed to scan a Unix host or set of Unix hosts on an IP network and report about well-known security vulnerabilities.

The release of this tool in 1995 engendered a great deal of discussion and debate about security tools. This was undoubtedly one motive of the authors. However, they appear to have taken care to only scan for known vulnerabilities, and to include pointers to information on how to fix the problems found. Overall, SATAN should be very helpful to legitimate system admins in securing their systems.

Security Note

There is a potential security problem if you use version 1.0 (version 1.1.1 is most current) of SATAN and also visit other WWW pages from the same invocation of the browser (as you might do while waiting for a scan to finish). Be sure to see the full description by Matthew Gray. This is probably the same vulnerability described in CERT's alert number 95:07 and CIAC's bulletin F-22.

SATAN Source

The COAST Security Archive has a copy of version 1.1.1 of the SATAN tool source available for public downloading. A PGP signature is available to allow you to verify the integrity of the version you download (Wietse's PGP public key is also available here). The README file for version 1.1.1 is also available.

You can browse a list of the distribution mirror sites if you want to find other distribution points.

Dan Farmer's SATAN WWW page might also be of interest.


We have the on-line documentation shipped with version 1.0 of SATAN available for browsing using WWW.

Information on SATAN

The CERT has issued a bulletin describing the operation of SATAN and how to combat the threats it poses. This is available in the archive as CA-95:06.satan.

Comprehensive information about SATAN is also available from the AUSCERT (Australian CERT).

The CIAC has also provided information on SATAN . This gives details on how SATAN runs, what it searches for, what vulnerabilties should be fixed, how to fix them and how to detect SATAN scans on your system. This document is also available in the COAST archive in text form. A subsequent warning was as bulletin F-20.

Some vendors and response teams have assembled platform-specific warnings and hints: for Sun Microsystems computers, Silicon Graphics computers, IBM AIX, and for HP computers. The CIAC has issued additional advisories specifically for AIX machines and SGI machines.

Morning Star Technologies has a special post on how their Morning Star Express products interact with SATAN.

Finally, the FIRST secretariat also provides information on SATAN, including links to previously mentioned sites.

Detecting SATAN Scans

SATAN performs scans which will leave "fingerprints" if your system is correctly instrumented. By having a variety of logging tools installed, you can detect a SATAN scan of your system by looking for these abnormal patterns of network activity.

The CIAC has provided a tool called Courtney. It uses the tcpdump package to analyse network traffic. This is then interpreted by a PERL script to look for characteristic SATAN packets. This must be run as root.

Robert Evans has written a tool called NATAS that does a simplistic check for SATAN scans. It listens on random ports for a sequence of connections.

Los Altos Technologies has also provided a free tool to detect SATAN, known as Gabriel.

The COAST group at Purdue have released a general-purpose detector for port scans that also recognizes SATAN.

Some SATAN Humor

The following showed up in Spaf's mailbox on April 6, 1995. It included a statement that the author is unknown. The mail was sent by Ric Forrester <>

Top 10 Ways You Can Tell SATAN Has Invaded Your Network

10. All keys except the '6' suddenly disabled
9. Your monitor starts spinning around in circles
8. File server starts emitting pea soup
7. Your router begins sending outgoing packets to
6. 10Base-T wire flies up and wraps around roving sysadmin
5. Your bastion host starts smoking
4. Anonymous FTP rips off its mask to reveal horns and a goatee
3. X terminals become XXX terminals
2. Standard UNIX prompt replaced by inverted cross

and the number one way you can tell SATAN is inside your network:

1. Your firewall turns into a ring of flame

We will post updates here if we get them.

* Return to COAST homepage.