Bugtraq mailing list archives

Re: SATAN ATTACKS EVERYWHERE


From: spp () vx com (Stephen Potter)
Date: Tue, 11 Apr 1995 00:49:18 -0400


This doesn't have anything directly to do with firewalls, so I've taken
them out of the distribution.  For that matter, it probably doesn't belong
on bugtraq either, maybe this discussion should be moved to news
(alt.security, or comp.security.misc)?

On Apr 10, 12:42am, Wolfgang Ley wrote:
cklaus () iss net sez:
Hey, are we still here?? Looks like we survived the numerous attacks
from hordes of hackers armed with SATAN with the only desire
to pillage and pilfer everyone's networks.  The Internet has survived
another mega hype negative story!

Amazing, isn't it.  IDNPF11! (Imminent death of the net predicted, film at
11:00.)  If you haven't figured it out yet, no tool that anyone can design
is going to bring down the net.  It just won't happen.

For some reason, I really can't see tons of hackers using SATAN for several
reasons:

Oh goody.  There's a tool out there that I can use to protect myself that
the crackers can't use to hurt me.  Isn't that a shame for all the little
crackers out there.

I have never seen a "real" Unix system with 16 meg total memory (phys.
memory and swap space). I'm not talking about your poor PC running
linux or something like that...

Actually, it happens in the real world fairly often:

xxx% dmesg | grep mem | head -1
mem = 16384 K (0x100000)

I've got at least a couple of machines here like that.  Mostly sparc1 and
sparc1+.  Old machines that don't have a huge use (all our development
takes place on Indys and a couple of Sparc 5s and 10s).

Granted, these machines do have more swap space (about 64m).

2. It requires installing other packages like perl.  Most hackers aren't
able to run anything unless it's a no brainer script.  "Gee the bad thing
is we've been hacked and someone used SATAN, the good thing is that we
got perl5 and a web browser installed."
with deep knowledge about computers) won't have problems installing
perl... Every normal sys-admin is able to install perl - it's one
of the easiest to install packages that are available.

Not to mention that any SA worth his salary has perl around anyway.  If you
don't, you're either extremely underworked (and unnecessary) or creating
more work for yourself so that you look/are overworked and ignorant of the
great help it can be.  Heck, I've got perl scripts around to do just about
everything.  Ok, so maybe I'm biased being a regular on comp.lang.perl and
the Perl FAQ maintainer, but I still think it's an indispensable tool.

Hmm. My very personal opinion is that you have not tried to be objective,
nor did you read the full documentation and understand the principles of
SATAN.

I don't know... based on the following information, I'm wondering about the
ethics of this person.  I find it in really poor taste to bash a competing
product just to try and make yours look better.  I know it's generally
considered ok on TV now (remember when you used to never mention your
competitor's name at all?), but I still don't like it.

On a side note,  I have released ISS 1.3 which is available on ftp.iss.net
/pub/iss/iss13.tar.gz which includes many more checks than what SATAN
has specified.  Also, it doesn't require installing any other
outside packages, is in C, and doesn't require large amounts of ram
nor disk space.

I hope this is a heck of a lot better than the last version I had (don't
remember what version, it was awhile back).  It didn't do anything useful
for me at all.  I was using cops (the PERL version ;-) and didn't see a use
for ISS.

1. Includes more checks?
   This is not a problem. The main goal of the current release of
   SATAN was to bring out the package right now so it can't be stopped,
   to get feedback for bug-fixes and (later) add more tests.

How easy is it to add new checks to ISS?  How easy is it to add them to
SATAN?  How easy is it to add them to COPS and RSCAN (another good security
program written in perl)?  I'll admit, I haven't had a chance to play with
SATAN yet, but from the stories I've heard maybe I'll just wait for the
next version.

2. Doesn't require installing other packages?
   Oh - nice. How will it work on my Solaris 2.x machine (out of the box)
   that has no C-compiler?

Of course the answer to this is how are you going to install perl without a
compiler?  But hey, don't answer me, I'm supposed to be on your side.  ;-)

Steve
--
Stephen P Potter                spp () vx com           Varimetrix Corporation
2350 Commerce Park Drive, Suite 4                           Palm Bay, FL 32905
(407) 676-3222                                            CAD/CAM/CAE/Software


