Re: SATAN footprint

[robert_david_graham () yahoo com (Robert Graham)]

Archive: http://msgs.securepoint.com/ids
FAQ: http://www.ticm.com/kb/faq/idsfaq.html
IDS: http://www-rnks.informatik.tu-cottbus.de/~sobirey/ids.html
UNSUBSCRIBE: email "unsubscribe ids" to majordomo () uow edu au
--- "Chapple, Michael J. 1LT" <mjchapp () tycho ncsc mil> wrote:
> Does anyone know of a good reference that describes the "footprint" or
> signature of a Satan probe at the TCP/IP level?

SATAN contains multiple "probes", which be enabled/disabled. Several of these
probes have distinctive signatures (i.e. patterns within ping packets).

When doing what you request, everybody simply downloads SATAN, puts a sniffer
on the wire, then runs a scan against somebody. I don't know of anybody that
has written it up. Thus, if you want all the details, you have to run SATAN
with a Sniffer itself.

I hope you do realize that SATAN is obsolete and useless. It was a cool concept
when introduced (and you can't beat the name), but it hasn't been maintained.
Virtually any other scanner is a superset of SATAN (e.g. Nessus). In other
words, if you are researching SATAN for anything other than historical
purposes, you are barking up the wrong tree.

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com