January 26, 2006

SARA, spawn of SATAN

Author: Paul Virijevich

If you are an old school Linux or Unix user, you probably remember the System Administrator's Tool for Scanning Networks (SATAN). In 1995, SATAN brought browser-based network auditing to the world. Despite its initial splash, SATAN fell by the wayside due to lack of updates. Thanks to the kind folks at the Advanced Research Corp., SATAN is back, in the form of the Security Auditor's Research Assistant (SARA), a kinder, gentler, easier to use, and more updated auditing tool.

Installing SARA is simple. As long as you've got Perl and a Web browser, you're good to go. In fact, SARA even runs on Windows 2000/XP via a customized coLinux installation. Let's play it safe, though, and stick with the *nix version. Just download, extract the tarball, and perform the customary ./configure; make; make install as root. Launch SARA as root with the command /usr/local/sara/sara. Those who fear the command line can relax; the rest is done through your Web browser.

SARA can take advantage of other open source software. If it detects nmap, you can choose to use it as the engine for port scanning instead of SARA's built-in engine. This allows SARA to utilize nmap's operating system detection feature in its reports. Start SARA with the -n option to enable nmap.

With SARA, you can audit individual hosts, networks, and everything in between using the browser-based interface. You can audit remote hosts by specifying their IP address or fully qualified domain name, but let's start by scanning the machine running SARA. To do this, select the Target Selection link from the main menu on the left side and enter localhost in the dialog box. Under Scanning Level Selection, choose normal.

SARA's speed depends on what scanning level you choose. Choices are light, normal, heavy, or custom. I found that heavy scanning took a few minutes per host on a switched 100Mbps LAN. This is about twice as long as it takes to scan the computer SARA is running on itself. Light scanning goes much faster, but does not perform as many checks.

If you are wondering just what checks SARA performs with its different scan levels, you are not alone. The SARA documentation does not provide any details on which scans are performed using the different levels. You can, however, find out by watching the browser window when the scan is running. The light scan appears to check only that the system is up. The normal scan checks for DNS, FTP, HTTP, SMTP, Telnet, NNTP, XDMCP, and UUCP. The heavy scan seems to check just about every UDP and TCP port available. I could not tell the difference between heavy and extreme scans. For now, just stick with SARA's suggested setting, normal.

Once SARA finishes a scan, if all you want is some general information on the host and its services, click on the "view primary target results" link at the bottom of the page. If you want more detailed information, including state-of-the-art bar graphs, click on the "continue with report and analysis" link.

From here, you can check out host and vulnerability information. Just click on any of the links for more information. This is also where you will find the SARA Report Writer, one of SARA's most useful features. The SARA Report Writer generates reports in HTML, XML, and CSV format. You will probably want to stick with HTML in order to see the results of your scan in the browser.

The first thing you will notice is a bar chart depicting the number of hosts found and severity of any vulnerabilities. The bars are color coded:

  • Green - Services found that were not exploitable
  • Grey - No services or vulnerabilities
  • Red - Services with potentially severe exploits (account compromise)
  • Yellow - Services with potentially serious exploits found (data compromise)
  • Brown - Possible security problems

The SARA Report Writer adds information from previous scans to its results every time you generate a report. This makes it easy to see the number and severity of vulnerabilities for any given number of hosts. The "Data Management" link from the main menu allows you to fine-tune what search results you will see in reports. It also allows you to generate reports with results from specific scans.

All of your scan results are saved. You can view results at any time by using the "Data Analysis" link on the menu. From here, you can review vulnerable services as defined by the Common Vulnerabilities and Exposures (CVE) project. The vulnerabilities will show up as links to more information on the specifics of the vulnerabilities.

It is important to point out that SARA does not actually check your system for specific vulnerabilities. Instead, it looks for vulnerable services from its CVE database. If it finds a service with a CVE entry, you'll get the corresponding CVE alert. Just because an alert comes up does not mean your system is vulnerable. If SARA finds services with reported vulnerabilities, use this as an opportunity to make sure those services are up to date and secure.
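As an added illustration (not SARA's own code), the following constructed Python example contrasts the service-level CVE alert described above with a version-aware triage of the same scan result; the hosts, versions and CVE identifiers are placeholders, and the version ranges are assumed for the sake of the example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    host: str
    port: int
    name: str
    version: tuple  # e.g. (2, 0, 52); () when the banner gave no version

@dataclass(frozen=True)
class CveEntry:
    cve_id: str      # placeholder, not a real CVE number
    service: str
    fixed_in: tuple  # versions >= fixed_in are unaffected; () = every version affected

# Constructed CVE table; the identifiers are placeholders, not real CVE numbers.
CVE_TABLE = [
    CveEntry("CVE-XXXX-0001", "ftp", (2, 3, 4)),
    CveEntry("CVE-XXXX-0002", "http", (2, 0, 50)),
    CveEntry("CVE-XXXX-0003", "telnet", ()),
]

def service_alerts(services, table=CVE_TABLE):
    """Service-name matching only, as the article describes SARA doing:
    every host running the service gets the alert regardless of version."""
    return [(s.host, s.port, e.cve_id)
            for s in services for e in table if s.name == e.service]

def triage(services, table=CVE_TABLE):
    """Re-rate each alert as 'likely', 'patched' or 'verify' using the version."""
    out = []
    for s in services:
        for e in table:
            if s.name != e.service:
                continue
            if not e.fixed_in:
                status = "likely"   # no fixed version exists: any version affected
            elif not s.version:
                status = "verify"   # banner gave no version: check the host by hand
            elif s.version < e.fixed_in:
                status = "likely"
            else:
                status = "patched"
            out.append((s.host, s.port, e.cve_id, status))
    return out

# Constructed scan result standing in for a SARA 'normal' scan of two hosts.
SCAN = [
    Service("10.0.0.5", 21, "ftp", (2, 3, 4)),    # already at the fixed version
    Service("10.0.0.5", 80, "http", (2, 0, 49)),  # older than the fix
    Service("10.0.0.7", 23, "telnet", ()),        # no version in banner
    Service("10.0.0.7", 80, "http", ()),          # no version in banner
]
```

Running `service_alerts(SCAN)` raises four alerts, exactly as a service-only match would; `triage(SCAN)` shows that only two of them are likely real, one host is already patched, and one needs a manual check.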

So where does SARA fit in? SARA is a good tool for letting you know what is on your network (that's where the auditing part of its title comes in), but it is not a full-scale vulnerability scanner like Nessus. Although it provides you with CVE advisories for the services it finds, it is not meant to provide up-to-the-minute information on security flaws. In fact, SARA does not receive daily, or even weekly, updates. Advanced Research Corp. has a goal of two updates per month. However, at this time it looks like updated versions are being released monthly.

My advice is to use SARA when you want to get a quick and dirty overview of your network and the services running on it. Its user interface is simple and the SARA Report Writer is an effective tool for showing where potential security hazards lie.

Paul Virijevich is working to eliminate the "Linux consultants cost more" TCO myth. He recently started a consultancy providing cost-effective open source solutions to small businesses.
