[SARA IMAGE]SARA Frequently Asked Questions (FAQ)


Table of Contents

(Last-modified: 15 October, 2001)

General questions

SANS Top 20

Troubleshooting

(Getting it to work/run at all)

(Problems when running it)

Comparisons, Hype, etc.

Tech stuff

Really important things


Hostname Problem

SARA can not find the IP address for your hostname. Find you hostname by typing the command "hostname". This will indicate your hostname. Check the /etc/hosts file to see if there is a reference to the hostname.

Linux Showmount

If you did not load the NFS client and or server when you installed Linux, showmount was not loaded. Install the NFS client/server to load showmount.

Netscape Problem

There was a problem with Netscape (and most other browsers that have a predefined definition for perl and associated action).

For most versions of Netscape, the following is true: the definition for perl points to the perl application. The deinition should be changed so that (1) the MimeType is text/html and (2) "Handled By" is set to Navigator. To do this on Netscape, select:

Edit -> Preferences -> Navigator -> Applications -> Perl Program -> Edit

Standalone Operation

SARA requires a network environment in order to function. Such a network environment can be provided by the loopback device (lo). Follow the steps below (example performed on a Linux box):

How can I contact the authors?

Sendmail to Bob Todd with comments, suggestions, and bug reports.

When I try to run SARA, it says (something like): "missing right bracket at perl/getfqdn.pl line 48, at end of line"

You need to upgrade your version of perl - you're probably using the alpha version of perl5.

What do I need to uncompress the SARA tar file?

To uncompress the archives, you'll need to use the Un*x uncompress program if it ends in ".Z", or the GNU unzip if it ends in ".gz".

Where do I get a version of perl that will work?

perl5 is available via anonymous ftp from sunsite.unc.edu.

When I try to run SARA, it says (something like): "Can't locate ctime.pl in @INC at perl/status.pl line 5."

ctime.pl is bundled with perl5; if you've installed that, you should have it - look for it in the library subdirectories. If it's there, as a last resort you can copy "ctime.pl" (and perhaps "getopts.pl" into the main SARA directory, and SARA should find it there.

When I try to run sara I get "Xlib:connection to ":0.0" refused by server"

You can do a "xhost +hostname", where "hostname" is the host you're running it on, and try again. Also, look at the problems with X, networks, and SARA

I'm trying to get SARA to compile on my ULTRIX box. Why won't it work/where is rpgen?

DEC/Ultrix doesn't have "rpcgen". You'll need to run it on another machine and move the resulting files to the Ultrix platform.

SARA doesn't find any hosts at all - it starts and stops with "(0 host(s) visited)". This is bogus! Give me my money back!

Calm down. You probably can't use ICMP to detect if a host is alive or not. Try setting "$dont_use_ping=1" in config/sara.cf (it's near the bottom.) It should work, or we'll give you double your money back.

SARA crashed, hung, or did very odd things to a system that it was run against.

We've received reports of various OS's that seem to have significant trouble with SARA scans, particularily the UDP and TCP scans that span lots of ports. Among the afflicted:

I ran SARA to analyze my results and the machine slows grinds down to a standstill (and possibly crashes), but I don't get any answers.

It could be, with a large amount of data, that SARA is using too much memory to fit in your machine. An enormous amount of memory is consumed by the program (see memory requirements for more on this.) Try checking the memory used by SARA on your machine; if it needs more, get more memory - adding swap space is a very painful way of trying to deal with this.

Given that Satan starts its own http server on the local host, why doesn't it use 'localhost' instead of the FQDN of the local host when trying to contact it?

This breaks some HTML browsers. Try running with $dont_use_nslookup (found in config/sara.cf) when your naming service is crippled.

Whenever I click on a hyper link it doesn't work.

Be careful if you use proxy services (typically if you're behind a firewall you do) to access the WWW - you should unset environment variables (such as $http_proxy $file_proxy, $socks_ns, etc.) and/or change your browser's configuration to not use your SOCKS host or HTTP Proxy host (in your HTML browser's option section.)

I merged some databases together with the "merge" function in the SARA Data Management, but when I exited SARA, they weren't saved. What gives?

The database merging only works in memory. Currently there is no way to save this to disk (until the next version of SARA.)

I get "bin/tcp_scan: socket: Too many open files" in the window from which I start Satan.

The machine's open file table is getting exhausted. Tcp_scan backs off and succeeds after a few attempts. You'll need to build a bigger kernel or run less processes.

I'm trying to get SARA running on my Linux box.

It does. SARA works with most versions of Linux with a 2.x.x kernel. It has bee tested on Red Hat 4.x, 5.x and Slackware 3.x.

Why doesn't it warn remote hosts that it is probing them?

This could be built into sara; the most reliable general solution would be to send mail to the probed system (say, to "root" or "postmaster"). A beta-tester suggested that an entry could be written to the target's syslog. Neither of the solutions are incredibly reliable. The former relies on someone reading the mail and the account existing, as well as having to deal with hundreds if not thousands of pieces of mail that might go to machines that the user of SARA controls. The latter has several problems, first and foremost in that it depends on people actually looking at the syslog records, and secondly that if an intruder uses SARA to break in, they will typically "flatten", modify, or simply destroy such records. Finally, many systems don't run or have non-standard syslog programs and quite a few filter out requests with packet filters, so they would never see the warning.

Nonetheless, we'll probably be putting either or both of these as options in the next release of SARA.

What's the difference between it and TARA?

TARA is a host-based Un*x security auditing tool; that means you run it on the host you wish to examine the security of. SARA is a remote network security auditing tool, which means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

What's the difference between it and ISS and other remote scanners?

ISS, and any other remote auditing tool that we're aware of, scans a network or remote host and then reports on any problems that it may find. While SARA does that as well, the inferencing, the web of trust that it uncovers, the automatic probing of secondary targets, the rich reporting schema with context sensitive hypertext links to the documentation, the rich configurability, etc. all make SARA different to what is currently available.

SAINT is another remote scanner based on SATAN. It is a good product but relatively limited application to date. Also, SAINT does not have an optional report writer.

What's a remote security auditing tool/probe/scanner?

This means it can report on the security of any host OR network that has IP connectivity to where you run the tool; you don't need an account or privileges on the remote targets to report on them.

I'm using a B/W monitor, and it's hard to see the difference between red and black dots. What can I do?

The easiest thing to do is to just mv (or link or whatever) the html/dots/whitedot.gif to html/dots/reddot.gif. That'll give a much higher contrast and should be easier to read.

How can I change from one HTML browser (e.g. Mosaic, Netscape, whatever) to another, without running reconfig or something?

Simply edit the file config/paths.pl. You'll see a line that looks like:
    $MOSAIC = "/usr/local/bin/netscape";
Change the path inside the parenthesis to point to wherever your preferred browser is; for instance, if you want to use Mosaic, and it's in /usr/bin/X11, you'd change the above line to:
    $MOSAIC = "/usr/bin/X11/Mosaic";

Why does SARA keep fingering the same host(s) over and over again?

SARA will finger a host repeatedly if it gets new information about the host; for instance, if it finds out that a user might exist on a host, it will finger to try and find out remote login information.

SARA died (or the machine crashed, or whatever) in the middle of a run - do I have to start everything over again?

SARA saves data at regular intervals to its database files; the easiest thing to do is to simply start it up again, with the same target and probe levels. If SARA has remembered anything, it will grind away for awhile, finding out what it has seen before, and then resume on the targets that it hasn't scanned.

How can I tell if anyone is running SARA against me?

CIAC wrote and is distrbuting something called Courtney, but it is far from foolproof. It is very difficult to detect the lighter SARA scans; the heavier ones, however, are typically best detected by running Wietse's tcpd wrappers and examining the logs - a good tipoff is if many of your machines in the same area log connections from the same remote site. Some of the SARA probes output a message to the console - if users report odd messages on their console screen, take them seriously ;-)

{When is the port of/can you help me port/do you have any information on porting} SARA to MacOS/DOS/VMS/MVS/Whatever?

SARA, at least on the server side, is heavily linked to Un*x and perl5. While it might be possible to port SARA to one of these other OS's (if you can call them that! ;-)) would be fairly difficult and not something that either one of us wants to touch with a ten foot (or ~ 3 meter) pole.

I see a lot of odd files that are appearing on my system after running SARA, such as /tmp/sh11318, tmp_file.1288, etc. What's the deal?

SARA uses perl extensively in it's tests; the .sara probes use such commands as:
    open(FOO, "|program <<_EOF
    some input
    more input
    _EOF");
This will leave a temporary file behind when SARA determines that they have run out of time and kill off the probe. Almost all temporary files that are created at various time within the SARA are deleted automatically, but since the << files are created internally by the shell, it is impossible for SARA to know how to delete the files that remain. Simply delete them, or create a cron job to automatically sweep the /tmp directory for you.

Why doesn't SARA check for [insert your favorite bug here]?

There are several reasons why SARA does not probe for all known bugs:

Back to the Document/CVE TOC