Extending SARA
One of the best parts of SARA is that it is so easy to modify, configure,
and add your own probes and vulnerability checks to the system.
All of the probes are files that end in .sara and are kept
in the bin subdirectory; the rules to add new vulnerability
checks are in the rules subdirectory (see the section on
sara rules for more information on
the rulesets.) SARA tests for vulnerabilities are roughly done as follows:
- Initial data collection, via .sara files. Save this info into
the database (ASCII text files). This will be either informational or
vulnerability data.
- When the user fires up the HTML browser, SARA examines the database
for explicit vulnerabilities, then checks the rulesets to see if it can
infer other vulnerabilities (such as an old sendmail version).
If you want to add another .sara test - perhaps checking for
the latest sendmail bug or something - there are a few things
that must be done, depending on your test:
- Create an executable that checks for the problem you'd like to scan
for. It generally will take one argument - a hostname that is the
target of the probe.
- Have the probe output a valid SARA output record - see the
SARA database format document for more on
this.
- If it is a C program or something that must be processed or
compiled before being run, either modify an existing SARA makefile to
do so, or create your own.
- Decide what severity level it will be run at; either light,
normal, or heavy, and modify the appropriate variable
in the sara.cf file.
If you want to modify the rulesets, see the
sara rules section to see how to
create a rule that will check for a vulnerability.
Finally, you'll want to create an information file (we call them tutorials.)
This explains the vulnerability, tells how to fix or otherwise deal with
the problem, points to applicable CERT or vendor advisories, etc. There
are examples of these in the html/tutorials/vulnerabilities
subdirectory.
Important! Look at the canonical output of the tool (see the
sara database for more details on
this) - for instance, for REXD, it's "REXD access".
The filename will be identical to the canonical output, with underbars
("_") instead of spaces, with an ".html" suffix. E.g.,
for REXD, the filename is REXD_access.html.
That's it! Place the executable (or have make do so after
processing the source file) in the bin SARA subdirectory with
the rest of the .sara files. It will be run against any target
that has an attack level that corresponds to your probe.
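Putting the steps above together, here is an added example of a probe skeleton (not SARA's own code, and written in Python rather than in whatever language the project's own probes use): it takes a hostname as its one argument, reads the SMTP greeting, and prints one record, and it also derives the tutorial filename from the canonical output as described above. The pipe-separated record layout and the severity code "x" are assumptions modelled on the SATAN lineage (check the SARA database format document); the version threshold and the sample greeting are constructed.

```python
import re
import socket
import sys

# Constructed sample greeting, used with --demo so the probe runs without a network.
SAMPLE_BANNER = "220 mail.example.test ESMTP Sendmail 8.8.5/8.8.5; Mon, 1 Jan 2001 00:00:00 GMT"
# Assumed threshold for this example: anything older is reported as a vulnerability.
MIN_VERSION = (8, 9, 3)
CANONICAL = "old sendmail version"  # canonical output; the tutorial file name derives from it


def fetch_banner(host, port=25, timeout=5.0):
    """Read the SMTP greeting line from host (the only network step of the probe)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(512).decode("ascii", "replace").strip()


def parse_sendmail_version(banner):
    """Return (major, minor, patch) from a Sendmail greeting, or None if absent."""
    m = re.search(r"Sendmail (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def make_record(target, version):
    """Build one pipe-separated record. Field layout is an ASSUMPTION (see the
    SARA database format document): target|service|status|severity|trusted|
    trustee|canonical output|text. An old version yields a vulnerability record
    (severity 'x', assumed); anything else yields an informational record."""
    if version is None:
        return "%s|smtp|a||||no sendmail version|greeting gave no Sendmail version" % target
    ver = ".".join(str(n) for n in version)
    if version < MIN_VERSION:
        return "%s|smtp|a|x|||%s|runs Sendmail %s" % (target, CANONICAL, ver)
    return "%s|smtp|a||||sendmail version|runs Sendmail %s" % (target, ver)


def tutorial_filename(canonical):
    """Tutorial file explaining a canonical output ("REXD access" -> REXD_access.html)."""
    return canonical.replace(" ", "_") + ".html"


def main(argv):
    if len(argv) != 2:
        sys.stderr.write("usage: %s hostname | --demo\n" % argv[0])
        return 2
    demo = argv[1] == "--demo"
    target = "mail.example.test" if demo else argv[1]
    banner = SAMPLE_BANNER if demo else fetch_banner(target)
    print(make_record(target, parse_sendmail_version(banner)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The vulnerability record's canonical output must match the tutorial file name exactly, so the tutorial for this probe would be html/tutorials/vulnerabilities/old_sendmail_version.html.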
If you're feeling really womanly or manly, and want to give your new
tests or changes to the world, the best thing to do is to generate a
patch using the diff command that can be run against the latest released
version of SARA. Feel free to send it to:
sara@fish.com