 SARA(8)                                                             SARA(8)




 NAME
      sara - network security scanner

 SYNOPSIS
      sara [options] [primary_target(s)...]

 DESCRIPTION
      SARA (Security Auditor's Research Assistant), a derivative of the
      Security Administrator Tool for Analyzing Networks (SATAN), remotely
      probes systems via the network and stores its findings in a database.
      The results can be viewed with any Level 2 HTML browser that supports
      the HTTP protocol (e.g., Mosaic, Netscape (see NOTE below), etc.).

      primary_target(s) can specify a:

      host
           (e.g., www.micosoft.com)

      range
           (e.g., 192.168.0.12-192.168.0.223)

      subnet
           (e.g., 192.168.0.0/23)

      When no primary_target(s) are specified on the command line, SARA
      starts up in interactive mode and takes commands from the HTML user
      interface.

      When primary_target(s) are specified on the command line, SARA
      collects data from the named hosts, and, possibly, from hosts that it
      discovers while probing a primary host. A primary target can be a host
      name, a host address, or a network number. In the latter case, SARA
      collects data from each host in the named network.
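
      The three target forms above, as an added example (not part of SARA):
      a pre-flight check that classifies each primary target and flags any
      that reach outside the networks you are authorized to scan. The
      function names, the sample authorization list and host.example.org
      are assumptions; IPv4 only.

```python
import ipaddress

def parse_target(spec):
    """Classify one primary target as in the DESCRIPTION above.

    Returns (kind, first, last): kind is 'subnet', 'range' or 'host';
    first/last are IPv4Address objects, or None for a host name.
    """
    spec = spec.strip()
    if "/" in spec:                                   # subnet, e.g. 192.168.0.0/23
        net = ipaddress.ip_network(spec, strict=True)
        return "subnet", net[0], net[-1]
    lo, dash, hi = spec.partition("-")
    if dash:                                          # range, or a hyphenated host name
        try:
            first, last = ipaddress.ip_address(lo), ipaddress.ip_address(hi)
        except ValueError:
            return "host", None, None
        if first > last:
            raise ValueError(f"range runs backwards: {spec}")
        return "range", first, last
    try:
        addr = ipaddress.ip_address(spec)             # host given by address
        return "host", addr, addr
    except ValueError:
        return "host", None, None                     # host name, not resolved here

def out_of_scope(targets, authorized):
    """Return [(spec, reason)] for targets not wholly inside `authorized` networks."""
    nets = [ipaddress.ip_network(n) for n in authorized]
    flagged = []
    for spec in targets:
        kind, first, last = parse_target(spec)
        if first is None:
            flagged.append((spec, "host name: resolve and check by hand"))
            continue
        blocks = ipaddress.summarize_address_range(first, last)
        if not all(any(b.subnet_of(n) for n in nets) for b in blocks):
            flagged.append((spec, f"{kind} extends beyond the authorized networks"))
    return flagged

# Constructed sample input: the page's range/subnet examples plus a placeholder name.
SAMPLE_TARGETS = ["192.168.0.12-192.168.0.223", "192.168.0.0/23", "host.example.org"]
SAMPLE_AUTHORIZED = ["192.168.0.0/24"]                # hypothetical authorization

if __name__ == "__main__":
    for spec, reason in out_of_scope(SAMPLE_TARGETS, SAMPLE_AUTHORIZED):
        print(f"{spec}: {reason}")
```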

      SARA can generate reports of hosts by type, service, vulnerability and
      by trust relationship. In addition, it offers tutorials that explain
      the nature of vulnerabilities and how they can be eliminated.

      SARA Reporter (tm) is an enterprise level report writer that
      integrates bar charts, tables of vulnerabilities, host details, and
      tutorials into a single Microsoft Word importable document.

      By default, the behavior of SARA is controlled by a configuration file
      (config/sara.cf). The defaults can be overruled via command-line
      options or via buttons etc.  in the HTML user interface.

      Options:

      -a   Attack level (0=light, 1=normal, 2=heavy, 3=extreme, 4=custom0,
           5=custom1, 6=custom-2). At level 0, SARA collects information
           about RPC services and from the DNS. At level 1, SARA collects
           banners of well-known services such as telnet, smtp and ftp, and
           can usually establish the type of operating system.  At level 2,
           SARA does a more extensive (but still non-intrusive) scan for
           services.  Level 2 scans may result in console error messages.
           At level 3, some tests may disrupt unpatched Microsoft Windows
           products (95, 98, NT), but SARA searches for more exploits,
           including distributed denial of service daemons.  Levels 4, 5, and 6 can be
           customized to perform specific probes.  Custom attack levels are
           defined in the Configuration Management page.

      -A proximity_descent
           While SARA extracts information from primary targets, it may
           discover other hosts.  The proximity_descent controls by how much
           the attack level decreases when SARA goes from primary targets to
           secondary ones, and so on. The -z option determines what happens
           when the attack level reaches zero.

      -c 'name=value; name=value...'
           Change the value of arbitrary SARA variables. Example:

              -c 'dont_use_dns = 1; dont_use_nslookup = 1'.

           The -c option allows you to control configuration and other
           variables that do not have their own command-line option. The
           format is a list of name=value pairs separated by semicolons.
           Variable names have no dollar prefix, and values are not quoted.
           Whitespace within values is preserved.

      -C   Directs the SARA Reporter to ignore specified hosts with
           particular vulnerabilities (e.g., possible false positives).

      -d database
           Specifies the name of the database to read from and to save to
           (default sara_data).

           When multiple SARA processes are run in parallel, each process
           should be given its own database (for example, one database per
           subnet of 256 hosts). Use the merge facility of the HTML user
           interface to merge data from different runs.

      -D   Run SARA in daemon mode on the port specified in config/sara.cf.
           This enables remote execution of SARA.

      -i   Ignore the contents of the database.

      -I plugin
           Ignore the named plugin (without pi extension).  Specify "all" to
           ignore all plugins.

      -f   Sets the SARA probes (fwping and tcp_scan) to scan a firewalled
           network.

      -F file
           Reads the hosts to be scanned from file.

      -l proximity
           Maximal proximity level. Primary targets have proximity 0, hosts
           discovered while scanning primaries have proximity level 1, and
           so on.  SARA ignores all hosts that exceed the maximal proximity
           level.

      -n   Perform nmap OS fingerprinting.

      -o only_attack_these
           A list of domain names and/or network numbers of hosts that SARA
           is permitted to scan. List elements are separated by whitespace
           or commas. Understands the * shell-like wildcard.

      -O dont_attack_these
           A list of domain names and/or network numbers that SARA should
           stay away from. The list has the same format as with the -o
           option.

      -p   Reduce packet density.  Useful for slow machines or networks.

      -P concurrent
           Allow concurrent processing.  SARA will spawn at most
           concurrent processes.

      -r   Generate SARA Report (command line only).  See sara.cf for
           configuration options.  The report is loaded in the results
           database as report.html.

      -s   Subnet expansion. For each primary target, SARA finds all alive
           hosts in the target's subnet (a block of 256 addresses).

      -S status_file
           While collecting data, SARA maintains a status file with the last
           action taken. The default status file is status_file.

      -t level
           Timeout level (0 = short, 1 = medium, 2 = long) for each probe.

      -T time
           Specifies that SARA will start execution at the identified time
           [#]. Time can be specified in several ways:

           days-hour:min (e.g., 1-16:33. SARA will start at 1630 localtime
           tomorrow).

           yy/mm/dd-hour:min (e.g., 2000/09/24-16:33.  SARA will start at
           1630 on 24 Sep 2000)

           A "#" character added to the end of the time string will instruct
           SARA not to execute the operation if the time has passed.

      -u   Specifies that SARA is being run from an untrusted host. Access
           via, for example, the remote shell or network file system
           services, means that there is a security problem.

      -U   Opposite of the -u option.  SARA may be run from a possibly
           trusted host. Access via, for example, the remote shell or
           network file system services is not necessarily a problem.

      -v   Verbose mode.  SARA prints on the standard output what it is
           doing. This is useful for debugging purposes.

      -V   SARA prints its version number and terminates.

      -z   When scanning non-primary hosts, continue with attack level of
           zero when the level would become negative. The scan continues
           until the maximal proximity level is reached.

      -Z   Opposite of the -z option.
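
      How -a, -A, -l and -z/-Z combine, as an added example (a model written
      for this page, not SARA's own code): it lists the attack level applied
      at each proximity and shows which discovered hosts still receive a
      level 2 or 3 scan. The function names are assumptions, and -Z is
      assumed to stop probing once the level would go negative, since the
      page only calls it the opposite of -z.

```python
def level_plan(attack_level, proximity_descent, max_proximity, continue_at_zero):
    """Map each proximity 0..max_proximity to the attack level used there.

    attack_level       -a (built-in levels 0-3 only)
    proximity_descent  -A, subtracted once per step away from a primary target
    max_proximity      -l, hosts beyond it are ignored
    continue_at_zero   True for -z, False for -Z
    None in the result means hosts at that proximity are not probed
    (assumed meaning of -Z).
    """
    if not 0 <= attack_level <= 3:
        # Levels 4-6 are custom probe sets; the page does not say how
        # proximity descent applies to them, so they are not modelled.
        raise ValueError("only the built-in levels 0-3 are modelled")
    if proximity_descent < 0 or max_proximity < 0:
        raise ValueError("descent and maximal proximity must not be negative")
    plan = {}
    for proximity in range(max_proximity + 1):
        level = attack_level - proximity * proximity_descent
        if level < 0:
            level = 0 if continue_at_zero else None
        plan[proximity] = level
    return plan


def heavy_on_discovered_hosts(plan):
    """Proximities above 0 that still get level 2 or 3.

    These are hosts nobody named on the command line, scanned at the levels
    the -a text says may cause console errors (2) or disrupt unpatched
    systems (3).
    """
    return [p for p, lvl in plan.items() if p > 0 and lvl is not None and lvl >= 2]


if __name__ == "__main__":
    for flag, keep_going in (("-z", True), ("-Z", False)):
        print(flag, level_plan(2, 1, 4, keep_going))
    # A descent of 0 carries the full level to every discovered host.
    print("level 3, -A 0:", heavy_on_discovered_hosts(level_plan(3, 0, 2, True)))
```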

 NOTE
      While using older versions of Netscape, the user may experience
      problems when clicking on the menu buttons.  Specifically, Netscape
      may prompt the user to save a *.pl file.  Refer to the online
      documentation -> FAQ for configuration options to rectify this
      problem.

 FILES
      config/*   configuration files
      rules/*    rule bases
      results/*  databases

 AUTHORS
      SARA: Bob Todd

      SATAN: Dan Farmer, Wietse Venema

 Formatted:  April 25, 2024