SAINT Documentation
WWDSI

SAINT Database Format

There are four databases in SAINT:

The "facts" database

The facts database keeps track of all vulnerabilities detected, services offered, and any other information SAINT is able to collect throughout the scan. All information found in the facts database is in the form of text records. In each record are eight fields, each separated by a pipe ("|") character. The inferences and conclusions found in this database are always in the same format.

The fields in the facts database are:

  1. Target
  2. Service
  3. Status
  4. Severity
  5. Trusted
  6. Trustee
  7. Canonical Service Output
  8. Text

Target

The Target field contains the name of the host that the record refers to. In order of preference, it uses FQDN, IP, estimated, or partial. Partial can result from service output getting truncated. For example, finger can return "foo.bar.co"; is that "foo.bar.com", or something longer? SAINT tries to figure this out, but obviously can't always be right.

Service

The Service field contains, in most cases, the basename of the probe which produced the record. This usually corresponds to the network service. The term basename refers to the fact that most of the files corresponding to the individual probes have a ".saint" extension. When the probe name is written to the Service field, this extension is stripped off, and only the basename is written.

In the case of probes that check multiple services, such as rpcinfo or tcpscan, the name of the service being probed is used instead of the basename of the probe.

Status

Examining the Status field will, much as the name suggests, let you know the status of a certain probe. For instance, was a host reachable, did a probe time out, etc. There are five codes that indicate the current status of a probe. These codes are:
  1. a: available
  2. u: unavailable (e.g. timeout)
  3. n: network (e.g. network or broadcast address)
  4. b: bad (e.g. unable to resolve)
  5. x: look into further?

Severity

If a vulnerability was found during a probe, the Severity field will tell you how serious the vulnerability is. Each severity level is represented by a particular two- to four-letter code. The field is empty for records that do not describe a vulnerability. These codes are listed below:

Critical Problems (Red)

  1. rs : administrator or root shell access
  2. us : user shell access
  3. ns : unprivileged (nobody) shell access
  4. ur : user file read access
  5. uw : user file write access
  6. nr : unprivileged file read access
  7. nw : unprivileged file write access
  8. ht : evidence of a hacker track
  9. nfs : access to NFS filesystems
  10. dos : denial of service

Areas of Concern (Yellow)

  1. yus : user shell through X
  2. yi : information gathering

Potential Problems (Brown)

  1. zcio: check it out for possible vulnerabilities
  2. zwoi: do you want this accessible on the Internet?

Trustee and Trusted

These two fields list the trustee and the trusted entity, respectively. The trustee is an entity which trusts the trusted entity; the trusted entity is the one that is trusted by the trustee. The entries in these fields consist of two tokens separated by the "at" sign ("@"). To the left of the "at" sign is the user or object; to the right of the "at" sign is the host. Either token can be the word ANY. For example, consider the following Trustee field:
/home@target.com
This Trustee field would indicate that the /home directory on the host target.com trusts the trusted entity. That is, the trusted host(s) are allowed access to /home. Now suppose the same record contains the following Trusted field:
ANY@goodhost.com
This Trusted field would indicate that any user on goodhost.com is trusted. That is, any user on goodhost.com is allowed to access the /home directory on target.com. Now suppose that the Trusted field is:
ANY@ANY
Now any user on any host is trusted, meaning that anyone on the Internet is allowed access to /home on target.com. This fact could be very serious indeed.

Canonical Service Output

In the case of non-vulnerability records, this is a reformatted version of the output from the network service. In the case of vulnerability records, this is a description of the problem type. SAINT uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial.

Text

This field contains English messages which are displayed in the final report.
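The following is an added example, not SAINT's own code, of a reader for the facts database as described above: it splits each record into the eight fields, validates the status and severity codes against the lists in this section, flags records whose Trusted entity is ANY@ANY, and groups vulnerability records by Canonical Service Output the way a report by vulnerability type would. The sample records are constructed for illustration; SAINT's actual Canonical Service Output strings are not assumed. Splitting on at most seven pipes, so that a stray "|" in the free-text last field does not shift the columns, is a defensive choice of this example, not something the documentation specifies.

```python
"""Reader for the SAINT "facts" database (added example, not SAINT code)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Severity code -> report class, exactly as listed in the Severity section.
SEVERITY_CLASS: Dict[str, str] = {
    **{c: "critical" for c in ("rs", "us", "ns", "ur", "uw", "nr", "nw", "ht", "nfs", "dos")},
    **{c: "concern" for c in ("yus", "yi")},
    **{c: "potential" for c in ("zcio", "zwoi")},
}
STATUS_CODES = {"a": "available", "u": "unavailable", "n": "network",
                "b": "bad", "x": "look into further"}


class FactFormatError(ValueError):
    """A line that is not a well-formed eight-field facts record."""


@dataclass(frozen=True)
class Fact:
    target: str
    service: str
    status: str
    severity: str      # empty for non-vulnerability records
    trusted: str
    trustee: str
    canonical: str     # service output, or the problem type for vulnerabilities
    text: str


def parse_fact(line: str) -> Fact:
    # maxsplit=7: keep any '|' inside the free-text last field (defensive choice).
    fields = line.rstrip("\r\n").split("|", 7)
    if len(fields) != 8:
        raise FactFormatError(f"expected 8 fields, got {len(fields)}: {line!r}")
    fact = Fact(*fields)
    if fact.status not in STATUS_CODES:
        raise FactFormatError(f"unknown status code {fact.status!r}")
    if fact.severity and fact.severity not in SEVERITY_CLASS:
        raise FactFormatError(f"unknown severity code {fact.severity!r}")
    return fact


def parse_facts(text: str) -> List[Fact]:
    return [parse_fact(line) for line in text.splitlines() if line.strip()]


def severity_class(code: str) -> Optional[str]:
    """'critical', 'concern', 'potential', or None for a non-vulnerability record."""
    return SEVERITY_CLASS.get(code)


def split_entity(entity: str) -> Tuple[str, str]:
    """Split 'user-or-object@host'; either half may be the word ANY."""
    if "@" not in entity:
        raise FactFormatError(f"trust entity without '@': {entity!r}")
    who, host = entity.split("@", 1)
    return who, host


def open_to_internet(facts: List[Fact]) -> List[Fact]:
    """Records whose trusted entity is ANY@ANY: any user on any host reaches the trustee."""
    return [f for f in facts if f.trusted and split_entity(f.trusted) == ("ANY", "ANY")]


def by_vulnerability_type(facts: List[Fact]) -> Dict[str, List[Fact]]:
    """Group vulnerability records (non-empty Severity) by Canonical Service Output."""
    groups: Dict[str, List[Fact]] = defaultdict(list)
    for f in facts:
        if f.severity:
            groups[f.canonical].append(f)
    return dict(groups)


# Constructed sample records, not real SAINT output.
SAMPLE_FACTS = """\
target.example|nfs|a|nfs|ANY@ANY|/home@target.example|NFS export to unprivileged programs|/home is exported to everyone
target.example|nfs|a|nfs|ANY@goodhost.example|/home@target.example|NFS export to unprivileged programs|/home is exported to goodhost.example
target.example|finger|a|yi|||finger output|finger is running: user list disclosed
target.example|telnet|a|zwoi|||telnet|telnet (23/tcp) is open; do you want this accessible from the Internet?
target.example|rpcinfo|u|||||rpcinfo timed out
"""

if __name__ == "__main__":
    facts = parse_facts(SAMPLE_FACTS)
    for f in open_to_internet(facts):
        print(f"OPEN TO INTERNET: {f.trustee} trusts {f.trusted} [{severity_class(f.severity)}]")
    for kind, recs in sorted(by_vulnerability_type(facts).items()):
        print(f"{kind}: {len(recs)} record(s)")
```

Because Severity is empty on non-vulnerability records, `by_vulnerability_type` uses that emptiness to separate service output from problems; the rpcinfo timeout (status u) therefore never appears in a vulnerability group.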

The "all-hosts" database

The all-hosts database keeps track of every host SAINT has seen, in any way, shape, or form, while scanning networks, including hosts that may or may not exist. Non-existent hosts might include, for instance, hosts reported in the output of the showmount command. The database is an ASCII file, with six fields separated by a pipe ("|") character. The fields are the following:
  • Hostname: The hostname of the host
  • IP address: The IP address of the host
  • Proximity Level: How many hops away the host is from the original target(s)
  • Attack Level: The attack level at which the host was scanned. A negative number indicates that the host was not scanned.
  • Subnet Expansion: Whether or not subnet expansion was enabled, where 1 denotes yes and 0 denotes no
  • Time: The completion time of the scan against the host, if any, as a UNIX timestamp; that is, the number of seconds since January 1, 1970 (UTC)
See the SAINT configuration file documentation for more information on these variables and concepts.

The "todo" database

The todo database keeps track of what probes have already been done. This database contains text records, each containing the following three fields separated by a pipe ("|") character:

  • Hostname: The hostname of the targeted host
  • Probe name: The name of the probe which was run against the host
  • Arguments: The arguments with which the probe was run
Each record means that the named .saint probe was run against that hostname with those arguments, if any.
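An added example, not SAINT's own code, that reads the all-hosts and todo databases described in the two sections above. It lists hosts that were seen but never scanned (negative Attack Level), converts the Time field from a UNIX timestamp, and answers the question the todo database exists for: has this probe, with these arguments, already been run against this host? The records are constructed; whether the todo Probe name carries the ".saint" extension, and whether the Time field is empty or 0 for an unscanned host, are assumptions of the example (both cases are handled).

```python
"""Readers for the SAINT "all-hosts" and "todo" databases (added example, not SAINT code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class HostRecord:
    hostname: str
    ip: str                        # may be empty for a host that never resolved
    proximity: int                 # hops from the original target(s)
    attack_level: int              # negative: seen but never scanned
    subnet_expansion: bool
    finished: Optional[datetime]   # None when no scan completed

    @property
    def scanned(self) -> bool:
        return self.attack_level >= 0


def parse_all_hosts(text: str) -> List[HostRecord]:
    hosts: List[HostRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 6:
            raise ValueError(f"all-hosts record needs 6 fields: {line!r}")
        name, ip, prox, level, expand, when = fields
        if expand not in ("0", "1"):
            raise ValueError(f"Subnet Expansion must be 0 or 1: {line!r}")
        # Assumption: an unscanned host has an empty or zero Time field.
        finished = (datetime.fromtimestamp(int(when), tz=timezone.utc)
                    if when and int(when) > 0 else None)
        hosts.append(HostRecord(name, ip, int(prox), int(level), expand == "1", finished))
    return hosts


def unscanned(hosts: List[HostRecord]) -> List[HostRecord]:
    """Hosts SAINT learned about (e.g. from showmount output) but did not scan."""
    return [h for h in hosts if not h.scanned]


@dataclass(frozen=True)
class TodoRecord:
    hostname: str
    probe: str   # assumed to be the probe file name, e.g. tcpscan.saint
    args: str    # empty when the probe took no arguments


def parse_todo(text: str) -> List[TodoRecord]:
    records: List[TodoRecord] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 2)   # keep any '|' inside the arguments
        if len(fields) != 3:
            raise ValueError(f"todo record needs 3 fields: {line!r}")
        records.append(TodoRecord(*fields))
    return records


def already_done(todo: List[TodoRecord], hostname: str, probe: str, args: str = "") -> bool:
    """True if this exact probe/argument pair has already been run against the host."""
    return TodoRecord(hostname, probe, args) in set(todo)


# Constructed sample records, not real SAINT output.
SAMPLE_ALL_HOSTS = """\
target.example|192.0.2.10|0|2|1|946684800
goodhost.example|192.0.2.20|1|-1|1|
ghost.example||2|-1|0|0
"""
SAMPLE_TODO = """\
target.example|dns.saint|
target.example|tcpscan.saint|1-1024
"""

if __name__ == "__main__":
    for h in unscanned(parse_all_hosts(SAMPLE_ALL_HOSTS)):
        print(f"never scanned: {h.hostname} (proximity {h.proximity})")
    todo = parse_todo(SAMPLE_TODO)
    print("tcpscan 1-1024 done:", already_done(todo, "target.example", "tcpscan.saint", "1-1024"))
```

Note that `already_done` matches the arguments exactly, so a port-range change (1-1024 versus 1-65535) counts as a new probe; that mirrors the three-field key the todo database records rather than anything smarter.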

The "cve" database

The cve database keeps track of any vulnerabilities that were found which have a corresponding CVE name or are on the list of SANS Top 10 Internet Security Threats. This database contains text records, each containing the following three fields separated by a pipe ("|") character:

  • Top 10 flag: Whether or not the vulnerability is on the Top 10 list ("yes" or "no")
  • CVE name(s): The CVE name or names corresponding to the vulnerability, if any
  • Vulnerability Text: Corresponds to the text field in the facts database
