SAINT Database Format
Data gathered and inferred during SAINT sessions is stored in databases. Databases are stored in the results directory. Current databases are stored in sub-directories named after the session names. Archived databases are stored under the current databases in a directory called archive. Each archived database is stored in a separate directory named by the Unix time (that is, the number of seconds since the start of the year 1970) that the scan completed.
Each database contains four tables: all-hosts, todo, facts, and cve. The tables are each plain text files where each line corresponds to one record. Fields are separated by the pipe character ("|"). Data directories may also contain a fifth file called exclusions which is a table of facts to exclude, but this file could be saved elsewhere and does not necessarily need to be in the data directory.
facts
The facts file keeps track of all vulnerabilities detected, services offered, and any other information SAINT is able to collect throughout the scan. All information found in the facts database is in the form of text records. In each record are eight or nine fields, each separated by a pipe ("|") character. The inferences and conclusions found in this database are always in the same format.
The fields in the facts database are as follows:
- Target
- Service
- Status
- Severity
- Trusted
- Trustee
- Canonical Service Output
- Text
- Technical Details (optional)
Target
The Target field contains the name of the host that the record refers to. In order of preference, it uses FQDN, IP, estimated, or partial. Partial can result from service output getting truncated. For example, finger can return "foo.bar.co"; is that "foo.bar.com", or something longer? SAINT tries to figure this out, but obviously can't always be right.
Service
The Service field contains, in most cases, the basename of the probe which produced the record. This usually corresponds to the network service. The term basename refers to fact that most of the files corresponding to the individual probes have a ".saint" extension. When the probe name is written to the Service field, this extension is stripped off, and only the basename is written.
In the case of probes that check multiple services, such as rpcinfo or tcpscan, the name of the service being probed is used instead of the basename of the probe.
Status
Examining the Status field will, much as the name suggests, let you know the status of a certain probe. For instance, was a host reachable, did a probe timeout, etc. The codes that indicate the current status of the probe follow:
|
a
|
|
available |
|
u
|
|
unavailable(e.g., timeout |
|
n
|
|
network (e.g., network or broadcast address) |
|
b
|
|
bad(e.g., unable to resolve) |
|
x
|
|
look into further? |
Severity
The Severity field distinguishes informational facts, service facts, and vulnerability facts. If a vulnerability was found during a probe, the Severity field will tell you how serious the vulnerability is. Each severity level is represented by a particular two to four letter code. These codes are listed below:
Critical Problems (Red) –
|
rs
|
|
administrator or root shell access |
|
us
|
|
user shell access |
|
ns
|
|
unprivileged (nobody)shell access |
|
ur
|
|
user file read access |
|
uw
|
|
user file write access |
|
nr
|
|
unprivileged file read access |
|
nw
|
|
unprivileged file write access |
|
ht
|
|
evidence of penetration (hacker track) |
|
bo
|
|
root acces via buffer overflow |
|
nfs
|
|
access to NFS filesystems |
|
dos
|
|
denial of service |
Areas of Concern (Yellow) –
|
yus
|
|
unlimited X server access |
|
yi
|
|
information gathering |
|
ype
|
|
privilege elevation |
|
ycs
|
|
use as an intermediary (cross-site) |
|
ymc
|
|
susceptibility to malicious content |
|
ysb
|
|
security bypass |
|
ydos
|
|
authenticated denial of service |
Potential Problems (Brown) –
|
zcio
|
|
check it out for possible vulnerabilities |
|
zwoi
|
|
do you want this accessible on the Internet? |
|
zp
|
|
poor security policy |
|
zdos
|
|
possible denial of service |
Others (Not Vulnerabilities) –
|
g
|
|
Services(green) |
|
i
|
|
Information |
If the severity code for a red, yellow, or brown vulnerability is capitalized, then the vulnerability is confirmed. If the severity code is lowercase, then the vulnerability is inferred. See confirmed vs. inferred vulnerabilities for more information.
Trustee and Trusted
These two fields will list the trustee and the trusted entities, respectively. The trustee is an entity which trusts the trusted entity. The trusted entity is the entity that is trusted by the trustee. The entries in these fields are comprised of two tokens, separated by the "at" sign ("@"). To the left of the "at" sign, you will see an entry which indicates the user or object. To the right of the "at" sign is the host. Either entry can be the word ANY. For example, consider the following Trustee field:
/home@target.com
This Trustee field would indicate that the /home directory on the host target.com trusts the trusted entity. That is, the trusted host(s) are allowed access to /home. Now suppose the same record contains the following Trusted field:
ANY@goodhost.com
This Trusted field would indicate that any user on goodhost.com is trusted. That is, any user on goodhost.com is allowed to access the /home directory on target.com. Now suppose that the Trusted field is:
ANY@ANY
Now any user on any host is trusted, meaning that anyone on the Internet is allowed access to /home on target.com. This fact could be very serious indeed.
Canonical Service Output
In the case of non-vulnerability records, this is a reformatted version of the output from the network service. In the case of vulnerability records, this is a description of the problem type. SAINT uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial.
Text
This field contains English messages which are displayed in the final report.
Technical Details
This field contains technical details about the vulnerability check, usually including data that was sent or received or a brief description of how the vulnerability was detected.
all-hosts
The all-hosts file keeps track of what hosts SAINT has seen, in any way, shape, or form, while scanning networks, including hosts that may or may not exist. Non-existent hosts might include, for instance, hosts reported from the output of the showmount command. The database is an ASCII file, with fields separated by a pipe ("|") character. The fields follow:
- Hostname: The hostname of the host
- IP address: The IP address of the host
- Proximity Level: How many jumps away the host is from the original target(s).
- Attack Level: The attack level at which the host was scanned. A negative number indicates that the host was not scanned.
- Subnet Expansion: Whether or not subnet expansion was enabled, where 1 denotes yes and 0 denotes no
- Time: The overall completion time of the scan against the host, if any, measured in Unix internal time; that is, the number of seconds since January 1, 1970
- Version: The SAINT version number which was in place when the host was last scanned
- MAC Address: The Media Access Control (MAC) address of the host, if known (The MAC address can only be determined for hosts which are on the same network segment as the host running SAINT.)
- System Class: The host's general system type, such as Windows or Linux.
- System Type: The host's specific operating system, including the version number or service pack level, if known.
See Configuration for more information on these variables and concepts.
todo
The todo database keeps track of what probes have already been done. This database contains text records, each containing the following three fields separated by a pipe ("|") character:
- Hostname: The hostname of the targeted host
- Probe name: The name of the probe which was run against the host
- Arguments: The arguments with which the probe was run
The tools perform .saint probes against the hostname with the arguments, if any.
cve
The cve file keeps track of any vulnerabilities which were found which have a corresponding CVE name, DOD-CERT Information Assurance Vulnerability Alert (IAVA) number, or any other index number, or are on the list of SANS Top 20 Internet Security Vulnerabilities. This database contains text records, each containing the following fields separated by a pipe ("|") character:
- Top 20 flag: Whether or not the vulnerability is on the Top 20 list ("yes" or "no")
- CVE name(s): The CVE name or names corresponding to the vulnerability, if any
- Vulnerability Text: Corresponds to the text field in the facts database
- IAVA number(s): The DOD-CERT IAVA number(s) corresponding to the vulnerability, if any
- Other index: Any other standardized index number, besides CVE and IAVA, that may be associated with the vulnerability (This field is empty unless a user-defined index has been added to rules/cve.)
- Check ID: The SAINT check ID which detected the vulnerability (see Vulnerability ID Format)
- BID number(s): The BID number or numbers corresponding to the vulnerability, if any
- OSVDB number(s): The OSVDB number or numbers corresponding to the vulnerability, if any
- NSID number(s): The Nessus script ID number or numbers corresponding to the vulnerability, if any
- CPE(s): The CPE (Common Platform Enumeration) entries corresponding to the vulnerability, if any