SAINT Database Format

There are three main databases in SAINT:

The "facts" database

The facts database keeps track of all vulnerabilities detected, services offered, and any other information SAINT is able to collect throughout the scan. All information found in the facts database is in the form of text records. Each record has eight fields, separated by a pipe ("|") character. The inferences and conclusions found in this database are always in the same format.

The fields in the facts database are:

Target

The Target field contains the name of the host that the record refers to. In order of preference, it uses the FQDN, the IP address, an estimated name, or a partial name. A partial name can result from service output getting truncated. For example, finger can return "foo.bar.co"; is that "foo.bar.com", or something longer? SAINT tries to figure this out, but obviously cannot always be right.

Service

The Service field contains, in most cases, the basename of the probe which produced the record. This usually corresponds to the network service. The term basename refers to the fact that most of the files corresponding to the individual probes have a ".saint" extension. When the probe name is written to the Service field, this extension is stripped off, and only the basename is written. In the case of probes that check multiple services, such as rpcinfo or tcpscan, the name of the service being probed is used instead of the basename of the probe.

Severity

If a vulnerability was found during a probe, the Severity field tells you how serious the vulnerability is. Each severity level is represented by a particular two- to four-letter code. These codes are listed below:

Critical Problems (Red)
Areas of Concern (Yellow)
Potential Problems (Brown)

Trustee and Trusted

These two fields list the trustee and the trusted entities, respectively. The trustee is an entity which trusts the trusted entity; the trusted entity is the entity that is trusted by the trustee. The entries in these fields are made up of two tokens separated by the "at" sign ("@"). To the left of the "at" sign is an entry indicating the user or object; to the right of the "at" sign is the host. Either entry can be the word ANY. For example, consider the following Trustee field:

/home@target.com

This Trustee field indicates that the /home directory on the host target.com trusts the trusted entity; that is, the trusted host(s) are allowed access to /home. Now suppose the same record contains the following Trusted field:

ANY@goodhost.com

This Trusted field indicates that any user on goodhost.com is trusted; that is, any user on goodhost.com is allowed to access the /home directory on target.com. Now suppose that the Trusted field is:

ANY@ANY

Now any user on any host is trusted, meaning that anyone on the Internet is allowed access to /home on target.com. This fact could be very serious indeed.

Canonical Service Output

In the case of non-vulnerability records, this is a reformatted version of the output from the network service. In the case of vulnerability records, this is a description of the problem type. SAINT uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial.

Text

This field contains English messages which are displayed in the final report.

The "all-hosts" database

The all-hosts database keeps track of what hosts SAINT has seen, in any way, shape, or form, while scanning networks, including hosts that may or may not exist. Non-existent hosts might include, for instance, hosts reported in the output of the showmount command. The database is an ASCII file, with six fields separated by a pipe ("|") character. The fields are the following:
The "todo" database

The todo database keeps track of what probes have already been done. This database contains text records, each containing the following three fields separated by a pipe ("|") character:
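As an added example (not SAINT's own code), the following Python parser reads facts-database records of the kind described in the "facts" database section above: it splits the eight pipe-separated fields, decodes the Trustee and Trusted object@host tokens, and rates how widely each record opens the trustee, so that an ANY@ANY trust surfaces mechanically rather than by eye. It assumes the field order target|service|status|severity|trustee|trusted|canonical|text (the page names seven of the eight fields; the status slot is this example's assumption) and runs on constructed sample records.

```python
from typing import NamedTuple, Optional

# Assumed field order: the page names seven of the eight fields; placing a
# 'status' slot between service and severity is this example's assumption.
FIELDS = ("target", "service", "status", "severity",
          "trustee", "trusted", "canonical", "text")

class Entity(NamedTuple):
    """One side of a trust relationship, <user-or-object>@<host>; either may be ANY."""
    obj: str
    host: str

def parse_entity(token: str) -> Optional[Entity]:
    """'obj@host' -> Entity; an empty field means the record expresses no trust."""
    if token == "":
        return None
    obj, sep, host = token.partition("@")
    if not sep:
        raise ValueError(f"trust token lacks '@': {token!r}")
    return Entity(obj, host)

def parse_fact(line: str) -> dict:
    """Split one record on its first seven pipes so a '|' inside Text survives."""
    fields = line.rstrip("\n").split("|", len(FIELDS) - 1)
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(fields)}")
    rec = dict(zip(FIELDS, fields))
    rec["trustee"] = parse_entity(rec["trustee"])
    rec["trusted"] = parse_entity(rec["trusted"])
    return rec

def exposure(rec: dict) -> Optional[str]:
    """None if no trust; 'internet' for ANY@ANY; 'any-user-on-host' for ANY@host; else 'specific'."""
    t = rec["trusted"]
    if t is None:
        return None
    if t.obj == "ANY":
        return "internet" if t.host == "ANY" else "any-user-on-host"
    return "specific"

# Constructed sample records (not real scanner output); 'SEV' stands in for the
# severity codes, which the page does not list.
SAMPLE_FACTS = [
    "target.com|nfs|a|SEV|/home@target.com|ANY@goodhost.com|NFS export|/home exported to goodhost.com",
    "target.com|nfs|a|SEV|/home@target.com|ANY@ANY|unrestricted NFS export|/home exported to everyone",
    "foo.bar.co|finger|a||||finger: login uid|user list",
]
```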