SAINT Documentation
--------

Analyzing SAINT output

Learning how to effectively interpret the results of a SAINT scan is the most difficult part of using SAINT. This is partly because there is no "correct" security level. "Good" security is very much dependent on the policies and concerns of the site or system involved.

In addition, some of the concepts used in SAINT (such as why trust and network information can be so damaging) and many of the options that can be chosen (like proximity, proximity descent, attack filters, etc.) will not be very familiar to many system administrators. It is important to read and understand the documentation to use the tool effectively.

From the control panel in the HTML interface, select Data Analysis. You will then be presented with a wealth of choices; when first learning to use the tool, the Vulnerabilities section will probably be the one of most immediate interest. In that section, the By Approximate Danger Level link is a good place to start. If a vulnerability is found, SAINT will provide links to sources of information about that vulnerability and how to fix it. If no vulnerabilities are found, congratulations! Note that this does NOT mean that your host is secure - it simply means that SAINT could not find any problems. You might try scanning your targets at a higher level and checking this again. In any case, you should investigate the other categories (Hosts and Trust) in the reporting page.

While viewing the reports, you will notice that some hosts are listed with a red dot next to them (RED). This red dot signifies that the host has critical problems, or harbors a serious vulnerability or vulnerabilities that could very well lead to it being compromised by a malicious user. Hosts listed with red dots require immediate action.

Other hosts, you will notice, will have a yellow dot next to them (YELLOW). The yellow dot tells you that the machine has one or more areas of concern. In other words, the machine might host one or more services that may be exploited by a hacker to gather information that could assist an attack. Any vulnerability found on this machine should be addressed as soon as possible.

Upon further examination of the single machine scan report, you may notice some hosts are listed with a brown dot next to them (BROWN). This brown dot signifies that the machine has potential vulnerabilities. These vulnerabilities may or may not require action, depending upon the version, patch level, and/or configuration of the services, or upon the local security policy.

And finally, you will notice that a few hosts are listed with a green dot (GREEN). Green dots are simply an indication that a machine is hosting certain services (such as FTP, HTTP, etc.), and listed services are included for information purposes only.

The best way to learn what SAINT can do for you is by using it - scanning networks and examining the results with the Report and Analysis tools can reveal interesting things about your network. Remember, anyone has access to this information, so act accordingly!

Reading, or at least browsing through, the full documentation is strongly recommended - this tutorial covers only the very basic capabilities of SAINT. There is a wealth of possible options that can be used to unleash SAINT's full potential. Be careful, however, because it is easy to unwittingly make your neighbors think that you're trying to attack them with any scans that you run - always be certain that you have permission to scan any potential hosts that you're thinking of testing.
