SAINT Documentation
SAINT Corporation
--------

Extending SAINT

One of the best parts of SAINT is that it is so easy to modify, configure, and add your own probes and vulnerability checks to the system. All of the probes are files that end in .saint and are kept in the bin subdirectory. The rules which SAINT uses to infer vulnerabilities are in the rules directory. (See the section on saint rules for more information on the rulesets.)

SAINT tests for vulnerabilities in roughly two phases:

  • SAINT first conducts the initial data collection. The actions in this phase are carried out by the ".saint" files we discussed earlier. Upon completion of the initial data collection, the results are written into a database, which is an ASCII text file. (See SAINT database.) The results of the initial data collection include both informational and vulnerability data.
  • Next, SAINT checks the rulesets to determine whether it can infer other vulnerabilities from existing facts. For instance, if SAINT finds an old version of sendmail running on a system, it can reasonably infer that the system is vulnerable to certain sendmail exploits. If a new vulnerability can be inferred from the output of existing probes, there is no need to write a new probe for it. See rules/facts for information on modifying the rulesets.

Adding a SAINT Probe

If you would like to add a probe to SAINT, such as one that checks newer versions of sendmail for bugs, follow the steps outlined below:
  1. Create an executable that checks for the problem you'd like to scan for. It generally takes one or two arguments: the first is the hostname of the target; the second is an optional "FW", ".PLUS", or "FW.PLUS" argument indicating a firewall environment, the heavyplus attack level, or both. Place the executable in the bin directory.
  2. Have the probe output valid SAINT output records. See the SAINT database format document for the record format. Also have the probe output the string "BEGIN" on its first line; this is how SAINT knows the probe started successfully even when it produces no other output.
  3. If the probe is a C program or anything else that must be processed or compiled before it can run, either modify the existing SAINT makefile to do so or create your own.
  4. If the probe is to be run conditionally, add a rule to rules/todo that runs it. That is, if the probe should only be run against certain targets, such as those running a particular service or operating system, add a rule specifying that the probe is run under those conditions.
  5. Decide which attack level(s) it runs at: light, normal, heavy, and/or heavyplus, plus top 20 if the vulnerability is among the Top 20. Modify the appropriate variable(s) in the saint.cf file. If the probe is run conditionally as discussed above, put a question mark after the name of the probe. Note that the heavy and heavyplus attack levels contain the "*?" entry by default, so it is not necessary to list each conditional probe at these levels.

Adding a Tutorial

If you create your own probes, you will probably also want to create an information file to go along with each one. We refer to these information files as tutorials. A tutorial should explain the vulnerability, describe how to fix it or devise a workaround, and point to any applicable CERT or vendor advisories. Look in the html/tutorials/vulnerabilities subdirectory for sample tutorials.

To ensure that SAINT can link to the tutorial, look at the seventh field (canonical service output) of the record that the tool outputs. (See the SAINT database for more details on database records.) The tutorial's filename must be identical to this field, with underscores ("_") in place of spaces and an ".html" suffix. For instance, for REXD the canonical service output is "REXD access", so the filename is REXD_access.html. Place the tutorial in the html/tutorials/vulnerabilities directory.
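As a worked example of the probe procedure above (steps 1 and 2) and of the tutorial naming rule, here is a complete SAINT-style probe script written for this page; it is not one of SAINT's own bin/*.saint probes. It takes the target hostname and the optional "FW"/".PLUS"/"FW.PLUS" argument, prints BEGIN on its first line, reads the target's SMTP greeting, and emits one output record when the sendmail version in the banner is older than a threshold. Everything not stated on this page is an assumption and is labelled as such in the code: the probe name sendmail_version.saint, the threshold 8.9.3, the canonical service output "Sendmail version" (and therefore the tutorial file Sendmail_version.html), and the eight "|"-separated record layout taken from the SATAN/SAINT database format, of which only "field 7 is the canonical service output" is confirmed by this page; the status, severity, trusted and trustee values are placeholders to check against the database format document. The rules/todo entry and saint.cf change from steps 4 and 5 are not shown.

```bash
#!/bin/bash
# sendmail_version.saint -- example SAINT-style probe (added illustration; not
# one of SAINT's own probes). Checks the SMTP greeting for an old sendmail.
#
# Usage (as SAINT invokes probes): sendmail_version.saint <target> [FW|.PLUS|FW.PLUS]
# With no target on the command line only the functions are defined.

MIN_OK_VERSION="8.9.3"   # assumption: report anything older than this

# SAINT expects BEGIN as the first line so it knows the probe started.
emit_begin() { printf 'BEGIN\n'; }

# Extract "x.y.z" from a greeting such as
#   220 mail.example.com ESMTP Sendmail 8.8.5/8.8.5; Mon, 1 Jan 2001 ...
# Prints the version; returns 1 when the banner is not from sendmail.
parse_sendmail_version() {
    local banner="$1" ver
    case "$banner" in
        *Sendmail*) ;;
        *) return 1 ;;
    esac
    ver=$(printf '%s\n' "$banner" | sed -n 's/.*Sendmail \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# True (exit 0) when dotted version $1 is numerically older than $2.
version_lt() {
    [ "$1" != "$2" ] || return 1
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# One SAINT output record. Layout assumed from the SATAN/SAINT database format:
#   target|service|status|severity|trusted|trustee|canonical service output|text
# Field 7 ("Sendmail version") is what SAINT uses to find the tutorial; the
# status/severity/trust values here are placeholders to verify against the
# database format document.
emit_record() {
    local target="$1" ver="$2"
    printf '%s|sendmail|a|us|ANY@ANY|ANY@%s|Sendmail version|sendmail %s is older than %s\n' \
        "$target" "$target" "$ver" "$MIN_OK_VERSION"
}

# Tutorial file name for a record: field 7 with spaces as underscores plus
# ".html", to be placed in html/tutorials/vulnerabilities/.
tutorial_filename() {
    printf '%s\n' "$1" | cut -d'|' -f7 | tr ' ' '_' | sed 's/$/.html/'
}

# Full probe run: BEGIN, banner grab, version check, one record if vulnerable.
# The optional second argument (FW, .PLUS, FW.PLUS) is accepted but unused:
# this check behaves the same in every mode.
probe() {
    local target="$1" banner ver
    emit_begin
    # Grab the first banner line with bash's /dev/tcp and a bounded wait;
    # errors (closed port, no route, timeout) leave the banner empty.
    banner=$( { exec 3<>"/dev/tcp/$target/25" && IFS= read -r -t 10 line <&3 \
                && printf 'QUIT\r\n' >&3 && printf '%s' "$line"; } 2>/dev/null ) || true
    ver=$(parse_sendmail_version "$banner") || return 0   # not sendmail: no record
    if version_lt "$ver" "$MIN_OK_VERSION"; then
        emit_record "$target" "$ver"
    fi
}

if [ $# -ge 1 ]; then
    probe "$@"
fi
```

Install it as bin/sendmail_version.saint, make it executable, and run it by hand against a test host to confirm that BEGIN is the first line and that the record's seventh field matches the tutorial file name exactly (SAINT derives the link from that field, so a stray space or capitalisation change breaks it). The script needs bash for /dev/tcp; a probe written for plain sh would use a tool such as nc for the banner grab instead.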

And that's just how easy it is! After you have created your probe, be sure to place it in the ./bin subdirectory with the other SAINT probes, or have the makefile do so after processing the source code. Your probe will then be run against any target whose attack level corresponds to your new probe and, where applicable, that meets the conditions in the ruleset.

If you would like to disseminate your new probe, or any changes to existing probes or rulesets, to the world, feel free to send it to saint@wwdsi.com, and it will be considered for inclusion in the next version of SAINT. If you are submitting changes to existing files, it may be easiest to submit the output from the diff command to show what changes were made.
