![]() |
||||
|
SAINT RulesetsWhile not as potentially dangerous as the SAINT configuration file, the collection of files that make up SAINT's internal rules are also an important part of the SAINT system. All inferencing is done here. This is how SAINT determines, for instance, what the target's OS and hardware type is from the other data collected in the system. Generally speaking, the rule files determine:
The rules are written using standard SAINT operators and regular expressions. See a PERL manual or the examples below if you are unfamiliar with PERL. There are seven rule files, each governing a separate part of SAINT's behavior:
The rule format is: condition TAB [yes|no] TAB number(s)Each condition is applied to the text field of each vulnerability record. If there is a match, then the corresponding CVE number or numbers, if present, are assigned to the vulnerability. If a record does not match any of the conditions in rules/cve, then no CVE number is associated with the vulnerability. The second field indicates whether or not the vulnerability is one of the SANS Top 10 Internet Security Threats. The word "yes" in this field indicates that the vulnerability is on the list. For instance, CVE 1999-0002 corresponds to the vulnerability in mountd, which is on the Top 10 list. SAINT outputs the string "mountd may be vulnerable" when it finds this vulnerability. Therefore, the rule is: /mountd may be vulnerable/i yes 1999-0002 rules/dropThe rules/drop file contains rules that determine what facts should be ignored. Each rule is applied once for each SAINT record that has an "a" in the status field, meaning the host is available. (See the SAINT Data Base Format section.)For instance, SAINT assumes that CD-ROM drives are not harmful for export purposes; if we see a target host that exports /cdrom or /CDROM, we assume it's harmless by telling SAINT to ignore this fact: $text =~ /exports \/cdrom/iThe $text variable holds the output of the SAINT probe, showmount.saint. In this case, any of the global SAINT variables could be used.
The rule format is: condition TAB fact(Note: TAB is the tab character, not the three letters "T", "A", and "B".) For example, if we want to assume that if a host is running rexd it is insecure without trying to probe it further, we would put: /runs rexd/ $target|rexd|a|us|ANY@$target|ANY@ANY|REXD access|rexd vulnerableThe most difficult thing with the rules/facts file is that you have to understand the SAINT data base format. A good way to understand that better is to merely look at any of the .saint files in the bin directory and look to see what the probe does and what it outputs.
The format of this file is: CLASS class_name condition TAB hosttype(Note: the TAB is the tab character, not the three letters "T", "A", and "B".) The class_name is used for the first rough breakdown by host type in reports. It should be a major software category, such as SUN, APOLLO, etc. For example, here is the code for recognizing a SUN and its major OS revision: CLASS SUN UNKNOWN && /SunOS/ "SunOS 4" /4.1\/SMI-4.1/ "SunOS 4" /SMI-SVR4/ "SunOS 5"
While the code above may look fairly complex, it isn't really. Simply
study the examples, and then modify the code in the
examples to create your own rules.
The format of this file is: class_name condition TAB service_name TAB hostIf host is omitted, the host in the target field of the fact is implied. The class_name is one of the following:
$service eq "nntp" NNTP (Usenet news)
The format of this file is: condition TAB target tool tool-arguments(Note: the TAB is the tab character, not the three letters "T", "A", and "B".) The condition is a logical expression, with the usual internal SAINT variables, that has to be satisfied in order for SAINT to run the probe specified. When the condition is satisfied, and the tool is allowed to be run conditionally at the current attack level (see SAINT Configuration), the tool is executed as: tool tool-arguments targetSAINT keeps track of which tools have already been executed against which targets. For instance, if a host is running ypserv, we would typically run the ypbind.saint probe against it. This would be done as follows: $service eq "ypserv" $target "ypbind.saint" It's easy to put in a probe that depends on the type of system that you're looking at. For instance, SGI/IRIX hosts have guest, lp, and other accounts with no password when taken out-of-the-box from SGI. Here's how you could check to see if this is a problem: /IRIX/ $target "rsh.saint" "-u guest"This rule would tell SAINT to run rsh.saint against every IRIX target. The "-u guest" argument tells rsh.saint to do an rsh as user guest to see if commands can be executed remotely. SAINT would then record this fact in the results. rules/trustSimilar to the host and service type rules, SAINT uses the trust rules to translate the cryptic SAINT record data to something that is more suitable for reports. Again, each rule is executed once for each SAINT record that has an "a" in the status field. (See the SAINT database format section.)The format of this file is: condition TAB name of relationshipWith the currrent rules/trust file, SAINT only begins to scratch the surface. It handles only the most easily detected forms of trust: $severity eq "l" remote login $text =~ /exports \S+ to/ file sharing $text =~ / mounts \S+/ file sharing |