Extending SAINT
One of the best parts of SAINT is that it is so easy to modify, configure,
and add your own probes and vulnerability checks to the system.
All of the probes are files that end in .saint and are kept
in the bin subdirectory. The rules which SAINT uses to infer
vulnerabilities
are in the rules directory. (See the section on
saint rules for more information on
the rulesets.)
SAINT's vulnerability tests roughly proceed as follows:
- SAINT first conducts the initial data collection. The actions in this
phase are carried out by the ".saint" files discussed above.
Upon completion of the initial data collection, the results are written
into a database, which is an ASCII text file. (See
SAINT database.) The results of the initial data collection include
both informational and vulnerability data.
- Next, SAINT will check the rulesets to determine whether or not it can infer
other vulnerabilities from existing facts. For instance, if SAINT finds an old version of
sendmail running on a system, SAINT can reasonably infer that the
system will be vulnerable to certain sendmail exploits. If a new vulnerability
can be inferred from the output of existing probes, it is not necessary
to write a new probe to check for it. See rules/facts
for information on modifying the rulesets.
Adding a SAINT Probe
If you would like to add a probe to SAINT, such as one that will check newer
versions of sendmail for bugs, you must follow the steps outlined below:
- Create an executable that checks for the problem you'd like to scan
for. It generally takes one or two arguments: the first is the hostname
of the target of the probe, and the second is an optional "FW", ".PLUS",
or "FW.PLUS" argument indicating a firewall environment, the heavyplus
attack level, or both. Place the executable in the bin
directory.
- Have the probe output a valid SAINT output record. See the
SAINT database format document for more
information on the SAINT output record format. Also have the probe
output the string "BEGIN" on the first line. This is how SAINT knows
that the probe successfully began running if there is no other output.
- If the probe is a C program or something that must be processed or
compiled before being run, either modify the existing SAINT makefile to
do so, or create your own.
- If the probe is run conditionally, add a rule to
rules/todo which runs the probe. That is, if the probe should only
be run against certain targets, such as targets running a particular service
or operating system, then add a rule which specifies that the probe should
be run under those conditions.
- Decide what attack level(s) it will be run at: light,
normal, heavy, and/or heavyplus, and top 20
if the vulnerability is among the Top
20. Modify the appropriate
variable(s) in the saint.cf file.
If the probe is run conditionally as discussed above, then put a question
mark after the name of the probe. Note that the heavy and heavyplus
attack levels by default contain the "*?" entry, so it is not necessary
to list each conditional probe at these levels.
Adding a Tutorial
If you decide to create your own probes, you will also probably want
to create an information file to go along with each of them. We refer to these
information files as tutorials. A tutorial should contain
information such as an explanation of the vulnerability, how to
fix or devise a workaround for the vulnerability, and pointers to any
applicable CERT or vendor advisories.
Look in the html/tutorials/vulnerabilities subdirectory for
sample tutorials.
To ensure that SAINT will be able to provide a link to the tutorial,
look at the seventh field (canonical service output) of the record which the tool outputs. (See the
saint database for more details on
database records.)
The filename of the tutorials should be identical to this field, with underbars
("_") instead of spaces, and an ".html" suffix.
For instance, for REXD, the canonical service output is "REXD access", so
the filename is REXD_access.html.
Place the tutorial in the html/tutorials/vulnerabilities directory.
And that's just how easy it is! After you have created your probe, be
sure to place it in the ./bin subdirectory with the other SAINT
probes, or have the makefile do so after processing the source code.
Your probe will now be run against any target that has an attack level
that corresponds to your new probe and, if necessary, which meets the conditions in
the ruleset.
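The probe conventions from the steps above (argument handling, the leading BEGIN line, a pipe-separated output record) and the tutorial-filename rule from the previous section, as an added shell example that is not part of SAINT's own code. It assumes the record layout of the SAINT/SATAN database (eight pipe-separated fields with the canonical service output in the seventh); the status and severity codes, the service name and the finding text are constructed placeholders, and probe_mode, saint_record, tutorial_name and run_probe are hypothetical names.

```shell
#!/bin/sh
# Skeleton for a SAINT probe kept as bin/<name>.saint (added example,
# not SAINT's own code). Invocation: <name>.saint <target> [FW|.PLUS|FW.PLUS]
# Assumed record layout (check the SAINT database format document):
#   target|service|status|severity|trustee|trusted|canonical output|text

# Interpret the optional second argument. Prints the flags that apply,
# space separated, and fails (return 1) on an unrecognised value.
probe_mode() {
    case "$1" in
        "")      echo "" ;;
        FW)      echo "firewall" ;;
        .PLUS)   echo "heavyplus" ;;
        FW.PLUS) echo "firewall heavyplus" ;;
        *)       return 1 ;;
    esac
}

# Join the eight fields of one database record with '|' separators.
saint_record() {
    printf '%s|%s|%s|%s|%s|%s|%s|%s\n' "$@"
}

# Name of the tutorial SAINT will link to for a record: field 7
# (canonical service output), spaces replaced by underbars, plus ".html".
tutorial_name() {
    printf '%s\n' "$1" | cut -d'|' -f7 | tr ' ' '_' | sed 's/$/.html/'
}

# The probe body. "BEGIN" is printed first so SAINT knows the probe started
# even if nothing else is reported. The check itself is a stand-in: a
# constructed finding is emitted instead of contacting the target.
run_probe() {
    target="$1"
    mode=$(probe_mode "$2") || {
        echo "usage: $0 target [FW|.PLUS|FW.PLUS]" >&2
        return 2
    }
    echo "BEGIN"
    # A real probe would query "$target" here. Status "a" and severity "x"
    # are placeholder codes; the service and text are constructed.
    saint_record "$target" "rexd" "a" "x" "" "" "REXD access" \
        "rexd is enabled (mode: ${mode:-default})"
}

# Behave as a probe when invoked directly with a target argument.
if [ $# -ge 1 ]; then
    run_probe "$@"
fi
```

With the record above, tutorial_name yields REXD_access.html, the filename the tutorial must have under html/tutorials/vulnerabilities.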
If you would like to disseminate your new probe, or any changes to
existing probes or rulesets, to the world, feel free to send it to
saint@saintcorporation.com, and it will be considered for
inclusion in the next version of SAINT. If you are submitting changes
to existing files, it may be easiest to submit the output from the diff command
to show what changes were made.