There are three main databases in SAINT™:

The "facts" database

All information is in the form of text records with attributes described below; there are seven fields, each separated by a pipe ("|") character.

This information is what is collected by SAINT's dumb data collection tools - no intelligence used, they just do what they're told to do.

Inferences and conclusions are in the same format; the fields are:

    1. Target
    2. Service
    3. Status
    4. Severity
    5. Trusted
    6. Trustee
    7. Canonical Service Output
    8. Text

Target

Name of host that the record refers to. In order of preference, it uses FQDN, IP, estimated, or partial. Partial can result from service output getting truncated; e.g. finger can return "foo.bar.co"; is that "foo.bar.com", or something longer? SAINT tries to figure this out, but obviously can't always be right.

Service

The basename of tool, with the ".saint" suffix removed. In the case of tools that probe multiple services (such as rpcinfo or the portscanner), the name of the service being probed.

Status

This tells us if the host was reachable, if it timed out, or whatever. The codes and what they mean are:

    1. a: available
    2. u: unavailable (e.g. timeout)
    3. b: bad (e.g. unable to resolve)
    4. x: look into further?

Severity

How serious was the vulnerability? The codes are:

Critical Problems

    1. rs : host or root access to the target.
    2. ns : nobody shell access
    3. ur : user file read
    4. uw : user file write
    5. nr : nobody file read
    6. nw : nobody file write
    7. ht : evidence of a hacker track

Areas of Concern

    1. ynis: password guessing through NIS
    2. yus : user shell through X

Potential Problems

    1. zcio: check it out for possible vulnerabilies
    2. zwoi: do you want this acccessable on the Internet

Trustee

This is who trusts another target. It is denoted by two tokens separated by an at sign ("@"). The left part is the user :

    1. user: a particular user on the host is trusted
    2. root: only root is trusted
    3. nobody: user nobody on the host is trusted
    4. ANY: any arbitrary user on the host is trusted

The right part of the trust field is the host that is trusted - it is either the target or ANY, which refers to any host on the Internet.

Trusted This is who is the trustee trusts. It is denoted by two tokens separated by an at sign ("@"), and it uses the same format the the "trustee" field.

Canonical Service Output

In the case of non-vulnerability records, this is a reformatted version of the network service; the format is either "user name, home dir, last login" or "filesys, clients". In the case of vulnerability records, this is a description of the problem type. SAINT uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial.

Text

This is a place to put english (or other languages)-like messages that can be outputted in the final report.

"all-hosts" - all the hosts seen database

The all-hosts database keeps track of what hosts SAINT has seen, in any way, shape, or form, while scanning networks, including hosts that may or may not exist. (Non-existant hosts might include, for instance, hosts reported from the output of the showmount command. The database is an ASCII file, with six (6) fields separated by a pipe ("|") character, whose attributes are:

(See the SAINT™ configuration file documentation for more information on these variables and concepts.)

"todo" - database that tracks probes already done

The todo database keeps track of what probes have already been done. It's in the form of text records with attributes described below; there are three fields, each separated by a pipe ("|") character:

The tools perform .saint probes against the hostname with the arguments, if any.