SATAN Database Format
There are three main databases in SATAN:
The "facts" database
All information is in the form of text records with the attributes
described below; there are eight fields, each separated by a pipe
("|") character.
This information is what is collected by SATAN's dumb data collection
tools - no intelligence used, they just do what they're told to do.
Inferences and conclusions drawn from it are stored in the same format; the fields are:
- Target
- Service
- Status
- Severity
- Trusted
- Trustee
- Canonical Service Output
- Text
Target
Name of the host that the record refers to. In order of preference,
this is the FQDN, the IP address, an estimated name, or a partial name.
A partial name can result from service output getting truncated; e.g.
finger can return "foo.bar.co"; is that "foo.bar.com", or something
longer? SATAN tries to figure this out, but obviously can't always be
right.
Service
The basename of the tool, with the ".satan" suffix removed.
In the case of tools that probe multiple services (such as
rpcinfo or the portscanner), the name of the service being
probed.
Status
This tells us if the host was reachable, if it timed out, or whatever.
The codes and what they mean are:
- a: available
- u: unavailable (e.g. timeout)
- b: bad (e.g. unable to resolve)
- x: look into further?
Severity
How serious was the vulnerability? The codes are:
- rs: host or root access to the target.
- us: user shell access
- ns: nobody shell access
- uw: user file write
- nr: nobody file read
Trustee
This is who trusts another target. It is denoted by two tokens separated
by an at sign ("@"). The left part is the user:
- user: a particular user on the host is trusted
- root: only root is trusted
- nobody: user nobody on the host is trusted
- ANY: any arbitrary user on the host is trusted
The right part of the trust field is the host that is trusted - it is
either the target or ANY, which refers to any host on
the Internet.
Trusted
This is whom the trustee trusts. It is denoted by two tokens
separated by an at sign ("@"), and it uses the same format as the
"trustee" field.
Canonical Service Output
In the case of non-vulnerability records,
this is a reformatted version of the network service's output; the format is
either "user name, home dir, last login" or
"filesys, clients".
In the case of vulnerability records, this is a description of the
problem type. SATAN uses this name in reports by vulnerability type,
and uses it to locate the corresponding vulnerability tutorial.
Text
This is a place to put a human-readable message (in English or any
other language) that can be output in the final report.
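As an added example (not part of SATAN or its documentation), the following Python parser reads facts records as laid out above, validates the status, severity and trust codes, and groups vulnerability records by their canonical problem name the way SATAN's per-type reports do. The field order follows the list above (Target, Service, Status, Severity, Trusted, Trustee, Canonical Service Output, Text); the hostnames, findings and sample records are constructed for illustration, and the use of a bounded split so that a stray "|" in the free-text field does not shift the columns is a defensive choice of this example, not documented SATAN behaviour.

```python
"""Parser for SATAN "facts" records (added example, not SATAN code).

Field order follows the page's list: Target, Service, Status, Severity,
Trusted, Trustee, Canonical Service Output, Text. All sample data below
is constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

STATUS_CODES = {
    "a": "available",
    "u": "unavailable (e.g. timeout)",
    "b": "bad (e.g. unable to resolve)",
    "x": "look into further",
}
SEVERITY_CODES = {
    "rs": "host or root access",
    "us": "user shell access",
    "ns": "nobody shell access",
    "uw": "user file write",
    "nr": "nobody file read",
}
TRUST_USERS = {"user", "root", "nobody", "ANY"}
NUM_FIELDS = 8


@dataclass
class Fact:
    target: str
    service: str
    status: str
    severity: str
    trusted: str
    trustee: str
    canonical: str
    text: str

    @property
    def is_vulnerability(self) -> bool:
        # Vulnerability records carry a severity code; plain data records leave it empty.
        return self.severity != ""


def split_trust(token: str) -> Optional[Tuple[str, str]]:
    """Split a 'user@host' trust token; an empty token (data record) gives None."""
    if token == "":
        return None
    user, sep, host = token.partition("@")
    if not sep or user not in TRUST_USERS or host == "":
        raise ValueError(f"malformed trust token: {token!r}")
    return user, host


def parse_fact(line: str) -> Fact:
    # Bounded split: the last (free-text) field keeps any '|' it contains.
    # Defensive choice of this example; the page only says fields are pipe-separated.
    fields = line.rstrip("\n").split("|", NUM_FIELDS - 1)
    if len(fields) != NUM_FIELDS:
        raise ValueError(f"expected {NUM_FIELDS} fields, got {len(fields)}: {line!r}")
    fact = Fact(*fields)
    if fact.status not in STATUS_CODES:
        raise ValueError(f"unknown status code {fact.status!r}")
    if fact.severity and fact.severity not in SEVERITY_CODES:
        raise ValueError(f"unknown severity code {fact.severity!r}")
    split_trust(fact.trusted)  # validate both trust fields
    split_trust(fact.trustee)
    return fact


def parse_facts(text: str) -> Tuple[List[Fact], List[str]]:
    """Parse a whole facts file; malformed lines are reported, not silently dropped."""
    facts, errors = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            facts.append(parse_fact(line))
        except ValueError as exc:
            errors.append(str(exc))
    return facts, errors


def by_vulnerability_type(facts: List[Fact]) -> Dict[str, List[str]]:
    """Group vulnerable targets by canonical problem name, as SATAN's per-type reports do."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for f in facts:
        if f.is_vulnerability:
            groups[f.canonical].append(f.target)
    return dict(groups)


# Constructed sample records: one vulnerability, one finger data record,
# one timed-out probe, and one truncated (malformed) line.
SAMPLE_FACTS = """\
nfs.example.com|nfs|a|rs|ANY@ANY|root@nfs.example.com|unrestricted NFS export|exports / to everyone
ws1.example.com|finger|a||||jdoe, /home/jdoe, never logged in|finger reports user jdoe
10.0.0.7|tcpscan|u|||||connection timed out
broken.example.com|finger|a||
"""

if __name__ == "__main__":
    parsed, problems = parse_facts(SAMPLE_FACTS)
    for f in parsed:
        print(f.target, f.service, STATUS_CODES[f.status], SEVERITY_CODES.get(f.severity, "-"))
    print("by type:", by_vulnerability_type(parsed))
    print("errors:", problems)
```

Malformed lines are collected rather than discarded, since a truncated record in a scan database is itself something an operator should see.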
"all-hosts" - all the hosts seen database
The all-hosts database keeps track of what hosts SATAN has seen, in
any way, shape, or form, while scanning networks, including hosts that
may or may not exist. (Non-existent hosts might include, for instance,
hosts reported in the output of the showmount command.)
The database is an ASCII file, with six (6) fields separated by a
pipe ("|") character, whose attributes are:
- IP address of the host
- The proximity level from the original target
- The attack level the host has been probed with
- Was subnet expansion on? (1 = yes, 0 = no)
- What time was the scan done?
(See the SATAN configuration file documentation
for more information on these variables and concepts.)
"todo" - database that tracks probes already done
The todo database keeps track of what probes have already been done.
It's in the form of text records with attributes described below;
there are three fields, each separated by a pipe ("|") character:
- The hostname
- The name of the tool that is to be run next
- Any arguments for the tool
Each entry causes the named .satan tool to be run against the hostname
with the given arguments, if any.