SATAN Database Format


All information is in the form of text records with attributes described below; there are seven fields, each separated by a pipe ("|") character.

This information is what SATAN's dumb data collection tools collect - no intelligence is used, they just do what they're told to do.

Inferences and conclusions are in the same format; the fields are:

  1. Target
  2. Service
  3. Status
  4. Severity
  5. Trusted
  6. Trustee
  7. Canonical Service Output
  8. Text

Fields

  1. Target Name of host that the record refers to. In order of preference, it uses FQDN, IP, estimated, or partial. Partial can result from service output getting truncated; e.g. finger can return "foo.bar.co"; is that "foo.bar.com", or something longer? SATAN tries to figure this out, but obviously can't always be right.

  2. Service The basename of the tool, with the ".satan" suffix removed. In the case of tools that probe multiple services (such as rpcinfo or the portscanner), the name of the service being probed.

  3. Status This tells us if the host was reachable, if it timed out, or whatever. The codes and what they mean are:
      a: available
      u: unavailable (e.g. timeout)
      b: bad (e.g. unable to resolve)
      x: look into further?

  4. Severity How serious was the vulnerability? The codes are:
    1. rs: host or root access to the target.
    2. us: user shell access
    3. ns: nobody shell access
    4. uw: user file write
    5. nr: nobody file read

  5. Trustee This is who trusts another target. It is denoted by two tokens separated by an at sign ("@"). The left part is the user:
    1. user: a particular user on the host is trusted
    2. root: only root is trusted
    3. nobody: user nobody on the host is trusted
    4. ANY: any arbitrary user on the host is trusted
    The right part of the trust field is the host that is trusted - it is either the target or ANY, which refers to any host on the Internet.

  6. Trusted This is who the trustee trusts. It is denoted by two tokens separated by an at sign ("@"), and it uses the same format as the "trustee" field.

  7. Canonical Service Output In the case of non-vulnerability records, this is a reformatted version of the network service; the format is either "user name, home dir, last login" or "filesys, clients". In the case of vulnerability records, this is a description of the problem type. SATAN uses this name in reports by vulnerability type, and uses it to locate the corresponding vulnerability tutorial.

  8. Text This is a place to put English-like (or other-language) messages that can be output in the final report.
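As an added example (not SATAN's own code), a small Python parser for records in this format. It assumes the field order of the Fields section above (trustee before trusted), treats an empty severity or trust field as "none", validates the status and severity codes, and runs on a constructed sample database that includes one malformed line.

```python
from collections import namedtuple
from typing import List, Optional, Tuple

STATUS = {"a": "available", "u": "unavailable", "b": "bad", "x": "look into further"}
SEVERITY = {"rs": "root access", "us": "user shell", "ns": "nobody shell",
            "uw": "user file write", "nr": "nobody file read"}
# Field order assumed from the "Fields" section: trustee (who trusts) before trusted (who is trusted)
Record = namedtuple("Record", "target service status severity trustee trusted output text")

def parse_trust(token: str) -> Optional[Tuple[str, str]]:
    """Split a 'user@host' token into (user, host); an empty field means no trust statement."""
    if not token:
        return None
    user, sep, host = token.partition("@")
    if not (sep and user and host):
        raise ValueError(f"malformed trust token {token!r}")
    return (user, host)

def parse_record(line: str) -> Record:
    """Parse one record; Text is the last field, so maxsplit=7 keeps any pipes inside it."""
    fields = line.rstrip("\n").split("|", 7)
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}")
    target, service, status, severity, trustee, trusted, output, text = fields
    if status not in STATUS:
        raise ValueError(f"unknown status code {status!r}")
    if severity and severity not in SEVERITY:  # severity is empty on non-vulnerability records
        raise ValueError(f"unknown severity code {severity!r}")
    return Record(target, service, status, severity,
                  parse_trust(trustee), parse_trust(trusted), output, text)

def load_facts(text: str) -> Tuple[List[Record], List[str]]:
    """Parse a whole database; malformed lines are collected rather than aborting the run."""
    records, errors = [], []
    for line in filter(str.strip, text.splitlines()):
        try:
            records.append(parse_record(line))
        except ValueError as exc:
            errors.append(f"{line!r}: {exc}")
    return records, errors

def world_trusting(records: List[Record]) -> List[str]:
    """Targets with a record whose trusted party is ANY@ANY, i.e. any user on any host."""
    return sorted({r.target for r in records if r.trusted == ("ANY", "ANY")})

# Constructed sample database: hosts and outputs are made up, not real SATAN output.
SAMPLE = """\
host.example.com|nfs|a|uw|ANY@host.example.com|ANY@ANY|/export, everyone|world-exported /export
host.example.com|finger|a||||guest, /home/guest, Jan 1|finger: guest account
10.0.0.9|rpcinfo|u|||||timed out
short|line
"""
```

Running `load_facts(SAMPLE)` yields three records and one error for the short line; `world_trusting` then reports host.example.com, whose NFS record trusts any user on any host.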