SAINT: A Security Analysis Integration Tool
Diego M. Zamboni
Computer Security Area
Dirección General de Servicios de Cómputo Académico
Universidad Nacional Autónoma de México
Apdo. Postal 20-059, 01000 México D.F., México
of México that will allow integrated analysis of information gathered from various sources, such as security
tools and system logs. By simulating events occurring in the systems, and collected from the different
sources, SAINT will allow detection, or even prevention, of problems that may otherwise go undetected due
to lack of information about them in any single place. SAINT’s modular and extensible architecture makes it
feasible to add new modules for processing new data types, detecting new kinds of problems, or presenting
the results in different formats.
1 Introduction — The Problem
the use of various security tools has been promoted as one of many ways of increasing Unix system security.
Until now, only freely available tools have been used, mainly because they cover most of the needs in this
particular academic and research environment.
The main set of tools used consists of COPS [FS90], TCP-Wrappers [Ven92], Passwd+ [Bis95], Crack
[Muf], TripWire [KS93, KS94a, KS94b] and SATAN [FV], although other tools (like Tiger [SSH93], S/Key
[Hal94, HA94] and the logdaemon suite [Ven]) are also used.
Experience has shown that, when the need arises to diagnose a problem, the solution often comes after
collecting information from more than one source, including, but not restricted to, the tools mentioned above.
For example, to trace a suspicious su access to root, it may be necessary to match a wtmp record with a
sulog entry. To further trace it back to its origins, it may be necessary to match the wtmp record with a
TCP-Wrappers log entry, go to other systems and repeat the log analysis and matching until all the needed
data is collected. The information is available, in many cases, but it is scattered over several systems and
in different formats, and it has to be collected and analyzed manually to get something more useful than just
a collection of facts.
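The tracing described above (a sulog entry matched to the wtmp record that owned the tty, then to the TCP-Wrappers entry for the originating connection), written out as an added example that is not part of the paper or of SAINT. The log lines and session records are constructed, and the sulog and tcpd line formats are assumed to be the SunOS-era ones shown in the sample data.

```python
import re
from datetime import datetime, timedelta
YEAR = 1996  # sulog and syslog lines carry no year; assumed for the sample data
# Constructed sample data (not from the paper): SunOS-style sulog lines,
# wtmp sessions as (user, tty, host, login, logout), and tcpd syslog lines.
SULOG = """SU 05/14 10:42 + ttyp3 jdoe-root
SU 05/14 11:05 - ttyp5 guest-root
"""
WTMP = [
    ("jdoe", "ttyp3", "host-a.example", "1996-05-14 10:30", "1996-05-14 11:00"),
    ("guest", "ttyp5", "host-b.example", "1996-05-14 11:00", "1996-05-14 11:20"),
]
TCPD_LOG = """May 14 10:29:58 srv in.telnetd[1234]: connect from host-a.example
May 14 10:59:50 srv in.telnetd[1301]: connect from host-b.example
"""
SU_RE = re.compile(r"^SU (\d\d)/(\d\d) (\d\d):(\d\d) ([+-]) (\S+) (\S+)-(\S+)$")
TCPD_RE = re.compile(r"^(\w{3}) +(\d+) (\d\d:\d\d:\d\d) \S+ (\S+)\[\d+\]: connect from (\S+)$")
def parse_sulog(text):
    """su attempts as dicts; the '+'/'-' flag records success or failure."""
    out = []
    for m in filter(None, map(SU_RE.match, text.splitlines())):
        mo, d, h, mi, flag, tty, src, dst = m.groups()
        out.append({"time": datetime(YEAR, int(mo), int(d), int(h), int(mi)),
                    "ok": flag == "+", "tty": tty, "user": src, "target": dst})
    return out

def parse_tcpd(text):
    """tcpd 'connect from' events as dicts with time, daemon and peer host."""
    out = []
    for m in filter(None, map(TCPD_RE.match, text.splitlines())):
        mon, d, hms, daemon, host = m.groups()
        t = datetime.strptime(f"{YEAR} {mon} {d} {hms}", "%Y %b %d %H:%M:%S")
        out.append({"time": t, "daemon": daemon, "host": host})
    return out

def trace_su_to_root(sulog, wtmp, tcpd, window=timedelta(seconds=60)):
    """Chain each su to root to the wtmp session owning its tty, then to the tcpd connect from that host."""
    connects, chains = parse_tcpd(tcpd), []
    for su in parse_sulog(sulog):
        if su["target"] != "root": continue
        chain = {"su": su, "session": None, "connect": None, "user_mismatch": False}
        for user, tty, host, login, logout in wtmp:
            lo, lg = (datetime.strptime(x, "%Y-%m-%d %H:%M") for x in (login, logout))
            if tty == su["tty"] and lo <= su["time"] <= lg:
                chain["session"] = {"user": user, "host": host, "login": lo}
                chain["user_mismatch"] = user != su["user"]  # tty owner differs from su caller
                chain["connect"] = next((c for c in connects if c["host"] == host
                                         and lo - window <= c["time"] <= lo), None)
        chains.append(chain)
    return chains
```

A chain whose `session` or `connect` stays `None` is itself a finding: the su happened on a tty with no matching login, or from a host with no recorded connection, which is exactly the kind of gap that only shows up once the three sources are read together.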
Therefore, the problem can be summarized in the following points:
To achieve acceptable levels of security, it is necessary — among many other things, of course — to use
several different tools, each one of them working on something specific (and, many times, even dupli-
Each one of these tools generates data on its own, and in different formats.
To have a more complete view of what is happening, the system and/or security administrator has to
read several reports and logs generated by the tools, often over a period of time.
The correlations and matching between related items in the different logs have to be done manually by
* Originally published in the Proceedings of the 1996 SANS (System Administration, Networking and Security) Conference,
Washington D. C., May 12–18, 1996.
In Mexico (and other non-English speaking countries, for sure), the fact that all the generated
information is in English poses yet another problem. Although English is the lingua franca in computing, it is
still a barrier for people (including many Unix system administrators) using computers in México.
This can, and does, lead to mis-utilization of the tools, which just sit there collecting mountains of data
that nobody ever uses. Recently, some tools have been released that allow easier viewing of generated data
(most notably CIAC’s Merlin [CIA]), but the problem still remains of making an understandable whole of the
seemingly chaotic set of reports and log files.
That is why the idea of SAINT was born: to make a system that allows integrated analysis of data collected
from various sources, and tries to extract interesting information to be presented to the administrator in an
easy-to-read format.
This paper presents the design of SAINT, which is still under development at UNAM’s Computer Security
2 Related work
Log file analysis is not new. In fact, it has been used for many years. At the simpler end, there are tools like
searching for certain patterns and doing something when they are found. These tools are useful for looking
for very specific things, but since the search they perform is essentially stateless, their usefulness is restricted
to looking for specific things that may indicate problems.
HCMM92], which uses a rule-based language (called RUSSEL) to process audit trails generated by a number
of systems. In a distributed environment, ASAX runs local “evaluator” processes on each monitored host,
which submit their local results to a master server, which in turn processes the consolidated data. Although
the model is general enough to be ported to any type of system, the current implementation is oriented towards
SunOS 4.1 with C2 security features, and uses PVM [GBD+94] as the communication mechanism between
ASAX is a very powerful package, and its rule-based analysis makes it able to detect complex event
sequences that may indicate problems. However, that same complexity makes it difficult to use in a very
heterogeneous environment like ours. The recommended (C2) audit mechanisms are not in place in most of our
systems, and compiling ASAX on very different versions of Unix proved difficult.
3 What is SAINT?
SAINT provides the framework for performing the following functions:
1. Cross-analysis of reports and logs generated by various security tools, as well as system logs, in several
Unix systems. The goal is to detect things (or sequences or patterns of things) that may indicate
problems of any kind.
2. If possible, obtain information about likely causes of detected problems.
3. Warning generation when appropriate (the clearest case would be when a flagrant security problem
is detected, but there are many other situations where timely notifications are very useful).
4. If possible, suggest available solutions to detected problems.
5. In its first version, presentation of all the results in Spanish.
The main goals when designing SAINT were:
Make it extensible. It should be easy to add new modules to the system, to make it aware of new kinds of
available information (for example, a new tool), or to modify or improve its analysis capabilities.
More information about UNAM’s Computer Security Area can be found at http://www.super.unam.mx/asc/
[FS90] Daniel Farmer and Eugene H. Spafford. The COPS security checker system. In Proceedings of
the Summer 1990 Usenix Conference, pages 165–170. Usenix, June 1990. Available at http:
[FV] Dan Farmer and Wietse Venema. SATAN documentation (Security Administrator Tool for An-
alyzing Networks). Included in the SATAN package distribution, available at ftp://ftp.
[GBD+94] Al Geist, Adam Beguelin, Jack Dongarra, Weicheng Jiang, Robert Manchek, and Vaidy Sunderam.
PVM 3 user’s guide and reference manual. Manual ORNL/TM-12187, Engineering
Physics and Mathematics Division, Mathematical Sciences Section, Oak Ridge National Laboratory,
September 1994. Available at http://www.netlib.org/pvm3/ug.ps.
[HA92] Stephen E. Hansen and E. Todd Atkins. Centralized system monitoring with Swatch. In Pro-
ceedings of the 3rd UNIX Security Symposium, pages 105–117. Usenix, September 1992.
[HA93] Stephen E. Hansen and E. Todd Atkins. Automated system monitoring and notification with
swatch. In Proceedings of the LISA VII Systems Administration Conference, pages 145–155.
[HA94] N. Haller and R. Atkinson. On Internet authentication. RFC 1704, Network Working Group,
October 1994. Available at ftp://nic.ddn.mil/rfc/rfc1704.txt.
[Hal94] Neil Haller. The S/KEY one-time password system. In Proceedings of the ISOC Symposium on
[HCMM92] Naji Habra, Baudouin Le Charlier, Abdelaziz Mounji, and Isabelle Mathieu.
ware architecture and rule-based language for universal audit trail analysis. In Proceedings
of ESORICS ’92: European Symposium on Research in Computer Security. Springer-Verlag,
November 1992. Available in the ASAX distribution at ftp://coast.cs.purdue.edu/
[Hug] Doug Hughes. TkLogger. Program available at ftp://coast.cs.purdue.edu/pub/
[KS93] Gene H. Kim and Eugene H. Spafford. The design of a system integrity monitor: Tripwire. Technical
Report CSD-TR-93-071, COAST Laboratory, Department of Computer Sciences, Purdue
University, West Lafayette, IN 47907-1398, November 1993. Available at http://www.cs.
[KS94a] Gene H. Kim and Eugene H. Spafford. Experiences with Tripwire: Using integrity checkers
for intrusion detection. Technical Report CSD-TR-94-012, COAST Laboratory, Department of
Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, February 1994. Avail-
able at http://www.cs.purdue.edu/homes/spaf/tech-reps/9412.ps.
[KS94b] Gene H. Kim and Eugene H. Spafford. Writing, supporting, and evaluating Tripwire: A publicly
available security tool. Technical Report CSD-TR-94-019, COAST Laboratory, Depart-
ment of Computer Sciences, Purdue University, West Lafayette, IN 47907-1398, March 1994.
Available at http://www.cs.purdue.edu/homes/spaf/tech-reps/9419.ps.
[KS94c] Sandeep Kumar and Eugene H. Spafford. An application of pattern matching in intrusion
detection. Technical Report CSD-TR-94-013, COAST Laboratory, Department of Computer Sci-
ences, Purdue University, West Lafayette, IN 47907-1398, June 1994. Available at http://
[KS95] Sandeep Kumar and Eugene H. Spafford. A software architecture to support misuse intrusion
detection. Technical Report CSD-TR-95-009, COAST Laboratory, Department of Computer
Sciences, Purdue University, West Lafayette, IN 47907-1398, March 1995. Available at http:
[Kum95] Sandeep Kumar. Classification and Detection of Computer Intrusions. PhD thesis, Purdue
University, August 1995. Available at ftp://coast.cs.purdue.edu/pub/COAST/
[MCZH95] Abdelaziz Mounji, Baudouin Le Charlier, Denis Zampuniéris, and Naji Habra. Distributed audit
trail analysis. In Proceedings of the ISOC 95 Symposium on Network and Distributed System
Security, 1995. Available in the ASAX distribution at ftp://coast.cs.purdue.edu/
[Muf] Alec D. E. Muffett. Crack Version 4.1: A Sensible Password Checker for Unix. Manual included
in the distribution of Crack, available at ftp://ftp.super.unam.mx/pub/security/
[SSH93] Dave Safford, Douglas Lee Schales, and David K. Hess. The TAMU security package: An on-
going response to internet intruders in an academic environment. In Proceedings of the Fourth
USENIX UNIX Security Symposium, pages 91–118. Usenix, October 1993. Program available
[Ven] Wietse Venema. Logdaemon package. Program and documentation available at ftp://ftp.
[Ven92] Wietse Venema. TCP Wrapper: Network monitoring, access control, and booby traps.
In Proceedings of the 3rd UNIX Security Symposium, pages 85–92. Usenix, September
1992. Program available at ftp://ftp.super.unam.mx/pub/security/tools/
[Wal] Larry Wall. Perl5 documentation. Included in the Perl5 package, available at ftp://ftp.
[WS92] Larry Wall and Randal L. Schwartz. Programming Perl. O’Reilly & Associates, Inc., 103 Morris
Street, Suite A, Sebastopol, CA 95472, first edition, March 1992.