# Rules that specify what probes to try next. Each rule is applied once
# to every 'a' SAINT record. Format of this file is:
#
#	condition TABs target tool tool-arguments
#
# Empty lines and text after a "#" character are ignored. Long lines may
# be broken with backslash-newline.
#
# The condition is a PERL expression, with full access to the global
# $target..$text variables and to everything else that has been found out
# so far. The target is the host that the tool is aimed at. A "*" before
# the tool argument list is a hack that specifies that tool arguments
# should be ignored when looking for duplicate tool invocations.
#
# When the condition is satisfied, the tool is executed as:
#
#	tool tool-arguments target
#
# The $junk variable is available for temporary results (wow!).
#
# The software keeps track of already executed tool invocations.
#
# version 2, Mon Mar 27 20:42:15 1995, last mod by wietse
#

#
# Output from the rpcinfo probe. Tools will be executed only when
# permitted by attack level constraints. A mountd record is followed up
# by two different tools; nfs-chk additionally gets the configured
# $short_timeout via "-t".
#
$service eq "mountd"			$target "showmount.saint"
$service eq "mountd"			$target "nfs-chk.saint" "-t $short_timeout"
$service eq "ypserv"			$target "ypbind.saint"
$service eq "rexd"			$target "rex.saint"
$service eq "rusersd"			$target "rusers.saint"
$service eq "rstatd"			$target "rstatd.saint"

#
# Output from the port scanners. Tools will be executed only when
# permitted by the attack level constraints.
#
# HOSTTYPE appears literally in several argument lists below; it is
# presumably replaced by the driver with the detected host type before the
# tool runs -- confirm against the driver code.
# Rules guarded by $untrusted_host only fire when that flag is set. It is
# defined outside this file; presumably true when the scanning host is not
# in the target's trust list -- confirm.
#
$service eq "telnet"			$target "telnet.saint" "-x $extreme HOSTTYPE"
$service eq "ftp"			$target "ftp.saint"
$service eq "finger"			$target "finger.saint"
$untrusted_host && $service eq "shell"	$target "rsh.saint"
$untrusted_host && $service eq "shell"	$target "rsh.saint" "-u root"
$text =~ /offers login/			$target "rlogin.saint" "HOSTTYPE"
$service eq "tftp"			$target "tftp.saint"
# The display number captured here is digits only ([0-9]+), so it is safe
# to interpolate into the argument list as-is.
$service =~ /X-([0-9]+)/		$target "xhost.saint" "-d $target:$1"
$text =~ /offers http /			$target "http.saint" "-x $extreme HOSTTYPE $service"
# Bare patterns (no "=~") match against $_; the caller apparently aliases
# the record text to it (compare the explicit $text =~ form) -- confirm.
/WWW \(non-standard port (\S+)\)/	$target "http.saint" "-x $extreme HOSTTYPE $1"
# 8[0128]{3} covers the 64 ports 8000..8888 whose last three digits are all
# drawn from {0,1,2,8} (e.g. 8000, 8008, 8080, 8888); 32766 is listed
# separately.
$text =~ /offers (8[0128]{3}|32766):TCP/ \
					$target "http.saint" "-x $extreme HOSTTYPE $1"
$text =~ /offers gopher /		$target "gopher.saint" $service
$text =~ /offers 4224:TCP/		$target "xtell.saint"
/Gopher \(non-standard port (\S+)\)/	$target "gopher.saint" $1
$text =~ /offers domain /		$target "dns-chk.saint"
$service =~ /imap/			$target "imap.saint"
$service eq "smtp"			$target "sendmail.saint" $service
$untrusted_host && $service eq "smtp"	$target "relay.saint"
$text =~ /offers netbios/		$target "smb.saint"
$service eq "ssh"                	$target "ssh.saint"
$text =~ /offers snmp /			$target "snmp.saint"  "-w"
$text =~ /offers cim /			$target "cim.saint"
$text =~ /offers 1433:TCP/		$target "mssql.saint"
$service eq "nntp"                	$target "inn.saint" $service
$service eq "pop-3"			$target "pop3.saint"
# "runs <service>" records come from the RPC checks; each gets its own
# follow-up tool with the HOSTTYPE placeholder.
/runs tooltalk/				$target "tooltalk.saint" HOSTTYPE
/runs cmsd/				$target "cmsd.saint" HOSTTYPE
/runs sadmind/				$target "sadmind.saint" HOSTTYPE
/runs statd/				$target "statd.saint" HOSTTYPE
/runs snmpxdmid/			$target "snmpxdmid.saint" HOSTTYPE
/runs yppasswdd/			$target "yppasswdd.saint" HOSTTYPE
/is a NIS client/			$target "ypbind-chk.saint" HOSTTYPE
/runs walld/				$target "walld.saint" HOSTTYPE
/runs cachefsd/				$target "cachefsd.saint" HOSTTYPE
$service eq "printer"			$target "printer.saint" HOSTTYPE
/ANONYMOUS/				$target "ftp_bounce.saint"

# If NMAP was used, check for smurf
# (use the network address so tests won't be repeated). The target handed
# to the tool is the captured network address with a trailing "/", not
# $target, so the duplicate-invocation tracking collapses all hosts on the
# same network into one smurf test.
# The netmask is wrapped in escaped double quotes inside the argument
# string; this assumes $target_netmask itself contains no double quote.
$service eq "nmap" && &get_network($target,$target_netmask)=~/^([\d\.]+)/\
					"$1/"	"smurf.saint" "-m \"$target_netmask\""

# Check for rootkits and open accounts
# The per-login rules below are gated on $password_guesses cumulatively
# (>= 1 through >= 5), so a setting of N enables the first N variants for
# every login name reported in the record.
$service eq "telnet"			$target "login.saint" "-o -u root $service"
$service eq "telnet"			$target "login.saint" "-r -u wank -p wank $service"
$service eq "telnet"			$target "login.saint" "-r -u rewt -p satori $service"
# The login name is captured with (\S+) and interpolated verbatim into the
# tool arguments. \S+ admits shell metacharacters, and the name originates
# from what the remote host reported, so if the driver builds the tool
# command line through a shell, a hostile target could inject into the
# scanner's own process. A tighter class such as [\w.-]+ would close that
# (compare the digits-only capture used for the X display rule).
# The exclusion regex $1 !~ /^(bin|sys|daemon)$/ has its own capture group,
# but a failed match leaves $1 untouched, so the tool line still sees the
# login name.
$text =~ /identified login (\S+)/ && ($1 !~ /^(bin|sys|daemon)$/) && ($password_guesses >= 1)\
					$target "login.saint" "-o -u $1 telnet"
$text =~ /identified login (\S+)/ && ($1 !~ /^(bin|sys|daemon)$/) && ($password_guesses >= 2)\
					$target "login.saint" "-o -u $1 -p $1 telnet"
$text =~ /identified login (\S+)/ && ($1 !~ /^(bin|sys|daemon)$/) && ($password_guesses >= 3)\
					$target "login.saint" "-o -u $1 -p password telnet"
$text =~ /identified login (\S+)/ && ($1 !~ /^(bin|sys|daemon)$/) && ($password_guesses >= 4)\
					$target "login.saint" "-o -b -u $1 -p $1 telnet"
$text =~ /identified login (\S+)/ && ($1 !~ /^(bin|sys|daemon)$/) && ($password_guesses >= 5)\
					$target "login.saint" "-o -u $1 -p ${1}1 telnet"
# Same capture concern applies here; rsh is only tried from an untrusted host.
$text =~ /identified login (\S+)/ && $untrusted_host\
					$target "rsh.saint" "-u $1"

#
# Output from showmount. The "*" at the beginning of the tool argument
# list is a hack that specifies that tool arguments should be ignored
# when looking for duplicate tool invocations.
# NOTE(review): the rule below does not actually start its argument list
# with "*", so each distinct $junk value yields a separate boot.saint
# invocation -- confirm whether that is intended.
# The greedy (.*)@(.*) splits the trustee at its last "@". $junk (the
# scratch variable from the file header) holds the &fix_hostname result and
# is reused as the tool argument; the rule only fires when it is non-empty.
#
$trustee =~ /\/export\/root\/(.*)@(.*)/ && ($junk = &fix_hostname($1,$2)) ne ""\
					$target "boot.saint" $junk

#
# Output from the bootparam probe gives us the NIS domain name. With
# ypwhich we can ask the host who its NIS server is.
# Both rules share one condition; the captured domain name is passed to
# ypbind.saint as "-d <domain>" and to yp-chk.saint as a bare argument.
#
$service eq "boot" && $service_output =~ /domain (\S+)/ \
					$target "ypbind.saint" "-d $1"
$service eq "boot" && $service_output =~ /domain (\S+)/ \
					$target "yp-chk.saint" "$1"
#
# Example of site specific rule; SGIs, for instance, have a "guest", "lp",
# and other accounts with no password when out-of-the-box from SGI.  Here's
# how you could check for this. Note that these "example" rules are active
# as written and match /IRIX/i against $_; comment them out if they are not
# wanted at this site.
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u guest telnet"
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u lp telnet"
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u demos telnet"
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u EZsetup telnet"
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u OutOfBox telnet"
$untrusted_host && /IRIX/i		$target "login.saint" "-o -u 4Dgifts telnet"
# ZyXEL Prestige router default account (keyed on the FTP banner text)
/220 .*FTP version 1\.0 ready at/	$target "login.saint" "-f -p 1234 ftp"

# Looking for unique Windows signature in netbios-ssn
# The doubled backslashes make the pattern match the escaped text
# \131\000\000\001\143 as it is printed in the record, not the raw bytes.
# $domain_user and $domain_pass are wrapped in escaped double quotes; a value
# containing a double quote (or, if the driver shell-expands the line, "$"
# or backquotes) would break out of the argument -- confirm how the tool
# line is executed before relying on this quoting.
/\\131\\000\\000\\001\\143/		$target "backdoors.saint"
/\\131\\000\\000\\001\\143/		$target "registry.saint" "-u \"$domain_user\" -p \"$domain_pass\""
/\\131\\000\\000\\001\\143/		$target "win_login.saint" "-g $password_guesses"
