Form parameters for IP address scanning

The syntax for creating parameters is derived from the fields returned by the Shazzam probe when conducting a Discovery for IP addresses.

Parameters for CIs and applications are formed in the same way. The Shazzam probe creates an XML file containing the following fields:
  • name
  • port
  • portprobe
  • protocol
  • result
  • service
Note: Optional fields that can be used to form parameters appear as child tags beneath the default fields. Examples of these are the sysDescr and banner_text fields.

Parameters are expressed in the form of <portprobe.service.field>. The value for field can come from any of the fields or child tags in the XML file. For example, the following parameters classify a device as a UNIX server and detect an installation of MySQL:

ssh.ssh.result

mysql.mysql.result

These parameters were derived from the values in the following XML file generated by a Shazzam probe conducting an IP Scan. The result field returned a value of open for ports 22 and 3306 on the target device. The service field indicates the services that normally communicate over those ports.

Figure 1. Discovery XML Parameters

The sysDescr field can provide additional information about devices, depending upon the manufacturer. This XML file from the Shazzam probe reveals the following about port 161 on the device at IP 10.10.11.149:

Figure 2. Discovery XML Parameters 2

In the classification criteria, we can construct the following parameter with sysDescr, which matches an Apple AirPort wireless router.

snmp.snmp.sysDescr > contains > Apple AirPort
Figure 3. Discovery Classification Parameter
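
The derivation described above, as an added example that is not part of the original page or of the product: it flattens a Shazzam-style result into <portprobe.service.field> parameters and evaluates classification criteria against them. The XML element layout (result and scanner elements), the 192.0.2.10 address, the sysDescr text, the "is" operator and the function names flatten and matches are assumptions made for illustration; only the field names, the three parameters and the 10.10.11.149 address come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: element names and layout are assumed, not taken from a
# real probe result. Field names follow the list given on the page.
SAMPLE_XML = """\
<results>
  <result ip_address="192.0.2.10">
    <scanner name="ssh" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh"/>
    <scanner name="mysql" port="3306" portprobe="mysql" protocol="tcp" result="open" service="mysql"/>
  </result>
  <result ip_address="10.10.11.149">
    <scanner name="snmp" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
      <sysDescr>Apple AirPort (constructed sample text)</sysDescr>
    </scanner>
  </result>
</results>
"""

def flatten(xml_text):
    """Return {ip: {"portprobe.service.field": value}} for every scanned port."""
    devices = {}
    for result in ET.fromstring(xml_text).iter("result"):
        params = devices.setdefault(result.get("ip_address"), {})
        for scan in result.iter("scanner"):
            prefix = f'{scan.get("portprobe")}.{scan.get("service")}'
            # Default fields (attributes in this sample) and optional child
            # tags both become <portprobe.service.field> parameters.
            for field, value in scan.attrib.items():
                params[f"{prefix}.{field}"] = value
            for child in scan:
                params[f"{prefix}.{child.tag}"] = (child.text or "").strip()
    return devices

OPERATORS = {
    "is": lambda actual, expected: actual == expected,        # assumed operator name
    "contains": lambda actual, expected: expected in actual,  # as used on the page
}

def matches(params, criteria, match_all=True):
    """criteria: (parameter, operator, value) tuples; a missing parameter never matches."""
    hits = [p in params and OPERATORS[op](params[p], v) for p, op, v in criteria]
    return all(hits) if match_all else any(hits)

if __name__ == "__main__":
    airport = [("snmp.snmp.sysDescr", "contains", "Apple AirPort")]
    for ip, params in flatten(SAMPLE_XML).items():
        print(ip, sorted(params), "AirPort" if matches(params, airport) else "")
```

Values such as sysDescr and banner_text are reported by the scanned device itself, so a match records what the device claims to be rather than a verified identity.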