Classification for IP address discovery

Discovery provides a way to classify devices it finds through IP address discovery, even when no credentials are available.

When you run a discovery for IP addresses, as opposed to a CI discovery, the Discovery application makes certain assumptions about devices and the applications running on those devices from the ports that it finds open. Classification parameters for this type of Discovery are generated differently from scans in which credentials are available.

The syntax for creating parameters is derived from the fields returned by the Shazzam probe when conducting a Discovery for IP addresses. Parameters for CIs and applications are formed in the same way. The Shazzam probe creates an XML file containing the following fields:

  • name
  • port
  • portprobe
  • protocol
  • result
  • service
Note: Optional fields that can be used to form parameters appear as child tags beneath the default fields. Examples of these are the sysDescr and banner_text fields.
Parameters are expressed in the form of <portprobe.service.field>. The value for field can come from any of the fields or child tags in the XML file. For example, the following parameters classify a device as a UNIX server and detect an installation of MySQL:
  • ssh.ssh.result
  • mysql.mysql.result
These parameters were derived from the values in the following XML file generated by a Shazzam probe conducting an IP Scan. The result field returned a value of open for ports 22 and 3306 on the target device. The service field indicates the services that normally communicate over those ports.
The sysDescr field can provide additional information about devices, depending upon the manufacturer. This XML file from the Shazzam probe reveals the following about port 161 on the device at IP 10.10.11.149:
In the classification criteria, we can construct the following parameter with sysDescr to identify an Apple AirPort wireless router:
snmp.snmp.sysDescr  contains  Apple AirPort
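As an added example (not from the original page or from the Discovery product), the following Python script evaluates parameters of the form <portprobe.service.field> against a constructed Shazzam-style result file using the six fields listed above and a sysDescr child tag. The <entry> wrapper element, the tomcat probe/service name and the helper names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape this page describes: one <entry> per port
# probe carrying the six default fields, with sysDescr as an optional child tag
# on the SNMP entry. The <entry> wrapper is assumed, not Shazzam's real schema.
SAMPLE_XML = """<results>
  <entry><name>ssh</name><port>22</port><portprobe>ssh</portprobe>
    <protocol>tcp</protocol><result>open</result><service>ssh</service></entry>
  <entry><name>mysql</name><port>3306</port><portprobe>mysql</portprobe>
    <protocol>tcp</protocol><result>open</result><service>mysql</service></entry>
  <entry><name>tomcat</name><port>16000</port><portprobe>tomcat</portprobe>
    <protocol>tcp</protocol><result>closed</result><service>tomcat</service></entry>
  <entry><name>snmp</name><port>161</port><portprobe>snmp</portprobe>
    <protocol>udp</protocol><result>open</result><service>snmp</service>
    <sysDescr>Apple AirPort Extreme Base Station</sysDescr></entry>
</results>"""

def parse_results(xml_text):
    """Return one dict per probe entry, keyed by field (tag) name."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "").strip() for child in entry}
            for entry in root.findall("entry")]

def lookup(results, parameter):
    """Resolve a '<portprobe>.<service>.<field>' parameter to its value (or None)."""
    portprobe, service, field = parameter.split(".", 2)
    match = next((e for e in results if e.get("portprobe") == portprobe
                  and e.get("service") == service), None)
    return match.get(field) if match else None  # None if the tag is absent

def criterion_matches(results, parameter, operator, expected):
    """Evaluate one classification criterion; missing parameters never match."""
    value = lookup(results, parameter)
    if value is None:
        return False
    if operator == "is":
        return value == expected
    if operator == "contains":
        return expected in value
    raise ValueError(f"unsupported operator: {operator}")

# (classifier name, parameter, operator, expected); the Tomcat rule does not
# fire because the constructed sample reports port 16000 as closed.
RULES = [
    ("UNIX server", "ssh.ssh.result", "is", "open"),
    ("MySQL", "mysql.mysql.result", "is", "open"),
    ("Apache Tomcat", "tomcat.tomcat.result", "is", "open"),
    ("Apple AirPort", "snmp.snmp.sysDescr", "contains", "Apple AirPort"),
]

def classify(results):
    """Return the names of every classifier whose criterion matches."""
    return [name for name, param, op, value in RULES
            if criterion_matches(results, param, op, value)]
```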

Modify classifiers for IP address discovery

When you run an IP address type of discovery, port probes scan devices without the use of credentials, and then Discovery can determine which classifiers to use. You can add port probes and additional classifiers for IP address discovery.

Before you begin

Role required: admin

About this task

Although no credentials are required to scan for Windows or UNIX devices with this type of scan, credentials are still required for SNMP devices. By determining which ports are open on the devices that it scans, IP address classification can discover such things as the type of device (computer, UPS, etc.), operating system, running applications, and version numbers.
Note: IP address classification attempts to classify devices when no credentials are available; however, Discovery will use credentials when they are available, even when IP address classification is configured.

To use IP address classification, follow these steps:

Procedure

  1. Determine what ports to use for classification. Run a scan program such as Nmap on specific IP addresses to decide which ports reveal the desired information about a device or application.
    The scan can reveal several pieces of data that are useful for configuring classification parameters. An Nmap scan displays port numbers, their state (open or closed), their service names, and any version information it can find. From the port information returned in the example below, we can construct criteria to classify UNIX servers (port 22), MySQL (port 3306), and Apache Tomcat (port 16000).
  2. Add an IP Service and port probe.
    The out-of-box system supplies probes for some of the most common ports, but additional port probes will be needed for effective IP address scanning.
    1. Navigate to Discovery Definition > IP Services and click New.
    2. Create a new IP Service record using the port number and service from the Nmap scan. In this example, we associate the mysql service with port 3306 and add the CI (sanops02) on which the service runs to the Available on Related List.
    3. To use Basic Discovery, navigate to Discovery Definition > Functionality Definition and select the record for All.
    4. Add the new port probes to the list. This tells Discovery which port probes to run for IP address scans.
      Figure 1. Discovery Functionality Def
    5. Save the record and navigate to Discovery Definition > Port Probes and click New.
    6. Create a port probe using the new IP Service you just defined.
      Figure 2. Discovery Port Probe
  3. Create a new classification and add the parameter for IP address scanning.
    In this example, we have created an application classifier that will discover Apache Tomcat, based on the port information we received from the Nmap scan. See the following section for details about forming parameters for IP address scans.
    Figure 3. Discovery Application Classifier
  4. (Optional) In the Classification Criteria related list, create a criteria filter that determines when this classifier applies to the discovered devices. See the IP address classification parameters for a list of the parameters you can use.

What to do next

Run an IP address discovery through the Discovery Schedule to search for devices.