Discovery classification for IP address scanning

Classification is available for the IP Addresses Discovery type and returns information about CIs (Scan CI) and applications running on CIs (Scan Application).

Before you begin

Role required: admin

About this task

No credentials are required to scan for Windows or UNIX devices with this type of scan, but credentials are required for SNMP devices. By determining which ports are open on the devices that it scans, IP address classification can discover such things as the type of device (computer, UPS, etc.), operating system, running applications, and version numbers.
Note: IP address classification attempts to classify devices when no credentials are available; however, Discovery will use credentials when they are available, even when IP address classification is configured.

To use IP address classification, follow these steps:

Procedure

  1. Determine what ports to use for classification. Run a scan program such as Nmap on specific IP addresses to decide which ports reveal the desired information about a device or application.
    The scan can reveal several pieces of data that are useful for configuring classification parameters. An Nmap scan displays port numbers, their state (open or closed), their service names, and any version information it can find. From the port information returned in the example below, we can construct criteria to classify UNIX servers (port 22), MySQL (port 3306), and Apache Tomcat (port 16000).
    Figure 1. Discovery Nmap Scan
  2. Add an IP Service and port probe.
    The out-of-box ServiceNow system supplies probes for some of the most common ports, but additional port probes will be needed for effective IP address scanning.
    1. Navigate to Discovery Definition > IP Services and click New.
    2. Create a new IP Service record using the port number and service from the Nmap scan. In this example, we associate the mysql service with port 3306 and add the CI (sanops02) on which the service runs to the Available on Related List.
      Figure 2. Discovery IP Service
    3. To use Basic Discovery, navigate to Discovery Definition > Functionality Definition and select the record for All.
    4. Add the new port probes to the list. This tells Discovery which port probes to run for IP address scans.
      Figure 3. Discovery Functionality Def
    5. Save the record and navigate to Discovery Definition > Port Probes and click New.
    6. Create a port probe using the new IP Service you just defined.
      Figure 4. Discovery Port Probe
  3. Create a new classification and add the parameter for IP address scanning.
    In this example, we have created an application classifier that will discover Apache Tomcat, based on the port information we received from the Nmap scan. See the following section for details about forming parameters for IP address scans.
    Figure 5. Discovery Application Classifier