Credential-less Application Discovery

Credential-less Application Discovery attempts to identify an application service actively listening on a specific port at a given IP address.

The application discovery pattern

Service Mapping launches the Credentialless Discovery Application pattern when all credential-based port classification steps fail. The pattern executes an Nmap command on a Windows MID Server that has Nmap installed. The command is configured to perform application/version detection against a specific remote host IP address and port. If the port being scanned by Nmap is open, the pattern executes the CredentialLessApplicationClassNameMapper MID Server script include, which maps the service product, service name, and any extra information supplied by Nmap to a supported ServiceNow application table. If the script can map the returned product to an appropriate table derived from the base Application [cmdb_ci_appl] table, the script passes this information to the pattern. The pattern passes the match to the Discovery identifier for eventual CI creation or reconciliation. If the information returned by Nmap does not match any derived table, the instance uses the base Application [cmdb_ci_appl] table to create the CI.

Example scan results

This information was returned by an Nmap Application/Version Detection port scan on a Linux test system and illustrates the type of application data Nmap scans can return.

| Information | Port |
| --- | --- |
| Port state | open |
| Service name | ssh |
| Service product | OpenSSH |
| Extra service information | Protocol 2.0 |

Default application mappings

The CredentialLessApplicationClassNameMapper MID Server script include is configured with a subset of the most common application tables available for Discovery and Service Mapping. A user with the agent_admin role can edit this script include to add CI tables that credential-less application Discovery can use for mapping to a derived application CI class.

Shown in this table are examples of close matches returned by Nmap on a test system that CMDB Identification and Reconciliation was able to resolve into defined products. In many cases, the service name returned by Nmap was not needed to determine a match. Service names that appear in the table were required to determine a match.

Products returned by Nmap that cannot be resolved into defined Discovery products use the following naming format: <serviceProduct>:<serviceExtrainfo>:<serviceName>. If any value in this string is null, it is dropped from the name.
  • serviceProduct: Service product information returned by Nmap.
  • serviceExtrainfo: Any additional information that Nmap returns about the application that might help identify it, such as protocol information.
  • serviceName: The installed name of the service or daemon of the product.

The first three columns are the Nmap response. The last two columns are the script response (identifier input).

| Service product | Service name | Service extra information | Discovered product | CI application table |
| --- | --- | --- | --- | --- |
| Apache Tomcat/Coyote JSP engine 1.1 | N/A | NULL | Tomcat | cmdb_ci_app_server_tomcat |
| Apache httpd 2.2.10 ((Linux/SUSE)) | N/A | NULL | Apache Web Server | cmdb_ci_apache_web_server |
| IBM HTTP Server | N/A | Derived from Apache | Apache Web Server | cmdb_ci_apache_web_server |
| IBM DB2 Database Server (QDB2/LINUX) | N/A | NULL | DB2 Instance | cmdb_ci_db_db2_instance |
| Microsoft Exchange smtpd | smtp | NULL | Exchange Client Access Server | cmdb_ci_exchange_cas |
| Microsoft Exchange 2010 log copier | msexchange-logcopier | NULL | Exchange Mailbox | cmdb_ci_exchange_mailbox_server |
| JBoss service httpd | N/A | NULL | JBoss | cmdb_ci_app_server_jboss |
| Microsoft IIS httpd 6.0 | N/A | NULL | Microsoft iis Web Server | cmdb_ci_microsoft_iis_web_server |
| Microsoft SQL Server 2005 9.00.4035; SP3 | N/A | NULL | Microsoft SQL Server | cmdb_ci_db_mssql_instance |
| MongoDB 2.5.1 | N/A | NULL | MongoDB Instance | cmdb_ci_db_mongodb_instance |
| MySQL 5.5.51 | N/A | NULL | MySQL Instance | cmdb_ci_db_mysql_instance |
| nginx 1.4.6 (Ubuntu) | N/A | NULL | Nginx Web Server | cmdb_ci_nginx_web_server |
| PostgreSQL DB | N/A | NULL | PostgreSQL Instance | cmdb_ci_db_postgresql_instance |
| Oracle WebLogic Server | N/A | NULL | Weblogic | cmdb_ci_app_server_weblogic |
| IBM WebSphere MQ 6.0 | N/A | NULL | IBM WebSphere MQ | cmdb_ci_appl_ibm_wmq |
| IBM WebSphere Application Server 6.1 | N/A | NULL | IBM Websphere | cmdb_ci_app_server_websphere |
| OpenSSH : ssh | N/A | NULL | OpenSSH | cmdb_ci_appl |
| Oracle Instance | N/A | NULL | Oracle Database | cmdb_ci_db_ora_instance |
| Oracle Instance | N/A | NULL | Oracle TNS Listener | cmdb_ci_db_ora_instance |
| product-A | service-B | NULL | product-A:service-B | cmdb_ci_appl |
| product-A | service-B | extrainfo-C | product-A:extrainfo-C:service-B | cmdb_ci_appl |
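
The mapping and fallback naming described in this section, as an added JavaScript example. It is not the CredentialLessApplicationClassNameMapper script include or any ServiceNow code. The function names, the RULES subset, the matching logic, and the sample XML are assumptions made for illustration.

```javascript
// Added illustration, NOT ServiceNow's CredentialLessApplicationClassNameMapper.
// RULES is a subset of the page's mapping table; the matching logic is assumed.
const RULES = [
  { product: /tomcat/i, name: "Tomcat", table: "cmdb_ci_app_server_tomcat" },
  { product: /^apache httpd/i, name: "Apache Web Server", table: "cmdb_ci_apache_web_server" },
  { product: /nginx/i, name: "Nginx Web Server", table: "cmdb_ci_nginx_web_server" },
  { product: /mysql/i, name: "MySQL Instance", table: "cmdb_ci_db_mysql_instance" },
  // Rows where the page lists a service name as required for the match.
  { product: /microsoft exchange/i, service: "smtp",
    name: "Exchange Client Access Server", table: "cmdb_ci_exchange_cas" },
  { product: /microsoft exchange/i, service: "msexchange-logcopier",
    name: "Exchange Mailbox", table: "cmdb_ci_exchange_mailbox_server" },
];

// Treat missing values, empty strings and the "NULL"/"N/A" placeholders as null.
function clean(value) {
  const s = (value ?? "").trim();
  return /^(null|n\/a)?$/i.test(s) ? null : s;
}

function classify(serviceProduct, serviceName, serviceExtrainfo) {
  const [product, name, extra] = [serviceProduct, serviceName, serviceExtrainfo].map(clean);
  const rule = product &&
    RULES.find((r) => r.product.test(product) && (!r.service || r.service === name));
  if (rule) return { name: rule.name, table: rule.table };
  // Fallback name <serviceProduct>:<serviceExtrainfo>:<serviceName>, null parts dropped.
  return { name: [product, extra, name].filter(Boolean).join(":"), table: "cmdb_ci_appl" };
}

// Read one attribute from an Nmap XML element and undo the XML escaping.
function attr(element, key) {
  const m = new RegExp(`\\s${key}="([^"]*)"`).exec(element || "");
  if (!m) return null;
  return m[1].replace(/&quot;/g, '"').replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">").replace(/&amp;/g, "&");
}

// Classify the first <port> in `nmap -sV -oX` output; null unless the port is open.
function classifyNmapPort(xml) {
  const state = /<state\b[^>]*>/.exec(xml);
  if (attr(state && state[0], "state") !== "open") return null;
  const service = /<service\b[^>]*>/.exec(xml);
  const el = service && service[0];
  return classify(attr(el, "product"), attr(el, "name"), attr(el, "extrainfo"));
}
// Constructed sample fragment, not captured from a real scan.
const SAMPLE = '<port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/>' +
  '<service name="msrpc" product="Microsoft Windows RPC" method="probed" conf="10"/></port>';
console.log(classifyNmapPort(SAMPLE));
```

The product, service name, and extra information all come from what the scanned service reports about itself, so the resulting CI class is only as trustworthy as that banner.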

Examples of applications not uniquely matched

In this example, the information returned by Nmap does not match any derived table, and the instance must use the base Application [cmdb_ci_appl] table to create the CI.

The Service product, Service name, and Service extra information columns are the Nmap response. The last two columns are the script response (identifier input).

| Scanned application | Service product | Service name | Service extra information | Discovered product | CI application table |
| --- | --- | --- | --- | --- | --- |
| ExchangeHub | Microsoft Windows RPC | msrpc | null | Microsoft Windows RPC:msrpc | cmdb_ci_appl |
| HAProxy Load Balancer | IBM HTTP Server (Derived from Apache) | http | null | IBM HTTP Server (Derived from Apache):http | cmdb_ci_appl |
| SharePoint | Oracle Database | http | null | Oracle Database:http | cmdb_ci_appl |
| SharePoint | Oracle Instance | N/A | null | Oracle Database | cmdb_ci_appl |

Application identification

The Discovery - IP Based [com.snc.discovery.ip_based] plugin adds an identifier to the Application Rule for the Application [cmdb_ci_appl] table that matches on sys_class_name and cl_port for Nmap scans.
Figure 1. Nmap identifier for the Application Rule