
Classification for IP address discovery

Discovery provides a way to classify devices it finds through IP address discovery, even when no credentials are available.

When you run a discovery for IP addresses, as opposed to a CI discovery, the Discovery application makes certain assumptions about devices and the applications running on those devices from the ports that it finds open. Classification parameters for this type of Discovery are generated differently from scans in which credentials are available.

The syntax for creating parameters is derived from the fields returned by the Shazzam probe when conducting a Discovery for IP addresses. Parameters for CIs and applications are formed in the same way. The Shazzam probe creates an XML file containing the following fields:

  • name
  • port
  • portprobe
  • protocol
  • result
  • service

Note: Optional fields that can be used to form parameters appear as child tags beneath the default fields. Examples of these are the sysDescr and banner_text fields.

Parameters are expressed in the form <portprobe.service.field>. The value for field can come from any of the fields or child tags in the XML file. For example, the following parameters classify a device as a UNIX server and detect an installation of MySQL:
  • ssh.ssh.result
  • mysql.mysql.result
These parameters were derived from the values in the following XML file generated by a Shazzam probe conducting an IP Scan. The result field returned a value of open for ports 22 and 3306 on the target device. The service field indicates the services that normally communicate over those ports.
[Figure: parameters from Shazzam]
The sysDescr field can provide additional information about devices, depending upon the manufacturer. This XML file from the Shazzam probe reveals the following about port 161 on the device at IP
[Figure: the sysDescr field]
In the classification criteria, we can construct the following parameter with sysDescr that returns an Apple AirPort wireless router:
snmp.snmp.sysDescr  contains  Apple AirPort
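
The parameter scheme described above, as an added Python example that is not ServiceNow code: it flattens a port-scan result into portprobe.service.field keys and evaluates classification criteria against them. The XML layout (a results root with one result element per port, fields as attributes), the sample values, the "is" operator and the last rule are assumptions made for illustration; only the field names, the three parameters and the "contains" criterion come from the page.

```python
import xml.etree.ElementTree as ET

# Constructed sample. The element/attribute layout is an assumption;
# only the field names (name, port, portprobe, ...) come from the page.
SAMPLE_XML = """
<results>
  <result name="ssh" port="22" portprobe="ssh" protocol="tcp" result="open" service="ssh"/>
  <result name="mysql" port="3306" portprobe="mysql" protocol="tcp" result="open" service="mysql"/>
  <result name="snmp" port="161" portprobe="snmp" protocol="udp" result="open" service="snmp">
    <sysDescr>Apple AirPort (constructed sample text)</sysDescr>
  </result>
  <result name="http" port="80" portprobe="http" protocol="tcp" result="closed" service="http"/>
</results>
"""

def build_parameters(xml_text):
    """Flatten each port entry into <portprobe>.<service>.<field> keys."""
    params = {}
    for entry in ET.fromstring(xml_text).iter("result"):
        prefix = f"{entry.get('portprobe')}.{entry.get('service')}"
        for field, value in entry.attrib.items():
            params[f"{prefix}.{field}"] = value
        for child in entry:  # optional child tags: sysDescr, banner_text
            params[f"{prefix}.{child.tag}"] = (child.text or "").strip()
    return params

def matches(params, criteria):
    """True when every (parameter, operator, value) triple holds.
    A parameter absent from the scan never matches."""
    ops = {"is": lambda a, b: a == b, "contains": lambda a, b: b in a}
    return all(
        name in params and ops[op](params[name], value)
        for name, op, value in criteria
    )

def classify(xml_text, rules):
    """Return the labels of all rules whose criteria match the scan."""
    params = build_parameters(xml_text)
    return [label for label, criteria in rules if matches(params, criteria)]

# Rules mirroring the page's examples; the last one is hypothetical.
RULES = [
    ("UNIX server", [("ssh.ssh.result", "is", "open")]),
    ("MySQL", [("mysql.mysql.result", "is", "open")]),
    ("Apple AirPort router", [("snmp.snmp.sysDescr", "contains", "Apple AirPort")]),
    ("Web server", [("http.http.result", "is", "open")]),
]
```

Because these classifications rest only on open ports and self-reported strings such as sysDescr, treat them as inferences to be confirmed by a credentialed scan.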