- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-01-2020 06:53 AM
Hi,
We need to what are all the filetypes and extensions which are present and comes as a part of the discovery process on Mid-Servers.
This is basically required for us to whitelist these filetypes and extensions on the antivirus on these servers so as not to hinder the discovery process.
An exhaustive list will be a great help.
Thanks in advance.
AG
Solved! Go to Solution.
- Labels:
-
Discovery
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-01-2020 10:12 PM
I dont think there is any exhaustive list of processes or file types is available. It is because most of the file types and processes can be queried through port 135 (Windows)and 22 (Linux) respectively. Just like there is no list of software extensions available that can be installed on windows and Linux systems it is not possible to put together a list for discovery.
As far as whitelisting is concerned - you can whitelist mid server IP address to port 135 (WMI) for windows and port 22 (SSH) for Linux. Similarly if you are trying to discover SQL then use port 1433. Please expand the list with respect to the devices or software you are expecting to be discover. Similar would be the logic for SNMP (port 161)
Below link gives you the details on the common ports
https://packetlife.net/media/library/23/common-ports.pdf
You can communicate the same to your security team and gain alignment if that's where you are stuck at.
I have listed down the list of windows attributes and Linux attributes captured:
Please mark helpful or accept solution so that this answer helps others with a similar question.
For Windows:
The Windows registry
- Product Name: Combination of name and version, such as Windows Imaging Component 3.0.
- Name: Name of the product only without the version.
- Version: Version of the product.
- Uninstall String: Path to the uninstaller, such as C:\Program Files\Notepad++\uninstall.exe.
- Part of: Update for which this is a part, such as Windows Internet Explorer 8 - Software U.
- Install Date: Date the software was installed. The Windows - Installed Software sensor appends a timestamp of 00:00:00 to the install_date retrieved from the registry. The installation time of all Windows software is independent of the timezone and is set to midnight of the day it was installed. For example, an install date of 2.19.2017 in the Windows registry appears as 2.19.2017 00:00:00 in the CMDB.
- Installed on: Name of the asset on which the software is installed.
For Windows the data captured is:
Data collected
| Label | Table name | Field name | Source |
|---|---|---|---|
| Assigned to | cmdb_ci_win_server | assigned_to | wmi |
| Chassis type | cmdb_ci_win_server | chassis_type | wmi |
| Command | cmdb_running_process | command | wmi |
| Connects to | cmdb_running_process | connects_to | wmi |
| CPU core count* | cmdb_ci_computer | cpu_core_count | wmi |
| CPU core thread* | cmdb_ci_computer | cpu_core_thread | wmi |
| CPU count* | cmdb_ci_computer | cpu_count | wmi |
| CPU manufacturer | cmdb_ci_computer | cpu_manufacturer | wmi |
| CPU name | cmdb_ci_computer | cpu_name | wmi |
| CPU speed (MHz) | cmdb_ci_computer | cpu_speed | wmi |
| Default gateway | cmdb_ci_win_server | default_gateway | wmi |
| Department | cmdb_ci_win_server | department | Internal (User) |
| Description | cmdb_ci_disk | short_description | wmi |
| Disk space (GB) | cmdb_ci_computer | disk_space | wmi |
| Disk space (GB) | cmdb_ci_disk | disk_space | wmi |
| DHCP enabled | cmdb_ci_network_adapter | dhcp_enabled | wmi |
| DNS domain | cmdb_ci_win_server | dns_domain | DNS |
| Free space (GB) | cmdb_ci_file_system | free_space | wmi |
| Hostname | cmdb_ci_win_server | host_name | DNS, NBT |
| IP address | cmdb_ci_network_adapter | ip_address | wmi |
| Listening on | cmdb_running_process | listening_on | wmi |
| MAC address | cmdb_ci_network_adapter | mac_address | wmi |
| Manufacturer | cmdb_ci_win_server | manufacturer | wmi |
| Model ID | cmdb_ci | model_id | wmi |
| Name | cmdb_ci_win_server | name | DNS, NBT |
| Name | cmdb_ci_disk | name | wmi |
| Name | cmdb_running_process | name | wmi |
| Name | cmdb_ci_network_adapter | name | wmi |
| Netmask | cmdb_ci_network_adapter | netmask | wmi |
| Operating System | cmdb_ci_computer | os | wmi |
| OS domain | cmdb_ci_computer | os_domain | NBT |
| OS service pack | cmdb_ci_computer | os_service_pack | wmi |
| OS version | cmdb_ci_computer | os_version | wmi |
| Parameters | cmdb_running_process | parameters | wmi |
| PID | cmdb_running_process | pid | wmi |
| RAM (MB) | cmdb_ci_computer | ram | wmi |
| Serial number | cmdb_ci_win_server | serial_number | wmi |
| Short description | cmdb_ci_win_server | short_description | wmi |
| Type | cmdb_ci_disk | type | wmi |
| Type | cmdb_running_process | type | wmi |
| Volume serial number | cmdb_ci_disk | volume_serial_number | wmi |
For Linux
| Label | Table Name | Field Name | Source |
|---|---|---|---|
| Operating System | cmdb_ci_linux_server | os | uname |
| OS Version | cmdb_ci_computer | os_version | uname -a or cat /etc/*release |
| Short description | cmdb_ci_linux_server | short_description | uname |
| Name | cmdb_ci_linux_server | name | DNS, NBT |
| Hostname | cmdb_ci_linux_server | host_name | DNS, NBT |
| DNS domain | cmdb_ci_linux_server | dns_domain | DNS |
| Start date | cmdb_ci_linux_server | start_date | uptime |
| Manufacturer | cmdb_ci_computer | manufacturer | dmidecode |
| Serial number | cmdb_ci_computer | serial_number | dmidecode |
| CPU type | cmdb_ci_linux_server | cpu_type | /proc/cpuinfo |
| CPU speed (MHz) | cmdb_ci_linux_server | cpu_speed | /proc/cpuinfo |
| CPU count | cmdb_ci_linux_server | cpu_count | /proc/cpuinfo |
| CPU core count | cmdb_ci_computer | cpu_core_count | /proc/cpuinfo |
| CPU core thread | cmdb_ci_computer | cpu_core_thread | /proc/cpuinfo |
| CPU manufacturer | cmdb_ci_linux_server | cpu_manufacturer | /proc/cpuinfo |
| Model number | cmdb_ci_computer | model_number | dmidecode |
| Model ID | cmdb_ci_computer | model_id | dmidecode |
| RAM (MB) | cmdb_ci_linux_server | ram | meminfo |
| Disk space (GB)* | cmdb_ci_linux_server | disk_space | /proc/ide, /proc/scsi, /var/log/dmesg |
| Type | cmdb_ci_disk | type | /proc/ide, /proc/scsi, /var/log/dmesg |
| Model ID | cmdb_ci_disk | model_id | /proc/ide, /proc/scsi, /var/log/dmesg |
| Disk space (GB) | cmdb_ci_disk | disk_space | /proc/ide, /proc/scsi, /var/log/dmesg |
| Name | cmdb_ci_disk | name | /proc/ide, /proc/scsi, /var/log/dmesg |
| Name | cmdb_ci_file_system | name | df |
| Capacity (MB) | cmdb_ci_file_system | capacity | df |
| Available Space (MB) | cmdb_ci_file_system | available_space | df |
| Mount point | cmdb_ci_file_system | mount_point | df |
| Name | cmdb_running_process | name | ps |
| Command | cmdb_running_process | command | ps |
| Type | cmdb_running_process | type | ps |
| PID | cmdb_running_process | pid | ps |
| Parameters | cmdb_running_process | parameters | ps |
| Name | cmdb_ci_network_adapter | name | ifconfig or ip address show |
| IP address | cmdb_ci_network_adapter | ip_address | ifconfig or ip address show |
| MAC address | cmdb_ci_network_adapter | mac_address | ifconfig or ip address show |
| Netmask | cmdb_ci_network_adapter | netmask | ifconfig or ip address show |
| Default gateway | cmdb_ci_hardware | default_gateway | route |
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-01-2020 10:12 PM
I dont think there is any exhaustive list of processes or file types is available. It is because most of the file types and processes can be queried through port 135 (Windows)and 22 (Linux) respectively. Just like there is no list of software extensions available that can be installed on windows and Linux systems it is not possible to put together a list for discovery.
As far as whitelisting is concerned - you can whitelist mid server IP address to port 135 (WMI) for windows and port 22 (SSH) for Linux. Similarly if you are trying to discover SQL then use port 1433. Please expand the list with respect to the devices or software you are expecting to be discover. Similar would be the logic for SNMP (port 161)
Below link gives you the details on the common ports
https://packetlife.net/media/library/23/common-ports.pdf
You can communicate the same to your security team and gain alignment if that's where you are stuck at.
I have listed down the list of windows attributes and Linux attributes captured:
Please mark helpful or accept solution so that this answer helps others with a similar question.
For Windows:
The Windows registry
- Product Name: Combination of name and version, such as Windows Imaging Component 3.0.
- Name: Name of the product only without the version.
- Version: Version of the product.
- Uninstall String: Path to the uninstaller, such as C:\Program Files\Notepad++\uninstall.exe.
- Part of: Update for which this is a part, such as Windows Internet Explorer 8 - Software U.
- Install Date: Date the software was installed. The Windows - Installed Software sensor appends a timestamp of 00:00:00 to the install_date retrieved from the registry. The installation time of all Windows software is independent of the timezone and is set to midnight of the day it was installed. For example, an install date of 2.19.2017 in the Windows registry appears as 2.19.2017 00:00:00 in the CMDB.
- Installed on: Name of the asset on which the software is installed.
For Windows the data captured is:
Data collected
| Label | Table name | Field name | Source |
|---|---|---|---|
| Assigned to | cmdb_ci_win_server | assigned_to | wmi |
| Chassis type | cmdb_ci_win_server | chassis_type | wmi |
| Command | cmdb_running_process | command | wmi |
| Connects to | cmdb_running_process | connects_to | wmi |
| CPU core count* | cmdb_ci_computer | cpu_core_count | wmi |
| CPU core thread* | cmdb_ci_computer | cpu_core_thread | wmi |
| CPU count* | cmdb_ci_computer | cpu_count | wmi |
| CPU manufacturer | cmdb_ci_computer | cpu_manufacturer | wmi |
| CPU name | cmdb_ci_computer | cpu_name | wmi |
| CPU speed (MHz) | cmdb_ci_computer | cpu_speed | wmi |
| Default gateway | cmdb_ci_win_server | default_gateway | wmi |
| Department | cmdb_ci_win_server | department | Internal (User) |
| Description | cmdb_ci_disk | short_description | wmi |
| Disk space (GB) | cmdb_ci_computer | disk_space | wmi |
| Disk space (GB) | cmdb_ci_disk | disk_space | wmi |
| DHCP enabled | cmdb_ci_network_adapter | dhcp_enabled | wmi |
| DNS domain | cmdb_ci_win_server | dns_domain | DNS |
| Free space (GB) | cmdb_ci_file_system | free_space | wmi |
| Hostname | cmdb_ci_win_server | host_name | DNS, NBT |
| IP address | cmdb_ci_network_adapter | ip_address | wmi |
| Listening on | cmdb_running_process | listening_on | wmi |
| MAC address | cmdb_ci_network_adapter | mac_address | wmi |
| Manufacturer | cmdb_ci_win_server | manufacturer | wmi |
| Model ID | cmdb_ci | model_id | wmi |
| Name | cmdb_ci_win_server | name | DNS, NBT |
| Name | cmdb_ci_disk | name | wmi |
| Name | cmdb_running_process | name | wmi |
| Name | cmdb_ci_network_adapter | name | wmi |
| Netmask | cmdb_ci_network_adapter | netmask | wmi |
| Operating System | cmdb_ci_computer | os | wmi |
| OS domain | cmdb_ci_computer | os_domain | NBT |
| OS service pack | cmdb_ci_computer | os_service_pack | wmi |
| OS version | cmdb_ci_computer | os_version | wmi |
| Parameters | cmdb_running_process | parameters | wmi |
| PID | cmdb_running_process | pid | wmi |
| RAM (MB) | cmdb_ci_computer | ram | wmi |
| Serial number | cmdb_ci_win_server | serial_number | wmi |
| Short description | cmdb_ci_win_server | short_description | wmi |
| Type | cmdb_ci_disk | type | wmi |
| Type | cmdb_running_process | type | wmi |
| Volume serial number | cmdb_ci_disk | volume_serial_number | wmi |
For Linux
| Label | Table Name | Field Name | Source |
|---|---|---|---|
| Operating System | cmdb_ci_linux_server | os | uname |
| OS Version | cmdb_ci_computer | os_version | uname -a or cat /etc/*release |
| Short description | cmdb_ci_linux_server | short_description | uname |
| Name | cmdb_ci_linux_server | name | DNS, NBT |
| Hostname | cmdb_ci_linux_server | host_name | DNS, NBT |
| DNS domain | cmdb_ci_linux_server | dns_domain | DNS |
| Start date | cmdb_ci_linux_server | start_date | uptime |
| Manufacturer | cmdb_ci_computer | manufacturer | dmidecode |
| Serial number | cmdb_ci_computer | serial_number | dmidecode |
| CPU type | cmdb_ci_linux_server | cpu_type | /proc/cpuinfo |
| CPU speed (MHz) | cmdb_ci_linux_server | cpu_speed | /proc/cpuinfo |
| CPU count | cmdb_ci_linux_server | cpu_count | /proc/cpuinfo |
| CPU core count | cmdb_ci_computer | cpu_core_count | /proc/cpuinfo |
| CPU core thread | cmdb_ci_computer | cpu_core_thread | /proc/cpuinfo |
| CPU manufacturer | cmdb_ci_linux_server | cpu_manufacturer | /proc/cpuinfo |
| Model number | cmdb_ci_computer | model_number | dmidecode |
| Model ID | cmdb_ci_computer | model_id | dmidecode |
| RAM (MB) | cmdb_ci_linux_server | ram | meminfo |
| Disk space (GB)* | cmdb_ci_linux_server | disk_space | /proc/ide, /proc/scsi, /var/log/dmesg |
| Type | cmdb_ci_disk | type | /proc/ide, /proc/scsi, /var/log/dmesg |
| Model ID | cmdb_ci_disk | model_id | /proc/ide, /proc/scsi, /var/log/dmesg |
| Disk space (GB) | cmdb_ci_disk | disk_space | /proc/ide, /proc/scsi, /var/log/dmesg |
| Name | cmdb_ci_disk | name | /proc/ide, /proc/scsi, /var/log/dmesg |
| Name | cmdb_ci_file_system | name | df |
| Capacity (MB) | cmdb_ci_file_system | capacity | df |
| Available Space (MB) | cmdb_ci_file_system | available_space | df |
| Mount point | cmdb_ci_file_system | mount_point | df |
| Name | cmdb_running_process | name | ps |
| Command | cmdb_running_process | command | ps |
| Type | cmdb_running_process | type | ps |
| PID | cmdb_running_process | pid | ps |
| Parameters | cmdb_running_process | parameters | ps |
| Name | cmdb_ci_network_adapter | name | ifconfig or ip address show |
| IP address | cmdb_ci_network_adapter | ip_address | ifconfig or ip address show |
| MAC address | cmdb_ci_network_adapter | mac_address | ifconfig or ip address show |
| Netmask | cmdb_ci_network_adapter | netmask | ifconfig or ip address show |
| Default gateway | cmdb_ci_hardware | default_gateway | route |
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-02-2020 10:23 AM
Please accept solution so that it helps others with a similar question.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎12-02-2020 10:23 AM
Please accept solution so that it helps others with a similar question.
