Discovery provides a way to classify devices it finds through IP address discovery, even when no credentials are available.

When you run a discovery for IP addresses, as opposed to a configuration item (CI) discovery, the Discovery application makes certain assumptions about devices and the applications running on those devices from the ports that it finds open. Classification parameters for this type of Discovery are generated differently from scans in which credentials are available.
The syntax for creating parameters is derived from the fields returned by the Shazzam probe when conducting a Discovery for IP addresses. Parameters for CIs and applications are formed in the same way. The Shazzam probe creates an XML file containing the following fields:
name
port
portprobe
protocol
result
service
Note: Optional fields that can be used to form parameters appear as child tags beneath the default fields. Examples of these are the sysDescr and banner_text fields.
Parameters are expressed in the form of <portprobe.service.field>. The value for field can come from any of the fields or child tags in the XML file. For example, the following parameters classify a device as a UNIX server and detect an installation of MySQL:
ssh.ssh.result
mysql.mysql.result
These parameters were derived from the values in the following XML file generated by a Shazzam probe conducting an IP Scan. The result field returned a value of open for ports 22 and 3306 on the target device. The service field indicates the services that normally communicate over those ports.

The sysDescr field can provide additional information about devices, depending upon the manufacturer. This XML file from the Shazzam probe reveals the following about port 161 on the device at IP 10.10.11.149:
In the classification criteria, we can construct the following parameter with sysDescr that returns an Apple AirPort wireless router:
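The following is an added example, not part of this page and not ServiceNow's own code, showing how a <portprobe.service.field> parameter is resolved against Shazzam-style output and how the UNIX/MySQL criteria above and a sysDescr criterion would be evaluated. The XML it parses is constructed here for illustration: the page lists the field names (name, port, portprobe, protocol, result, service, plus child tags such as sysDescr and banner_text) but does not reproduce the probe's actual file, so the element nesting, the sysDescr text, and the parameter name snmp.snmp.sysDescr used for the port 161 entry are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape the page describes: one entry per probed
# port carrying the default fields and, where the probe returned them, the
# optional child tags (banner_text, sysDescr). The element names and the
# nesting are assumed; the real Shazzam output is not reproduced on the page.
SAMPLE_XML = """<?xml version="1.0"?>
<results>
  <entry>
    <name>ssh</name><port>22</port><portprobe>ssh</portprobe>
    <protocol>tcp</protocol><result>open</result><service>ssh</service>
    <banner_text>SSH-2.0-OpenSSH_8.9</banner_text>
  </entry>
  <entry>
    <name>mysql</name><port>3306</port><portprobe>mysql</portprobe>
    <protocol>tcp</protocol><result>open</result><service>mysql</service>
  </entry>
  <entry>
    <name>snmp</name><port>161</port><portprobe>snmp</portprobe>
    <protocol>udp</protocol><result>open</result><service>snmp</service>
    <sysDescr>Apple AirPort - Apple Base Station (constructed value)</sysDescr>
  </entry>
  <entry>
    <name>http</name><port>80</port><portprobe>http</portprobe>
    <protocol>tcp</protocol><result>closed</result><service>http</service>
  </entry>
</results>
"""


def parse_shazzam(xml_text):
    """Return one dict per probed port, keyed by field name.
    Default fields and optional child tags are stored alike, so a
    parameter's field part can name either."""
    root = ET.fromstring(xml_text)
    return [{child.tag: (child.text or "").strip() for child in entry}
            for entry in root.findall("entry")]


def resolve_parameter(entries, parameter):
    """Evaluate a portprobe.service.field parameter against parsed output.
    Returns the field's value, or None when no entry matches the
    portprobe/service pair or the matching entry lacks that field
    (for example, no sysDescr child tag was returned for that port)."""
    parts = parameter.split(".", 2)
    if len(parts) != 3:
        raise ValueError("expected portprobe.service.field, got %r" % parameter)
    portprobe, service, field = parts
    for fields in entries:
        if fields.get("portprobe") == portprobe and fields.get("service") == service:
            return fields.get(field)
    return None


# Classification criteria: (parameter, test on the resolved value, label).
# The first two are the page's UNIX server / MySQL example; the third is
# an assumed parameter name for a sysDescr-based Apple AirPort criterion.
CRITERIA = [
    ("ssh.ssh.result", lambda v: v == "open", "UNIX server"),
    ("mysql.mysql.result", lambda v: v == "open", "MySQL"),
    ("snmp.snmp.sysDescr", lambda v: "AirPort" in v, "Apple AirPort wireless router"),
]


def classify(xml_text, criteria=CRITERIA):
    """Return the labels of every criterion whose parameter resolves to a
    value that passes its test. A parameter that resolves to None never
    matches, which is what keeps a closed or unprobed port from
    classifying a device."""
    entries = parse_shazzam(xml_text)
    matches = []
    for parameter, test, label in criteria:
        value = resolve_parameter(entries, parameter)
        if value is not None and test(value):
            matches.append(label)
    return matches


if __name__ == "__main__":
    for label in classify(SAMPLE_XML):
        print("classified:", label)
```

Because this kind of classification rests only on which ports answer and on what the responding service says about itself, treat its output as an inference to be confirmed by a credentialed CI discovery where one is possible, rather than as an authoritative identification.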