New Discovery Options


Introduction

As of Open-AudIT 2.3.2, we have introduced some easy-to-use but extremely powerful options for discovering devices.

These options centre on directing Nmap in how it discovers devices.

We have grouped these options into what we're calling Discovery Scan Options. We ship seven different groups of options (items) by default that should cover the common use-cases.

This benefits Community, Professional and Enterprise customers.

Feature use is dependent on license type, and is detailed below.

Feature Availability

| Feature                                                              | Community | Professional | Enterprise |
|----------------------------------------------------------------------|-----------|--------------|------------|
| Match Rules - set default for all discoveries                        | y         | y            | y          |
| Discovery Scan Options - set default for all discoveries             | y         | y            | y          |
| Discovery Scan Options - read                                        |           | y            | y          |
| Discovery Scan Options - set per discovery                           |           | y            | y          |
| Discovery Scan Options - create, read, update, delete                |           |              | y          |
| Discovery Scan Options - Custom per Discovery                        |           |              | y          |
| Discovery Scan Options - Exclude IP, range, subnet per discovery     |           |              | y          |
| Discovery Scan Options - Exclude ports per discovery                 |           |              | y          |
| Discovery Scan Options - Set device timeout, per discovery           |           |              | y          |
| Discovery Scan Options - Custom SSH port per discovery               |           |              | y          |
| Match Rules - set per discovery                                      |           |              | y          |


Shipping Defaults

The Discovery Scan Options we ship are detailed below. As above, Enterprise users can create more of these or edit the shipped items.


| Attribute                                      | UltraFast    | SuperFast | Fast  | Medium (Classic) | Medium | Slow  | UltraSlow |
|------------------------------------------------|--------------|-----------|-------|------------------|--------|-------|-----------|
| Approximate time in seconds for remote IP scan | 1            | 5         | 40    | 90               | 100    | 240   | 1200      |
| Must Respond to Ping                           | y            | y         | y     | n                | y      | y     | n         |
| Use Service Version Detection                  | n            | n         | n     | n                | n      | y     | y         |
| Consider Filtered Ports as Open                | n            | n         | n     | y                | n      | y     | y         |
| Timing                                         | T4           | T4        | T4    | T4               | T4     | T3    | T2        |
| Top Nmap TCP Ports                             |              | 10        | 100   | 1000             | 1000   | 1000  | 1000      |
| Top Nmap UDP Ports                             |              | 10        | 100   |                  | 100    | 100   | 1000      |
| Custom TCP Ports                               | 22,135,62078 | 62078     | 62078 | 62078            | 62078  | 62078 | 62078     |
| Custom UDP Ports                               | 161          |           |       | 161              |        |       |           |
| Exclude TCP Ports                              |              |           |       |                  |        |       |           |
| Exclude UDP Ports                              |              |           |       |                  |        |       |           |
| Timeout per Host                               |              |           |       |                  |        |       |           |
| Exclude IP (address, range, subnet)            |              |           |       |                  |        |       |           |
| Custom SSH Port                                |              |           |       |                  |        |       |           |

The Medium (Classic) item is as close as we can make these options to how Open-AudIT used Nmap for Discovery prior to 2.3.2.
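The attributes in the table above correspond to ordinary Nmap command-line options. The Python below is an added example, not Open-AudIT's own code, that turns two of the shipped profiles (UltraFast and Medium (Classic), values taken from the table) into Nmap argument lists. The ScanOptions class, the nmap_commands function and the decision to issue one Nmap run per port source (top ports and custom ports, for TCP and for UDP) are assumptions of this example and not a description of how Open-AudIT itself builds its commands; the flags used (-Pn, -sV, -T4, --top-ports, -p, -sU, --exclude-ports, --host-timeout, --exclude) are standard Nmap options. "Consider Filtered Ports as Open" has no Nmap flag: it is applied when the results are read, not on the command line.

```python
"""Build Nmap argument lists from a Discovery Scan Options profile (example code)."""
import shlex
from dataclasses import dataclass
from typing import List


@dataclass
class ScanOptions:
    """One Discovery Scan Options item, mirroring the attributes in the table."""
    name: str
    must_respond_to_ping: bool
    service_version_detection: bool
    timing: str                  # Nmap timing template, e.g. "T4"
    top_tcp_ports: int = 0       # 0 means no top-ports TCP run
    top_udp_ports: int = 0
    custom_tcp_ports: str = ""   # comma-separated list, as shown in the table
    custom_udp_ports: str = ""
    exclude_tcp_ports: str = ""
    exclude_udp_ports: str = ""
    timeout_per_host: str = ""   # value for --host-timeout, e.g. "120s"
    exclude_ips: str = ""        # value for --exclude: address, range or subnet


# Profiles copied from the shipped-defaults table above.
ULTRA_FAST = ScanOptions("UltraFast", True, False, "T4",
                         custom_tcp_ports="22,135,62078", custom_udp_ports="161")
MEDIUM_CLASSIC = ScanOptions("Medium (Classic)", False, False, "T4",
                             top_tcp_ports=1000, custom_tcp_ports="62078",
                             custom_udp_ports="161")


def _common_args(opt: ScanOptions) -> List[str]:
    """Flags shared by every run of this profile."""
    args = ["nmap", f"-{opt.timing}", "-oX", "-"]   # XML on stdout, for parsing
    if not opt.must_respond_to_ping:
        args.append("-Pn")      # skip host discovery: scan hosts that ignore ping
    if opt.service_version_detection:
        args.append("-sV")
    if opt.timeout_per_host:
        args += ["--host-timeout", opt.timeout_per_host]
    if opt.exclude_ips:
        args += ["--exclude", opt.exclude_ips]
    return args


def nmap_commands(opt: ScanOptions, target: str) -> List[List[str]]:
    """Return the Nmap invocations for one profile against one target.

    Assumption of this example: each port source (top ports, custom ports) and
    each protocol gets its own run, so every run carries a single port-selection
    flag. Runs are returned as argument lists, ready for subprocess.run().
    """
    runs: List[List[str]] = []
    for proto, top, custom, excl in (
        ("tcp", opt.top_tcp_ports, opt.custom_tcp_ports, opt.exclude_tcp_ports),
        ("udp", opt.top_udp_ports, opt.custom_udp_ports, opt.exclude_udp_ports),
    ):
        proto_flag = ["-sU"] if proto == "udp" else []   # TCP uses Nmap's default
        excl_flag = ["--exclude-ports", excl] if excl else []
        if top:
            runs.append(_common_args(opt) + proto_flag
                        + ["--top-ports", str(top)] + excl_flag + [target])
        if custom:
            runs.append(_common_args(opt) + proto_flag
                        + ["-p", custom] + excl_flag + [target])
    return runs


def as_shell_lines(opt: ScanOptions, target: str) -> List[str]:
    """The same runs rendered as safely quoted shell command lines."""
    return [shlex.join(run) for run in nmap_commands(opt, target)]


if __name__ == "__main__":
    # 192.0.2.0/24 is a documentation range, used here as a constructed target.
    for profile in (ULTRA_FAST, MEDIUM_CLASSIC):
        print(f"# {profile.name}")
        for line in as_shell_lines(profile, "192.0.2.0/24"):
            print(line)
```

UltraFast produces two short runs (a TCP run for 22,135,62078 and a UDP run for 161, both with Nmap's default host discovery), which is why it finishes in a fraction of the Medium (Classic) time; Medium (Classic) produces three runs, all with -Pn, including a 1000-port TCP run.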

Example Improvement

We have a customer who is running discovery on a /22. Using the original (hard-set) options prior to 2.3.2, that scan took 29 hours to complete. Using the UltraFast option in 2.3.2, the same scan now takes less than 10 minutes. Obviously they are sacrificing some detail regarding Nmap ports, but as that is not an issue in this case, to say they are impressed would be an understatement! And don't forget, if the audited device is a computer, you will have a list of open ports derived from Netstat anyway.

Use Cases

Duplicate Serials

Recently we had cause to scan a subnet made up of virtual Cisco networking devices. These devices all happened to have identical serial numbers. Using Match Rules per Discovery (available to Enterprise users), we were able to tweak the ruleset for this discovery only, without affecting other discoveries that rely on matching a serial number. This ability solved a long-standing issue of working around a less than ideal setup on a network. A serial number, by definition, should be unique.

Filtered Ports

Networks respond differently depending on how they're configured. Some routers and/or firewalls can respond "on behalf" of IPs on the other side of their interfaces to the Open-AudIT Server. It is quite common to see Nmap report a probe for SNMP (UDP port 161) as open|filtered for devices that do and do not exist. This has caused Open-AudIT users some confusion in the past: they know there is no device at that IP, yet they end up with a device entry in the database. 99.9% of the time it is not Open-AudIT, nor even Nmap, but the network causing this issue. Now that we have the option to treat open|filtered ports as either open or closed, we can eliminate a lot of this confusion. Enterprise users even have the option to change this on a per-discovery basis (rather than just using the Medium (Classic) item, as above).


Sample Screenshot (Enterprise Options)

[Screenshot: Discovery Scan Options as shown to Enterprise users]

Display Improvements

As well as the functional improvements to discovery, we have also revised the Discovery Details page. It has sections for Summary, Details, Devices, Logs and IP Addresses. The Devices section, in particular, is now much more useful. We have added a new type, Unclassified, to the list, and we use this when we have more than just an IP and/or name for the device. For instance, we may know its IP, its name and the fact that it has port 135 open. That at least is a good indication that the device is likely a Windows machine, so we know "something", more than just "there is something at this IP". That is now an Unclassified device. We still support Unknown devices as always, for those devices we really know nothing about. An example of this screen is shown below.
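The open|filtered behaviour from the Filtered Ports use case and the new Unknown/Unclassified distinction both come down to how the Nmap result for each IP is read. The Python below is an added example, not Open-AudIT's code: it parses a small constructed Nmap XML result (two hosts in the 192.0.2.0/24 documentation range) and applies the "Must Respond to Ping" and "Consider Filtered Ports as Open" settings to decide whether each IP becomes a device entry at all, and whether that entry is Unknown or Unclassified. The sample XML, the HostEvidence class and the rules in classify_host are this example's approximation of the behaviour described on this page, not the product's actual logic.

```python
"""Classify Nmap results under the Discovery Scan Options policies (example code)."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed Nmap XML. Host .10 answered ping, has a name and a genuinely open
# port. Host .11 was only marked "up" because the scan ran with -Pn (reason
# "user-set"): its single result is the UDP 161 open|filtered non-answer that a
# firewall responding on behalf of an empty address produces.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="ws01.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="135"><state state="open" reason="syn-ack"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
  <host>
    <status state="up" reason="user-set"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostnames/>
    <ports>
      <port protocol="tcp" portid="135"><state state="closed" reason="reset"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered" reason="no-response"/></port>
    </ports>
  </host>
</nmaprun>"""


@dataclass
class HostEvidence:
    """What the scan actually learned about one IP."""
    ip: str
    name: Optional[str]
    answered_ping: bool            # a real reply, not a -Pn "user-set" assumption
    open_ports: List[str]          # e.g. "tcp/135"
    open_filtered_ports: List[str] # e.g. "udp/161": no answer, could be either


def parse_nmap_xml(xml_text: str) -> List[HostEvidence]:
    """Extract per-host evidence from Nmap -oX output."""
    hosts: List[HostEvidence] = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        answered = (status is not None and status.get("state") == "up"
                    and status.get("reason") != "user-set")
        addr = host.find("address[@addrtype='ipv4']")
        ip = addr.get("addr") if addr is not None else ""
        hn = host.find("hostnames/hostname")
        name = hn.get("name") if hn is not None else None
        open_ports: List[str] = []
        open_filtered: List[str] = []
        for port in host.findall("ports/port"):
            state = port.find("state").get("state")
            label = f"{port.get('protocol')}/{port.get('portid')}"
            if state == "open":
                open_ports.append(label)
            elif state == "open|filtered":
                open_filtered.append(label)
        hosts.append(HostEvidence(ip, name, answered, open_ports, open_filtered))
    return hosts


def classify_host(ev: HostEvidence, filtered_as_open: bool,
                  must_respond_to_ping: bool) -> Optional[str]:
    """Return None (no device entry), "Unknown" or "Unclassified" for one IP.

    Assumed rules, approximating the page's description: a device exists if it
    answered ping, has a truly open port, or (only when filtered ports count as
    open) has an open|filtered port. It is Unclassified when a name or a truly
    open port is known, otherwise Unknown.
    """
    if must_respond_to_ping and not ev.answered_ping:
        return None
    exists = ev.answered_ping or bool(ev.open_ports) or (
        filtered_as_open and bool(ev.open_filtered_ports))
    if not exists:
        return None
    if ev.name or ev.open_ports:
        return "Unclassified"
    return "Unknown"


def apply_policy(xml_text: str, filtered_as_open: bool,
                 must_respond_to_ping: bool) -> Dict[str, str]:
    """Map each IP that becomes a device entry to its device type."""
    result: Dict[str, str] = {}
    for ev in parse_nmap_xml(xml_text):
        kind = classify_host(ev, filtered_as_open, must_respond_to_ping)
        if kind is not None:
            result[ev.ip] = kind
    return result


if __name__ == "__main__":
    # Medium (Classic): filtered counts as open, ping not required -> phantom .11 recorded.
    print("Medium (Classic):", apply_policy(SAMPLE_XML, True, False))
    # Medium: filtered counts as closed, ping required -> phantom .11 dropped.
    print("Medium:         ", apply_policy(SAMPLE_XML, False, True))
```

With the Medium (Classic) settings the empty address 192.0.2.11 turns into an Unknown device purely on the strength of an open|filtered SNMP probe, which is exactly the confusing entry described above; with the Medium settings it is not recorded, while the real Windows host 192.0.2.10 is Unclassified under both.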

[Screenshot: Discovery Details page, Devices section]

This new functionality, I believe, makes Open-AudIT one of the easiest to use Nmap front ends available, while at the same time providing a great amount of flexibility for advanced users.

I hope you find it as useful as I do.


Mark Unwin.
