|Table of Contents|
When a discovery is run, the relevant discovery scan option is chosen and those settings are used by Nmap to scan the target devices. The scan options determine which ports nmap scans, how fast they scan and whether or not nmap ping is first used to determine if the IP is live or not.
Starting with Open-AudIT 2.3.2 we have introduced sets of pre-configured options for running the discovery scan, these pre-configured options allow a range of Nmap scan options. More detail is here: New Discovery Options
As at 3.3.0 we have introduced a "filtered|open" option to discovery scan options, this option determines if an open but filtered port is considered as an interesting port on the remote device. It has a default of 'y'. Previously we used the "filtered" column to check for open|filtered. This change aligns the discovery scan options with Nmap return strings.
As at 4.0.3 we allow the user to over-write individual discovery scan options without having to create a 'custom scan'.
How Does it Work?
When a discovery is run, the relevant discovery scan option is chosen and those settings used by Nmap to scan the target devices. If no option set is chosen, the default configuration item (discovery_default_scan_option) is selected and used.
If a device is individually discovered using the "Discover Device" link on the device details page, we first check if this device has been discovered previously (by Discovery) and if so, use the discovery options from that scan. If it has not been previously discovered, we revert to the configuration item discovery_default_scan_option the settings.
Creating a Discovery Scan Options entry
Discovery Scan Options are just another item collection. Enterprise users can create, read, update and delete entries as required. Professional users can read all entries, but not create new entries, update existing entries or delete entries. Community users have no GUI that allows access to this collection.
The attributes for discovery scan options are as below.
Must Respond To Ping. If set, Nmap will fist attempt to send and listen for an ICMP response. If the device does not respond, no further scanning will occur.
Previously a device did not have to respond to a ping for Open-AudIT to continue scanning.
Use Service Version Detection. When a detected port is detected as open, if set to 'y', Nmap will query the target device in an attempt to determine the version of the service running on this port.
This can be useful when identifying unclassified devices. This was not previously used.
|open|filtered||An open|filtered port is considered open (and will trigger device detection).|
Previously, Open-AudIT considered an Nmap response of "open|filtered" as a device responding on this port.
This has caused some customers issues where firewalls respond on behalf of a non-existing device, and hence cause false positive device detection. We now have this attribute available to set per scan.
A filtered port is considered open (and will trigger device detection).
|timing||The standard Nmap timing options. Previously set at T4 (aggressive).|
|nmap_tcp_ports||Top Nmap TCP Ports. The top 10, 100, 1000 ports to scan as per Nmaps "top ports" options. Previously we scanned the Top 1000 ports (the Nmap standard).|
|nmap_udp_ports||Top Nmap UDP Ports. The top 10, 100, 1000 ports to scan as per Nmaps "top ports" options. Previously we scanned UDP 161 (snmp) only.|
|tcp_ports||Custom TCP Ports. Any specific ports we would liuke scanned in addition to the Top TCP Ports. Comma seperated, no spaces.|
|udp_ports||Custom UDP Ports. Any specific ports we would liuke scanned in addition to the Top UDP Ports. Comma seperated, no spaces.|
|The below fields can be overwritten by an individual discovery, while still "using" a discovery_scan_options item for these if they're not set in the discovery (changed as at 4.0.3, see above).|
|timeout||Timeout per Target. Wait for X seconds for a target response.|
|exclude_tcp||Exclude any ports listed from being scanned. Comma seperated, no spaces.|
|exclude_udp||Exclude any ports listed from being scanned. Comma seperated, no spaces.|
|exclude_ip||Exclude IP Addresses (individual IP - 192.168.1.20, ranges - 192.168.1.30-40 or subnets - 192.168.1.100/30) listed from being scanned. Comma seperated, no spaces.|
|ssh_ports||Scan for this port(s) and if detected open, use this port for SSH communication. This is added to the list of Custom TCP POrts above, so there is no need to include it in that listr as well. Comma seperated, no spaces.|
The database schema can be found in the application is the user has database::read permission by going to menu: Admin -> Database -> List Tables, then clicking on the details button for the table.
API / Web Access
You can access the collection using the normal Open-AudIT JSON based API. Just like any other collection. Please see The Open-AudIT API documentation for further details.
Shipped are a set of default items. These can be found by going to menu: Help → Defaults → Discovery Scan Options.