Troubleshooting the Classification Phase in Discovery


Description

Video Tutorial: Troubleshooting a failed Discovery: Classification Phase


The classification phase of Discovery begins right after the Shazzam port scanner probe and ends once the results of the Classify probes have been processed, which in turn triggers the Identification phase. Immediately after the Shazzam probe returns, Discovery looks up the Port Probe table to determine which type of Classify probe to launch for each open port.

After the information is returned from the Classify probe, Discovery performs the classification phase, which determines the device type for each supported probe protocol. This is the first time Discovery uses credentials to query a target. Discovery classifies computers by operating system (OS) and network devices by their capabilities. Currently, the following protocols are supported for classification: SSH, WMI, SNMP, and CIM.


Under each protocol type, Discovery goes through the available classifiers to determine what type of device the target is. If a device matches the criteria for a given classifier, it is classified as that type, and the Identity probes specific to that device type are then triggered.

For example, if the target can communicate through SSH, it could be a Linux, Mac, AIX, or Solaris system, among others. Each classification type then dictates which probes Discovery runs in the Identification and Exploration phases.

If more than one classifiable port is open on a target, the corresponding protocols are tried in classification-priority order, so certain protocols are attempted before others.


In the base system, the classification priority is in this order: WMI > SSH > SNMP > CIM.

For example, if a device has both SNMP and SSH available to Discovery, the SSH classify probe is tried first. If it succeeds, Discovery continues with SSH until the device is fully discovered. If it fails, Discovery launches the SNMP classify probe to see whether the device can be explored with SNMP.
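The priority-and-fallthrough behaviour described above, as an added example in JavaScript that is not ServiceNow code: the port-to-protocol mapping stands in for the Port Probe table (the port numbers are assumptions), and the `classifierOutcome` callback stands in for whether a Classify probe succeeded against the target. A target that fails every candidate protocol ends in the "Active, couldn't Classify" status the article mentions.

```javascript
// Added example, not ServiceNow's implementation. Models how the classification
// phase chooses a protocol: candidates come from open ports, are tried in
// base-system priority order, and each failure falls through to the next.

// Assumed stand-in for the Port Probe table: port -> Classify probe protocol.
const PORT_PROBE_TABLE = { 135: 'WMI', 22: 'SSH', 161: 'SNMP', 5989: 'CIM' };

// Base-system classification priority as stated in the article.
const CLASSIFICATION_PRIORITY = ['WMI', 'SSH', 'SNMP', 'CIM'];

// openPorts: ports Shazzam reported open on the target (constructed input).
// classifierOutcome(protocol): true if the Classify probe for that protocol
//   succeeded (credentials accepted and a classifier matched); hypothetical hook.
function classifyTarget(openPorts, classifierOutcome) {
  // Ports with no Port Probe entry (e.g. 80) are not classification candidates.
  const candidates = new Set(
    openPorts.map(p => PORT_PROBE_TABLE[p]).filter(Boolean)
  );
  const attempts = []; // record of each Classify probe tried, in order

  for (const protocol of CLASSIFICATION_PRIORITY) {
    if (!candidates.has(protocol)) continue;
    const ok = classifierOutcome(protocol);
    attempts.push({ protocol, ok });
    if (ok) {
      // Identification then proceeds with this protocol only.
      return { status: 'Classified', protocol, attempts };
    }
    // Failure: fall through to the next protocol in priority order.
  }
  return { status: "Active, couldn't Classify", protocol: null, attempts };
}

// Constructed walkthrough: SSH and SNMP open, SSH credentials rejected.
const demo = classifyTarget([22, 161], protocol => protocol === 'SNMP');
console.log(demo.attempts.map(a => `${a.protocol}: ${a.ok ? 'ok' : 'failed'}`));
console.log(demo.status, demo.protocol); // Classified SNMP
```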

Troubleshooting Classification

Errors and warnings found during classification are written to the Discovery log for each Discovery run. These warnings are typical of probing in general. To capture classification detail in the log, make sure that the property glide.discovery.debug.classification is set to true.

If a classifier probe cannot connect to a device, the Discovery status lists it as Active, couldn’t Classify.


Common problems include:

Any system configuration must be evaluated and determined safe by your local security policies and processes.