Extend nmap capability in discovery node #1090

Merged
merged 4 commits into from
Mar 4, 2025

Conversation

noursaidi
Collaborator

Sample payload

{
  "generation": "2025-02-13T14:29:22Z",
  "family": "ether",
  "addr": "192.168.12.1",
  "version": "1.5.1",
  "timestamp": "2025-02-13T14:29:52Z",
  "refs": {
    "20": {
      "aux": {
        "port_number": "20",
        "sort_index": 20,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "21": {
      "aux": {
        "port_number": "21",
        "sort_index": 21,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "22": {
      "aux": {
        "port_number": "22",
        "sort_index": 22,
        "service": "ssh",
        "version": "9.2p1 Debian 2+deb12u4",
        "state": "open",
        "protocol": "tcp",
        "product": "OpenSSH",
        "banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u4"
      }
    },
    "25": {
      "aux": {
        "port_number": "25",
        "sort_index": 25,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "110": {
      "aux": {
        "port_number": "110",
        "sort_index": 110,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "143": {
      "aux": {
        "port_number": "143",
        "sort_index": 143,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "465": {
      "aux": {
        "port_number": "465",
        "sort_index": 465,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "587": {
      "aux": {
        "port_number": "587",
        "sort_index": 587,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "993": {
      "aux": {
        "port_number": "993",
        "sort_index": 993,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "995": {
      "aux": {
        "port_number": "995",
        "sort_index": 995,
        "state": "open",
        "protocol": "tcp"
      }
    },
    "1256": {
      "aux": {
        "port_number": "1256",
        "sort_index": 1256,
        "service": "smtp",
        "state": "open",
        "protocol": "tcp",
        "product": "Postfix smtpd",
        "banner": "220 73ee2106e1c9 ESMTP Postfix (Ubuntu)"
      }
    },
    "5361": {
      "aux": {
        "port_number": "5361",
        "sort_index": 5361,
        "service": "imap",
        "state": "open",
        "protocol": "tcp",
        "product": "Dovecot imapd",
        "banner": "* OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID \nENABLE IDLE STARTTLS AUTH=PLAIN] Dovecot (Ubuntu) ready."
      }
    },
    "21514": {
      "aux": {
        "port_number": "21514",
        "sort_index": 21514,
        "service": "ftp",
        "version": "1.3.5e",
        "state": "open",
        "protocol": "tcp",
        "product": "ProFTPD",
        "banner": "220 ProFTPD 1.3.5e Server (Debian) 73ee2106e1c9"
      }
    },
    "23451": {
      "aux": {
        "port_number": "23451",
        "sort_index": 23451,
        "service": "pop3",
        "state": "open",
        "protocol": "tcp",
        "product": "zpop3d",
        "banner": "+OK POP3 Server ready"
      }
    }
  },
  "event_no": 1
}

families={
    "port": {p.port_number: {"banner": p.banner} for p in host.ports}
},
refs={
    f"{p.port_number}": {"aux": dataclasses.asdict(p)} for p in host.ports
},
Collaborator

"Aux" should either be "ancillary" or "adjunct" depending on what it means, exactly. "Aux" I think is an old term (deprecated) and will actually cause problems on Windows systems so should be explicitly avoided.

If it's an "arbitrary bunch of JSON" produced by discovery that's primarily meant for some ML pipeline to consume in order to handle mapping (so helps with understanding how a device is connected), then it should be "ancillary"; if it's a key:string map of properties that describe how to contact/address the port (e.g. modbus parameters), then it should be "adjunct" -- it's not a hard line between them, so either would work in this case until we have a better idea of what they mean. The categories themselves are confusing too so we just kinda gotta roll with it for now.

Collaborator

This is defined in the schema/events_discovery.json file.
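Added example, not code from the PR or the project: it rebuilds the families/refs shape of the diff lines quoted above from a hypothetical Port dataclass, parses the sample payload back into Port objects while checking that each refs key matches its port_number, and walks the payload for keys that are Windows reserved device names (AUX is one), which is the concern raised about "aux" in the review. The Port class, the helper names and the two-port SAMPLE excerpt are assumptions; the sample drops None fields so it matches the payload above, where port 20 has no banner.

```python
import dataclasses
import json
from typing import Optional

# Windows reserved device names; "aux" is among them, so a key named aux
# cannot be used as a file name on Windows (the review comment's concern).
WINDOWS_RESERVED = {"con", "prn", "aux", "nul"} | {f"com{i}" for i in range(1, 10)} | {f"lpt{i}" for i in range(1, 10)}

@dataclasses.dataclass
class Port:  # hypothetical; mirrors the per-port fields in the sample payload
    port_number: str
    sort_index: int
    state: str
    protocol: str
    service: Optional[str] = None
    version: Optional[str] = None
    product: Optional[str] = None
    banner: Optional[str] = None

def _drop_none(items):
    return {k: v for k, v in items if v is not None}

def build_refs(ports):
    # Same shape as the PR's refs={...} comprehension; None fields are dropped so
    # the result matches the sample, where port 20 carries no service or banner.
    return {p.port_number: {"aux": dataclasses.asdict(p, dict_factory=_drop_none)} for p in ports}

def build_families(ports):
    return {"port": {p.port_number: {"banner": p.banner} for p in ports}}

def parse_event(event):
    # Rebuild Port objects from a parsed event, rejecting key/port_number mismatches.
    ports = []
    for key, ref in event["refs"].items():
        aux = ref["aux"]
        if key != aux["port_number"]:
            raise ValueError(f"ref key {key!r} != port_number {aux['port_number']!r}")
        ports.append(Port(**aux))
    return sorted(ports, key=lambda p: p.sort_index)

def reserved_keys(obj, path=""):
    # Return JSON paths of keys that are Windows reserved device names.
    found = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k.lower() in WINDOWS_RESERVED:
                found.append(f"{path}/{k}")
            found.extend(reserved_keys(v, f"{path}/{k}"))
    return found

# Constructed two-port excerpt of the sample payload above.
SAMPLE = json.loads('{"refs": {"22": {"aux": {"port_number": "22", "sort_index": 22, "service": "ssh",'
                    ' "state": "open", "protocol": "tcp", "product": "OpenSSH", "banner": "SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u4"}},'
                    ' "20": {"aux": {"port_number": "20", "sort_index": 20, "state": "open", "protocol": "tcp"}}}}')
```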

@noursaidi noursaidi merged commit 0585205 into faucetsdn:master Mar 4, 2025
3 of 8 checks passed