Glossary

This glossary endeavors to explain key Asset Manager and network terminology embedded in API attribute names.  For information on what is meant by explicit targetlearned CIDR, reference IP and more, look no further. 

Term Definition

Active

A device is “Active” if it’s responded to traffic we’ve sent to it or if we’ve heard about the device Indirectly (via SNMP for example).

Active Discovery

Scanning where a Collector’s Scannerplaces traffic on the network destined for a targeted address and listens for the responses from that address (or hops along the way in the case of Path)

Alert
An Alert is an event notification of finding a particular circumstance in the customer's network (during scanning and/or reporting) or regarding the system itself. Alert generation is configured from the Admin tab of the server, including whether the alerts are delivered to Syslog and/or IF-MAP.

Scanning and Reporting Alerts in Map's Node Details

System alerts and certain scanning and reporting alerts do not correspond to individual nodes on the map. Scanning, Reporting, and System Alerts not in Map's Node Details

Alert Priority A Priority of "Low" (0), "Med" (1), or "High" (2) is assigned to each alert, according to the alert configuration in effect when the alert is generated.

Alias

For credentials (like SNMP or WMI) an alias is just the name we associate with that credential for reporting purposes.  It allows us to say “secret1” in a report instead of putting the actual and presumably sensitive credentials into a report.

Collector

A collection of associated Scanners within a Zone that share a single Scanning Interface.

Command Center

The virtual machine that processes scan data from Collectors and reports on that data

Commanded Packet Rate

A Scout’s network interface can be given a Commanded Packet Rate.  This is the rate of scanning traffic  (in packets per second) that Asset Manager will not exceed (at least over intervals of greater than 1 second).  Depending on the targeted address space, we may not scan as quickly as the Commanded Packet Rate, but Asset Manager will not exceed this rate.  This rate is per Scanning Interface, this interface may be shared by more than one Collector

Device

As far as Asset Manager (the product) is concerned, a Device is one or more IP addresses that we’ve decided belong together.  Typically we think they belong together due to our getting SNMP data that says they’re all interface addresses for the same thing.  It’s an attempt to represent a physical thing that’s attached to the network, but it’s not always a complete match (we don’t have all the information that someone sitting in front of a physical device might have).

Device Message

The results of a Collector’s scan of a set of targets.  This is batched up into a number of Devices and sent to the Command Center for processing

Eligible List

A collection of CIDRs that dictate if further interrogation for a specified address should be performed. This is primarily used when a response is received from an address that is outside the target list and influences the decision to further interrogate this address.  In other words, if we target 2.2.2.2 and hear about 1.1.1.1, we’ll target 1.1.1.1 for scanning if it’s covered by the eligible list (e.g. if we had 1.0.0.0/8 in the eligible list)

Event

Event is an action or occurrence detected by a program. It can be “published” so that other parts of the Asset Manager system can act on it. At this point, it will appear as a notification.

Explicit Target

A Target explicitly defined in a Collector’s configuration (under Discovery Spaces > Target List)

Fact

Something we know about a Device by receiving data directly from that Device.  This would typically be via Active or Passive Discovery (eliding for the moment the idea that “Fact”s can be tricky things as we’re talking through the network to a Device so Facts can be altered in transit).  This would also include cases where we explicitly ask another system (like DNS) about a Device

Forwarder

A Device is a “Forwarder” if it’s seen in a trace (generated by the Path scanner) as anything but the last hop.  In other words, a device that generates an ICMP Time Exceeded message.  This is a Fact rather than an Inference

Indirect Discovery

Discovery where the system gets information about an address from something other than that address (e.g., BGP, DNS, or OSPF). For example, Asset Manager hears about device 2.2.2.2 while interrogating 1.1.1.1 via SNMP and learning about 2.2.2.2 from 1.1.1.1’s ARP table.

Inference

Something we can say about a Device that’s derived from Facts about a Device or by Indirect Discovery (or by things like MAC Vendor data etc.).  Profiling data (for example) is a collection of Inferences

Learned CIDR

A CIDR learned about via SNMP (either a host or a CIDR representing a route), OSPF, or BGP.

Loose IP

 

Notification

A message presented to the user as the result of an event.

Passive Discovery

Listening to traffic without putting any packets on the network. (e.g., Broadcast). This could also be a Scanner listening to traffic on a trunk or SPAN port.

Primary Target

A Target that’s explicitly specified in a Collector configuration or learned about via an SNMP routing table, BGP, or OSPF.  This is effectively a Host or Path target (these are the scan types that scan across entire CIDRs).  Responses to a Primary Target can create Secondary Targets.  That is to say, a response to Host can create targets for scan types like Port, or SNMP.

Qualified Address

An address that’s explicitly targeted, or learned and covered by the Eligible List. An address in the Avoid List cannot be Qualified.

Reference IP

For a Device with more than one IP address, we pick one address to refer to it by.  We pick the reference IP by the following criteria (subject to change):

1) Prefer IPv4 over IPv6

2) Prefer internal addresses

3) Prefer known addresses

4) Highest IP address

Rescan Interval

How often a Collector will target a specific Target.  Collectors fetch Targets as soon as they become available, even if there are a bunch of things already in the queue to be scanned.  The Rescan Interval is a guarantee that we won’t target something more often than once per Rescan Interval, but on a heavily loaded Collector it might take us longer than a Rescan Interval between us sending traffic to a given Target

Scanner

A specific bit of code (like SnmpHunter) that runs as part of a Collector on a Scout somewhere

Scanning Interface

A network interface associated with a Scout.  This interface can be used by one or more Collectors.  This interface can be given a Commanded Packet Rate.

Scout

A collection of Scanners and Scanning Interfaces running on a particular (virtual) machine.  These scanners could be associated with any number of Zones or Command Centers.  It could be a VM built and licensed as a Scout or an “Onboard Scout,” which is the Scout code running on a Command Center.  

Scout Interface

A specific network interface on a Scout.  This interface can be configured to throttle some discovery traffic (at least Host, Port, Path, and SNMP)

Secondary Target

A Target (/32 or /128) generated for a non-Host/Path scan(discovery)  type as a result of Asset Manager learning about an address.  These Targets can be generated by being discovered via Host or Path, being Indirectly or Passively discovered, or by having a device added via API.  These are the Targets the system generates itself (governed by discovered addresses, Eligible List, and Avoid List).

snmpAccessible

A device that we were able to talk to and get responses with a set of SNMP credentials.  If we just get an error message (an SNMPv3 credential error or a OID not found for v2) we will not be snmpAccessible though we will be an snmpResponder

SNMP Details

This is a Tertiary Target type.  If configured to do so, we will gather data from various SNMP OIDs and determine things like Interface or Route information

SNMP Discovery

This is a Secondary Target type.  When we do SNMP Discovery we try all the SNMP Credentials configured for a collector and report on which ones were accessible.  In SNMP Discovery we will gather things like sysObjectIdsysDescr, and potentially serial number information.

snmpResponder

A device that we got an SNMP response from even if we can’t fetch data from it with our SNMP credentials.  This could happen if we attempt to communicate with a device using SNMPv3, it can respond with an authentication error of some sort, this is different from SNMPv1/2c where the device usually doesn’t send anything back in the case of an authentication failure (though ACLs can cause SNMPv2 errors).

Spool File

On a Asset Manager command center, the data we ingest from scanning is contained under /var/spool/esi.  The files that a queued up for ingestion are at /var/spool/esi/preprocessing.  These files are commonly referred to as “Spool Files” and if we’re trying to debug why the system is behaving the way it does we’ll commonly start by looking at them.

Target

A combination of a CIDR, Scan Type, and Collector ID.  This can be a Primary, Secondary, or Tertiary Target.

Tertiary Target

Once a device has been scanned using a primary scan type, it is determined to be alive. After a secondary scan type, the target has been determined to have the potential of responding to a particular protocol. The tertiary scan type asks for heavier weight responses, such as SNMP Details, HTTP banners, CIFS, or WMI.

Time of Discovery

The time a Scout discovers a Device (or information about a Device)

Time of Record

The time a discovered Device is actually available in the database for reporting (the time it’s actually visible to a client).

Zone

A set of Collectors and the data associated with them. For the most part, data is not propagated across zones.