How to use Sweep Scans to get ready for Full Discovery - our approach

Version 3

    Dear Community,

     

    I was facing the situation where I had to scan an enormous IP range (multiple /16 subnets) on a daily basis.

    I'd like to share my solution and I hope it helps you get the daily work done.

     

    • Commands that have to be run from the CLI as the tideway user are shown in italics.
    • Any colored text should be customized to fit your needs.

     

    Create a (recurring) sweep scan

    As said before, we'll use the data collected by sweep scans to build our full discovery scans.

    So we need to create the sweep scans first...

    • Switch to Discovery > Add New Run ...
    • Create a scheduled sweep scan (which fits your infrastructure) and hit "OK"

     

    > I run my sweep scans once a month

     

    Create the password file

    Create the file containing the password for the system user

    • echo "systemuserpassword" > /usr/tideway/passwordfile

    Change the file permissions to 0600

    • chmod 0600 /usr/tideway/passwordfile

     

    > The password is required to run the tw_scan_control and tw_query commands

     

    Copy this script to /usr/tideway/ScanScheduler

    #!/bin/bash
    # Builds (or refreshes) the daily full discovery run from the endpoints
    # that the sweep scans found in the target range.
    _PASSWORD_FILE=/usr/tideway/passwordfile
    _IP_FILE=/tmp/_iplist
    _LBL="Full Discovery Servers"
    _COMPANY="My Company"
    _LEVEL="Full Discovery"
    _TW_BIN=/usr/tideway/bin
    _TW_LOG=/usr/tideway/log

    # ID of an already existing run with our label (empty if there is none yet)
    _SCAN_ID=$("$_TW_BIN/tw_scan_control" --list --passwordfile="$_PASSWORD_FILE" | grep "$_LBL" | cut -d' ' -f1)

    echo "$(date) $0 $1 triggered" >> "$_TW_LOG/${0##*/}.log"

    case "$1" in
    "-d")
        # remove the previously created run and stop
        "$_TW_BIN/tw_scan_control" --passwordfile="$_PASSWORD_FILE" --remove "$_SCAN_ID" >> "$_TW_LOG/${0##*/}.log" 2>&1
        exit
        ;;
    "-?"|"--help")
        echo "$0 usage:"
        echo "$0 - runs the script the normal way"
        echo "$0 -d - removes previously created run"
        echo "$0 -? | --help - display this"
        exit
        ;;
    esac

    # collect every endpoint in *.128-191.*.* that a sweep scan identified or accessed
    "$_TW_BIN/tw_query" --no-headings --passwordfile="$_PASSWORD_FILE" "SEARCH DiscoveryAccess where (end_state = 'DeviceIdentified' or end_state = 'GoodAccess') and endpoint matches '^\d+\.1(2[8-9]|[3-8][0-9]|9[0-1])' show endpoint" | sort -u > "$_IP_FILE"

    # update the existing run if there is one, otherwise create it
    # ($_SCAN_ID must be quoted: an unquoted empty value turns the test into "[ -n ]", which is always true)
    if [ -n "$_SCAN_ID" ]; then
        "$_TW_BIN/tw_scan_control" --passwordfile="$_PASSWORD_FILE" --daily --start-time=22:00 --no-end-time --label="$_LBL" --scan-level="$_LEVEL" --company="$_COMPANY" --update "$_SCAN_ID" --file "$_IP_FILE" >> "$_TW_LOG/${0##*/}.log" 2>&1
    else
        "$_TW_BIN/tw_scan_control" --passwordfile="$_PASSWORD_FILE" --daily --start-time=22:00 --no-end-time --label="$_LBL" --scan-level="$_LEVEL" --company="$_COMPANY" --add --file "$_IP_FILE" >> "$_TW_LOG/${0##*/}.log" 2>&1
    fi

    echo "$(date) $0 ended" >> "$_TW_LOG/${0##*/}.log"

    > /usr/tideway/ScanScheduler is just an example

    > I use both end states (DiscoveryIdentified is not enough: DeviceIdentified and GoodAccess) to be sure that new IPs that were scanned directly are "automatically" added through this script, too

    > The script output is written to "default logpath/scriptname" and because of this it is visible through the frontend

    > Customize the red text to fit your needs! For me it was every IP from *.128-191.*.*
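    An added example (not code from Patrick's post): a small validation step that can sit between the tw_query call and tw_scan_control, so that a malformed endpoint in the query output never reaches the scan and an empty result never replaces a working run. It assumes the one-endpoint-per-line output of tw_query --no-headings and the same target range as the script (second octet 128-191); the sample query output is constructed.

```shell
#!/bin/sh
# Added example, not part of the original post. Filters the endpoint list the
# ScanScheduler script builds from tw_query output before tw_scan_control sees it.
# Assumes one endpoint per line (tw_query --no-headings) and the range *.128-191.*.*.

# Constructed sample of a tw_query result: a duplicate, an out-of-range address,
# a blank line and two malformed entries are mixed in on purpose.
SAMPLE_TW_QUERY_OUTPUT='10.130.4.7
10.130.4.7
10.12.0.9
not-an-ip
10.191.255.1
10.192.0.1

10.128.0.300'

# Succeed only when $1 is a syntactically valid dotted-quad IPv4 address.
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    local IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Succeed only when the second octet of $1 lies in 128..191.
in_target_range() {
    local second
    second=${1#*.}
    second=${second%%.*}
    [ "$second" -ge 128 ] && [ "$second" -le 191 ]
}

# Read endpoints on stdin; print the valid in-range ones sorted and de-duplicated.
# Return 1 when nothing survives, so the caller can refuse to overwrite a working
# run with an empty IP list.
filter_endpoints() {
    local kept
    kept=$(while read -r line; do
               is_ipv4 "$line" && in_target_range "$line" && printf '%s\n' "$line"
           done | sort -u)
    [ -n "$kept" ] || return 1
    printf '%s\n' "$kept"
}

# In the script this would read: tw_query ... | filter_endpoints > "$_IP_FILE" || exit 1
printf '%s\n' "$SAMPLE_TW_QUERY_OUTPUT" | filter_endpoints
```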

     

    Create the ScanScheduler.cron file and add it to the cron scheduler

    Create the file /usr/tideway/etc/cron/ScanScheduler.cron and paste the following lines to it:

     

    # daily run of the scan scheduler
    50 19 * * * /usr/tideway/ScanScheduler

    Run tw_cron_update to make sure that it's added to the cron scheduler

    • tw_cron_update

     

    Enjoy!

    Well ... just enjoy it!

    I'd kindly appreciate any feedback, enhancements, etc.

     

    Regards,

    Patrick