Using Auto-Discovery to Auto-Populate Lilac

Lilac provides a robust Auto-Discovery system, powered by NMAP, that offers a flexible way of discovering new devices on your network and adding them to your Lilac configuration. This is done by attaching Auto-Discovery filters to Host Templates. When you execute an Auto-Discovery job, Lilac attempts to match any found devices against the filters you've set up on your host templates. If any filters match, that Host Template is suggested for the found device, based on the number of filters it hit (its probability). You can also assign a default template to devices for which no filters matched. The Auto-Discoverer also gives you complete control over which found devices you import and which template is assigned to each.

Prerequisites

In order to perform a successful Auto-Discovery, a few things must be in order beforehand. These are:

  • Lilac must have enhanced privileges to NMAP to perform the required types of scans to fulfill a successful discovery. This is most commonly done using sudo. View Setting Up Sudo for Lilac for more information.
  • There are no strict firewalls in place which may hinder a successful discovery.

Creating Filters

Auto-Discovery filters are assigned to Host Templates. In Lilac, a Host Template contains a complete definition for a host, including its services, dependencies, escalations and group memberships. By assigning a template to a host, you bring in all of those definitions. By creating auto-discovery filters and attaching them to host templates, the steps required to add new devices to your Lilac configuration become trivial. Furthermore, filter rules are inheritable: if a host template inherits from another template that has filters defined, those filters are brought into the child template.

The list of filters for a host template is found under its Auto-Discovery Filters section.

Auto-Discovery Filters

There are two types of filters for a host template: its basic system filters and its service filters. The basic system filters are modified by choosing the edit link. You are then brought to the Generic Auto-Discovery filters modification page.

System Filters

Each of these filters is used to potentially match new devices to this template. The filters use PCRE regular expressions to match against strings Lilac collects when finding devices. For example, if you wanted any host found within the 192.168.5.x class C network to match this template, you could provide this regular expression in the Address Filter: /^192\.168\.5\.\d+$/. The dots are escaped and the expression is anchored so that it matches only addresses in that network. Another example: if you wanted to match any device whose operating system family is a form of Linux, you could provide the following expression in the Operating System Family Filter: /linux/i. The syntax for PCRE regular expressions can be found at: Perl Regular Expression Documentation.

Service Filters

When Lilac finds a device on your network, it also collects a list of open ports running on it and attempts to find further information regarding those open ports such as what type of service is running on it. When under the Auto-Discovery Filters section of a Host Template, you can add a new service filter to this host template. At a minimum, you need to provide what protocol the port should be under (TCP or UDP) as well as the port number. You can further refine the filter by specifying regular expressions to match against the name, product, version and any extra information the underlying NMAP scan finds about the port.

Service Filters
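How system and service filter hits turn into a suggested template, as an added example (not Lilac's own code): it parses a constructed scan result in NMAP's XML output layout and scores two hypothetical templates that differ only in the Address Filter. The scoring rule (filters hit divided by filters defined) and the 192.168.1.x addresses are assumptions; the unanchored pattern with unescaped dots also hits 192.168.100.7, which the anchored pattern rejects.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the layout of `nmap -oX` output (not real scan data).
NMAP_XML = """<nmaprun>
<host><address addr="192.168.1.10" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="22"><state state="open"/>
  <service name="ssh" product="OpenSSH"/></port></ports>
 <os><osmatch name="Linux 5.4"><osclass osfamily="Linux"/></osmatch></os></host>
<host><address addr="192.168.100.7" addrtype="ipv4"/>
 <ports><port protocol="tcp" portid="3389"><state state="open"/>
  <service name="ms-wbt-server"/></port></ports>
 <os><osmatch name="Windows 10"><osclass osfamily="Windows"/></osmatch></os></host>
</nmaprun>"""

def parse_hosts(xml_text):
    """Return address, OS family and open ports {(proto, port): service attrs} per host."""
    hosts = []
    for h in ET.fromstring(xml_text).iter("host"):
        osc = h.find("os/osmatch/osclass")
        ports = {}
        for p in h.iter("port"):
            if p.find("state").get("state") == "open":
                svc = p.find("service")
                ports[(p.get("protocol"), int(p.get("portid")))] = dict(svc.attrib) if svc is not None else {}
        hosts.append({"address": h.find("address").get("addr"), "ports": ports,
                      "os_family": osc.get("osfamily") if osc is not None else ""})
    return hosts

def score(template, host):
    """Percentage of the template's filters hit by this host (assumed scoring rule)."""
    hits = total = 0
    for field, pattern, flags in template["system"]:
        total += 1
        hits += bool(re.search(pattern, host[field], flags))
    for proto, port, name_pattern in template["services"]:
        total += 1
        svc = host["ports"].get((proto, port))
        hits += svc is not None and bool(re.search(name_pattern, svc.get("name", "")))
    return round(100 * hits / total) if total else 0

# Hypothetical templates: same filters, only the Address Filter differs.
SERVICES = [("tcp", 22, r"^ssh$")]
LOOSE = {"system": [("address", r"192.168.1.\d", 0), ("os_family", r"linux", re.I)], "services": SERVICES}
STRICT = {"system": [("address", r"^192\.168\.1\.\d{1,3}$", 0), ("os_family", r"linux", re.I)], "services": SERVICES}

if __name__ == "__main__":
    for host in parse_hosts(NMAP_XML):
        print(host["address"], "loose:", score(LOOSE, host), "strict:", score(STRICT, host))
```

With the loose Address Filter the Windows host at 192.168.100.7 still registers a hit on the Linux template, so it would be offered that template instead of falling through to the default.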

Creating the Auto-Discovery Job

You can access the Auto-Discovery by clicking on Tools at the top and choosing Auto-Discovery. The following screen appears:

Create Discovery Job

Fill out the following fields and checkboxes to customize the export job.

  • Job Name: A name for the auto-discovery job to differentiate it from other existing auto-discovery jobs.
  • Job Description: A description for the auto-discovery job.
  • NMAP Binary Location: The full path to the NMAP binary.
  • Default Template if No Templates Match: If no filters were hit for a found device, the template selected here is assigned to it; otherwise no template will be assigned to the new host.
  • Target Specification: You must provide at least one target for Lilac to scan. Any target which matches the Target Specification syntax for NMAP is supported. You can provide multiple targets by using the Add Target link.

Once filled out, click on Begin Auto-Discovery Job to start the discovery job and take you to the Job Details screen.

Monitoring the Discovery Job

The Job Details screen below shows statistics of the Discovery Job, its status, and its Job Log.

Job Details Screen

The Job Details pane shows when the Job started and how long it has run. It also shows its current status. Once the job completes or fails, the Current Status will be updated. You can also choose to Restart the Job, Remove it from Lilac, or Return to the Auto-Discovery Menu to create a new Auto-Discovery Job or view other existing Jobs.

The Job Log pane shows the log for the Discovery Job. As the Discoverer runs, the Log gets updated to state its progress. Any issues with the discovery job can be found here. There are paging controls at the bottom to navigate the log. The refresh button will refresh the Job Log pane with the latest Log data.

Completing the Auto-Discovery Job

Once the Discovery Job is complete, the Current Status will be updated and a Green success message will fade in to alert you of its success. Clicking on the Green Status message will take you to the Auto-Discovery Results.

Successful Discovery

At this screen, you will be able to see the list of devices available for importing into your configuration as a result of discovery. General information regarding the hosts is listed, including the name the host will be given, its description, what parent host it will belong to (if any), as well as the template which will be assigned to it.

If you want to modify any of the characteristics of any host, click on the Modify Details link to the right of the host entry. This will take you to the Device Details screen.

Device Details Page

At this point, you can change the hostname and description of the device which will be added to Lilac, or change the template which will be assigned to it. A drop-down list of templates is given, along with the percentage match of this device against each template (percentage of filters hit by this device). If you modified any of the filters for your host templates and want Lilac to re-calculate matches, you can choose Recalculate Template Matches to run the matching process against this device again. You can also view the list of services that the underlying NMAP scan found on this device. You can use this information to create additional filters on your host templates to make them more flexible.

Once any changes are made and you are back at the Device List, you can check the box to the left of the devices you want to either import into Lilac or drop from the list altogether. If you want to import selected items, select the devices, make sure that Import is selected, then click on Process. Lilac will import the devices into your configuration. If you want to drop any devices from this list, select the devices, choose Remove as the action, then click on Process.

Devices Imported

You do not have to manage this list all at once. You can import a few at a time. You can then close your browser, go somewhere else in Lilac, and then come back to the auto-discovery page to come back to this list and continue importing at your leisure.
