Alert Logic® uses discovery scanning to identify hosts and other assets in data center deployments, where no other data sources like cloud APIs provide asset information. When a physical or virtual Alert Logic appliance is installed in a data center deployment, the appliance will periodically scan the local network using discovery scans. If multiple network address blocks (CIDR ranges) are associated with the network, each block will be scanned separately. The scheduling of discovery scans can be configured in the Deployments > Configuration section of the Alert Logic console.
During a discovery scan, the following steps are taken for each individual address in each network block:
- An ICMP echo (ping) request is sent. If an answer is not received on the first attempt, another ICMP ping is sent.
- An ICMP timestamp request is sent.
- A “TCP ping” is sent to 22 commonly used TCP ports (21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143, 443, 445, 993, 995, 1723, 3306, 3389, 5900, 8080, 8400, 49154). TCP pings use a variation of the standard TCP three-way handshake to determine whether a machine responds. This method sends an unsolicited TCP Synchronize (TCP SYN) to the specified port. An active machine answers the unsolicited SYN, with a reset (RST) if nothing is listening on that port; any such answer shows the host is up.
- The 12 most common UDP ports are tested for response (ports 53, 69, 111, 123, 137, 138, 161, 177, 445, 500, 1900, 4500).
Note: Responses from an IP address that actively indicate a closed port are used as evidence of a live host.
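The probe sequence above and the closed-port rule in the note together define what a discovery scan looks like from the network's side. The following script is an added example, not Alert Logic's code: it reads constructed flow-log lines in an assumed `<ts> <src> -> <dst> <proto> [port=N] <result>` format, keeps only probes that match the documented discovery profile (ICMP echo and timestamp, the 22 TCP ports, the 12 UDP ports), and reports which hosts the scan would have counted as live, including hosts whose only evidence was a reset or an ICMP port-unreachable reply to a closed port. Off-profile probes are reported separately so an analyst can tell the appliance's expected scanning apart from something else.

```python
"""Classify discovery-scan traffic in flow logs and reconstruct host liveness.

Added example (not Alert Logic's code). The log format, the sample lines and the
result vocabulary ("echo-reply", "rst", "port-unreachable", ...) are constructed
assumptions for this demonstration.
"""
import re
from collections import defaultdict

# Ports the discovery scan is documented to probe.
DISCOVERY_TCP_PORTS = frozenset({21, 22, 23, 25, 53, 80, 110, 111, 135, 139, 143,
                                 443, 445, 993, 995, 1723, 3306, 3389, 5900,
                                 8080, 8400, 49154})
DISCOVERY_UDP_PORTS = frozenset({53, 69, 111, 123, 137, 138, 161, 177, 445, 500,
                                 1900, 4500})

# Replies that prove a host is up. "rst" (TCP reset) and "port-unreachable"
# (ICMP answer to a UDP probe) both indicate a *closed* port, yet they still
# count as evidence of a live host, which is the rule the note states.
LIVE_REPLIES = frozenset({"echo-reply", "timestamp-reply", "syn-ack", "rst",
                          "port-unreachable", "udp-reply"})

# Assumed log line shape: "<ts> <src> -> <dst> <proto> [port=N] <result>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+) "
    r"(?P<proto>icmp-echo|icmp-timestamp|tcp|udp)(?: port=(?P<port>\d+))? "
    r"(?P<result>\S+)$"
)

# Constructed sample: 10.0.0.5 is the scanning appliance.
SAMPLE_LOG = """
2024-05-01T10:00:00Z 10.0.0.5 -> 10.0.0.10 icmp-echo no-reply
2024-05-01T10:00:01Z 10.0.0.5 -> 10.0.0.10 icmp-echo echo-reply
2024-05-01T10:00:02Z 10.0.0.5 -> 10.0.0.11 icmp-echo no-reply
2024-05-01T10:00:03Z 10.0.0.5 -> 10.0.0.11 icmp-echo no-reply
2024-05-01T10:00:04Z 10.0.0.5 -> 10.0.0.11 icmp-timestamp no-reply
2024-05-01T10:00:05Z 10.0.0.5 -> 10.0.0.11 tcp port=22 rst
2024-05-01T10:00:06Z 10.0.0.5 -> 10.0.0.12 icmp-echo no-reply
2024-05-01T10:00:07Z 10.0.0.5 -> 10.0.0.12 icmp-echo no-reply
2024-05-01T10:00:08Z 10.0.0.5 -> 10.0.0.12 icmp-timestamp no-reply
2024-05-01T10:00:09Z 10.0.0.5 -> 10.0.0.12 tcp port=443 no-reply
2024-05-01T10:00:10Z 10.0.0.5 -> 10.0.0.12 udp port=161 port-unreachable
2024-05-01T10:00:11Z 10.0.0.5 -> 10.0.0.13 tcp port=80 no-reply
2024-05-01T10:00:12Z 10.0.0.5 -> 10.0.0.13 udp port=123 no-reply
2024-05-01T10:00:13Z 10.0.0.5 -> 10.0.0.14 tcp port=8443 syn-ack
"""


def parse_line(line):
    """Return an event dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"]) if ev["port"] else None
    return ev


def is_discovery_probe(ev):
    """True when the probe is one the documented discovery scan would send."""
    proto, port = ev["proto"], ev["port"]
    if proto in ("icmp-echo", "icmp-timestamp"):
        return port is None
    if proto == "tcp":
        return port in DISCOVERY_TCP_PORTS
    if proto == "udp":
        return port in DISCOVERY_UDP_PORTS
    return False


def summarize(log_text):
    """Split probes into on-profile and off-profile, then decide liveness per host.

    Returns live hosts, hosts that never answered any probe, the first piece of
    evidence that made each host live, and the off-profile events.
    """
    events_by_host = defaultdict(list)
    off_profile = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:          # blank or unparseable line
            continue
        if is_discovery_probe(ev):
            events_by_host[ev["dst"]].append(ev)
        else:
            off_profile.append(ev)

    evidence = {}
    for host, evs in events_by_host.items():
        for ev in evs:          # events are already in log order
            if ev["result"] in LIVE_REPLIES:
                evidence[host] = (ev["proto"], ev["port"], ev["result"])
                break
    live = set(evidence)
    silent = set(events_by_host) - live
    return {"live": live, "silent": silent, "evidence": evidence,
            "off_profile": off_profile}


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for host in sorted(report["live"]):
        print(f"{host}: live, first evidence {report['evidence'][host]}")
    for host in sorted(report["silent"]):
        print(f"{host}: no response to any discovery probe")
    for ev in report["off_profile"]:
        print(f"off-profile probe: {ev['src']} -> {ev['dst']} {ev['proto']}/{ev['port']}")
```

Run it as-is to see the report for the constructed sample; on a real export, feed the file contents to `summarize()` after adapting `LOG_RE` to that log's layout. Host 10.0.0.11 is counted live only because of the reset on tcp/22, and 10.0.0.12 only because of the port-unreachable on udp/161, which is exactly the closed-port evidence the note describes; 10.0.0.13 answered nothing and stays silent, and the probe to tcp/8443 is outside the documented profile, so it is reported rather than attributed to the discovery scan.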