Duplicate assets in AWS

geoff_galitz · October 13, 2020, 12:39pm

Hiya. In our InsightVM / Nexpose console we have a site with an AWS discovery connection. Assets are being created properly, however we see duplicates created over time.

The correct asset record has the internal DNS name of the instance and scan data, but no meta-data. The duplicate record has only the ec2 metadata but no scan data, no details (e.g. MAC address) and no DNS name, only the IP and ec2 default name (e.g. ip-xx-xx-xx-xx.ec2.internal)

Support so far has been unable to solve this. Our DNS resolvers are consistent across all scan engines and the console.

Has anyone else run into this and maybe resolved it?

holly_wilsey · October 14, 2020, 9:40pm

I checked with the team on this and we’ve actually identified the duplicate AWS assets issue as a known issue within the product. We’ve got a ticket in for it and are planning to implement a fix in the coming months.

geoff_galitz · October 15, 2020, 9:50am

Ok dokie… thanks for the follow up!

ephrem_ocansey · January 4, 2021, 10:01pm

Hi Holly,
please what about this problme.
I still deal with it.
Thanks and Happy New year.

holly_wilsey · January 5, 2021, 8:18pm

I double checked and the team is actively working on a fix for this. My understanding is that the best way around this for now is to ensure you’re running authenticated scans. This will resolve the AWS/agent unique ID’s and allow for correlation. If that’s not possible, then the fix we’re working on can further help.

ktwingstrom_ktwingstrom · January 12, 2021, 5:06pm

Is your problem showing multiple assets all with the same Unique Identifier from the agent on the AWS instances but all with different vulns? That’s what we’re experiencing in our environment. It sounds related but similar, I wanted to verify.

ephrem_ocansey · January 14, 2021, 10:49am

Hi,
it isn’t the same problem but your problem seem to be Asset correlation issue.
you must set asset correlation on and configure your scan template to Allows the Insight Agent to respond to the Rapid7 Scan Engine on UDP Port 31400 with the asset UUID to ensure proper asset correlation.

ktwingstrom_ktwingstrom · January 14, 2021, 3:26pm

I checked out settings and asset correlation is ON on the agents, and our template is using common ports and it’s also specifically got 34100 listed in the additional UDP ports section. Still getting multiple asset copies like I mentioned. Any other ideas?

ephrem_ocansey · January 17, 2021, 8:37am

Sorry, no other idea.

jake_sturk · February 18, 2021, 6:58pm

port 31400*

hayden_poff · February 19, 2021, 10:44pm

@geoff_galitz, here is a simple SQL query my team and I came up with to assist us with duplicates. We have this scheduled to run as a daily report. You still have to find search out the asset and remove the oldest one, however it works pretty well regardless. We run this against our “Rapid 7 Agent” Site, but you can run it against any/all sites if you wish. Hope this helps!

SELECT DISTINCT UPPER(da.host_name) AS Host_Name, count(*) AS Duplicates
FROM dim_asset da 
GROUP BY da.host_name
HAVING count(*) > 1

justin_baker · March 2, 2022, 4:42pm

Hello Holly, do you know if the fix the team was working on has been completed? I believe I’m having similar issues. Thanks!

aaustin.palmer · May 13, 2022, 1:25pm

Still running into this issue. Any fix ?

pelolu · April 6, 2023, 11:23am

Same here. This is leading to bad reporting. Anyone tried the asset correlation option and confirm it works.