Issues Correlating Asset & IP Address

Hello everyone,

I feel like this is a fairly basic question or issue, so apologies there. When I ask the R7 Platform to “Scan Now” an asset, it will scan the machine based on its IP address and not its hostname. If the platform has not updated its IP address, it will scan a completely different machine. I know I can isolate that asset to its own site, but barring that, is there a better fix for this?

I’m guessing this could be an issue with agent communication; however, I’d also like to know why the engine decides to do a lookup of the IP address and not the hostname. Is there some decision there that I’m missing? You can see this occur if you download the scan logs and look for the [version#].scan.0.log file.

What is the issue that you are trying to fix? The platform doesn’t know that asset’s current IP address; it only knows the IP that it last checked into the platform with. For single asset scans, as you alluded to, it is typically recommended to put these in a separate site for one-off scans.

If this is an issue that you are seeing often you can always increase how often the agent checks in to your platform.

When I click “Scan Now” on an asset’s page on the IVM platform or ask for a site to get scanned, I’d like for that/those asset(s) to actually get scanned.
I know that the platform holds the old IP address, but if I’m asking for an asset to be scanned, I’m identifying it by name and would like the scan assistant or engine to do the same. I checked the logs and it looks like it does a reverse lookup using the outdated IP address that is on the platform. This then gives the engine the hostname currently associated with that IP address to scan. I can remove assets if they are stale, but then I have to wait for the agent to check back in. Assets I want to scan will get missed and assets I did not want results for will instead be hit by the scan. Why does the engine not do a lookup for the hostname and return the IP address?
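A pre-scan check for the mismatch described above, as an added example that is not code from the original post or from Rapid7: it compares the IP the console last recorded for each hostname with a forward lookup of that hostname, and reports which stale entries would land a scan on some other host. The asset names, addresses and the FORWARD/REVERSE tables are constructed stand-ins for a real DNS zone (in practice `socket.gethostbyname` / `socket.gethostbyaddr` would replace them).

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data (not real assets): the IP the console last
# recorded for each agent-reported hostname.
RECORDED = {
    "web01.corp.example": "10.0.1.20",
    "db01.corp.example": "10.0.1.30",
    "lab07.corp.example": "10.0.2.45",
}
# Constructed stand-in for the current forward (A) records.
FORWARD = {
    "web01.corp.example": "10.0.1.20",
    "db01.corp.example": "10.0.1.31",    # db01 moved since its last check-in
    "jump02.corp.example": "10.0.1.30",  # and its old address has been reused
}
# Constructed stand-in for the PTR records, derived from FORWARD.
REVERSE = {ip: name for name, ip in FORWARD.items()}

@dataclass
class ScanCheck:
    hostname: str
    recorded_ip: str
    current_ip: Optional[str]   # forward lookup of the hostname, if any
    collateral: Optional[str]   # host a scan of recorded_ip would hit instead
    status: str                 # "ok", "stale" or "unresolvable"

def check_asset(hostname: str, recorded_ip: str,
                forward=FORWARD, reverse=REVERSE) -> ScanCheck:
    """Compare the recorded IP with what the hostname resolves to now."""
    current_ip = forward.get(hostname)
    if current_ip is None:
        status = "unresolvable"
    elif current_ip == recorded_ip:
        status = "ok"
    else:
        status = "stale"
    # Reverse lookup of the recorded IP mirrors what the engine does and
    # shows which machine a Scan Now on this asset would actually reach.
    collateral = reverse.get(recorded_ip)
    if collateral == hostname:
        collateral = None
    return ScanCheck(hostname, recorded_ip, current_ip, collateral, status)

def triage(recorded=RECORDED, forward=FORWARD, reverse=REVERSE) -> Dict[str, list]:
    """Bucket assets so stale ones can be corrected or excluded before scanning."""
    buckets: Dict[str, list] = {"ok": [], "stale": [], "unresolvable": []}
    for host, ip in recorded.items():
        buckets[check_asset(host, ip, forward, reverse).status].append(
            check_asset(host, ip, forward, reverse))
    return buckets
```

Running `triage()` on the sample data flags db01 as stale, with jump02 as the host its old address would hit, and lab07 as unresolvable.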

I get what you mean, but if you think about it from a vulnerability perspective, hostnames are actually less reliable, so the scan engine needs a concrete piece of evidence to work off of to gather vuln data. Meaning the hostname is not the scan target; the IP is.

That may not be the official answer Rapid7 support would give you (you should raise a ticket on this issue; they may be able to help), but that is the way I see the situation.

1 Like