Multiple Assets identifying under a single ip

Hey all,

I seem to have discovered in one of my asset groups that I have multiple assets tied to a single ip. Assets all have different hostnames, too. When looking at the asset page it has two different ip addresses listed.

Looking to understand this better. Would this be due to having multiple dynamic discovery sources enabled that is causing this duplication ?

Thanks.
Jake

If you hover over the Asset, and look at the bottom of the page, do they all show the same asset_id or different asset_id?

this sounds like a side effect of asset linking.

If the option to link assets across sites is disabled, Nexpose regards each asset as distinct from any other asset in any other site whether or not a given asset in another site is likely to be the same device.

For example, an asset named server1.example.com, with an IP address of 10.0.0.1 and a MAC address of 00:0a:95:9d:68:16 is part of one site called Boston and another site called PCI targets. Because this asset is in two different sites, it has two unique asset IDs, one for each site, and thus is regarded as two different entities.

Assets are considered matching if they have certain proprietary characteristics in common, such as host name, IP address, and MAC address.

If the option to link assets across sites is enabled, Nexpose determines whether assets in different sites match, and if they do, treats the assets that match each other as a single entity

https://docs.rapid7.com/nexpose/linking-assets-across-sites/

I noticed that the rapid7 agent UUID was unique from multiple entries. Assuming this is a side effect of having assets span across multiple sites. Perhaps asset linking in my scenario is not ideal.

Asset Linking is essentially cross site correlation. So if it were to be disabled, any assets that are in multiple sites would count as additional assets towards the license. Disabling it is generally more geared towards MSSPs that need a more complete separation of data.

When we correlate, we correlate in the following order, Agent ID/Unique ID then Hostname then Mac Address and finally IP address. Hope this helps!

1 Like

Could you please validate this internally? According to our understanding, it is in the following order:

  • first Uniqueness (+ incuding VMID when no clear match)
  • then IP, HOST, and MAC, having their unique weight, but part of a simple addition, defining the actual level of correlation.

I am 100% sure that IP address is the least likely thing to correlate on. If we did dynamic DHCP environments would cause asset correlation havoc.