Multiple Assets identifying under a single IP

Hey all,

I seem to have discovered in one of my asset groups that I have multiple assets tied to a single IP. Assets all have different hostnames, too. When looking at the asset page it has two different IP addresses listed.

Looking to understand this better. Would this be due to having multiple dynamic discovery sources enabled, which is causing this duplication?

Thanks.
Jake

If you hover over the Asset, and look at the bottom of the page, do they all show the same asset_id or different asset_id?

This sounds like a side effect of asset linking.

If the option to link assets across sites is disabled, Nexpose regards each asset as distinct from any other asset in any other site whether or not a given asset in another site is likely to be the same device.

For example, an asset named server1.example.com, with an IP address of 10.0.0.1 and a MAC address of 00:0a:95:9d:68:16 is part of one site called Boston and another site called PCI targets. Because this asset is in two different sites, it has two unique asset IDs, one for each site, and thus is regarded as two different entities.

Assets are considered matching if they have certain proprietary characteristics in common, such as host name, IP address, and MAC address.

If the option to link assets across sites is enabled, Nexpose determines whether assets in different sites match, and if they do, treats the assets that match each other as a single entity.

https://docs.rapid7.com/nexpose/linking-assets-across-sites/

I noticed that the Rapid7 agent UUID was unique from multiple entries. Assuming this is a side effect of having assets span across multiple sites. Perhaps asset linking in my scenario is not ideal.

Asset Linking is essentially cross site correlation. So if it were to be disabled, any assets that are in multiple sites would count as additional assets towards the license. Disabling it is generally more geared towards MSSPs that need a more complete separation of data.

When we correlate, we correlate in the following order: Agent ID/Unique ID, then Hostname, then MAC Address, and finally IP address. Hope this helps!

Could you please validate this internally? According to our understanding, it is in the following order:

  • first Uniqueness (+ including VMID when no clear match)
  • then IP, HOST, and MAC, having their unique weight, but part of a simple addition, defining the actual level of correlation.

I am 100% sure that IP address is the least likely thing to correlate on. If we did, dynamic DHCP environments would cause asset correlation havoc.

Hi,
We use asset linking, and the fact that R7 links by IP alone is causing havoc, as you suggested.
We have multiple sites that are not WAN connected and some have the same IP address range, so linking by IP is causing serious issues. Even when R7 recognizes that they have different OS, it still links them and identifies them as the same asset, which they could never be.
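
A triage check for the situation discussed in this thread, added here as an example and not part of any post or of Rapid7's code: it groups exported asset records by IP and reports whether the records sharing an address agree or conflict on the stronger identifiers named above (agent ID, hostname, MAC). The record field names and the sample rows are constructed assumptions, not a real Nexpose export format.

```python
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a product schema.
ASSETS = [
    {"asset_id": 101, "site": "Boston", "ip": "10.0.0.1",
     "hostname": "server1.example.com", "mac": "00:0a:95:9d:68:16", "agent_id": "a-1"},
    {"asset_id": 202, "site": "PCI targets", "ip": "10.0.0.1",
     "hostname": "server1.example.com", "mac": "00:0A:95:9D:68:16", "agent_id": "a-1"},
    # Two unconnected sites reusing the same private range.
    {"asset_id": 303, "site": "Branch A", "ip": "192.168.1.10",
     "hostname": "pos-a.example.com", "mac": "00:11:22:33:44:55", "agent_id": "a-2"},
    {"asset_id": 404, "site": "Branch B", "ip": "192.168.1.10",
     "hostname": "print-b.example.com", "mac": "66:77:88:99:aa:bb", "agent_id": "a-3"},
]

# Stronger identifiers, in the order given in the thread (IP is the weakest).
STRONG_KEYS = ("agent_id", "hostname", "mac")


def conflicts(a, b):
    """Strong identifiers that both records carry but disagree on."""
    return [k for k in STRONG_KEYS
            if a.get(k) and b.get(k) and a[k].lower() != b[k].lower()]


def shared_ip_report(assets):
    """Map each IP held by 2+ records to a verdict and the conflicting pairs."""
    by_ip = defaultdict(list)
    for rec in assets:
        by_ip[rec["ip"]].append(rec)
    report = {}
    for ip, recs in by_ip.items():
        if len(recs) < 2:
            continue
        pairs = []
        for i, a in enumerate(recs):
            for b in recs[i + 1:]:
                diff = conflicts(a, b)
                if diff:
                    pairs.append((a["asset_id"], b["asset_id"], diff))
        verdict = "likely distinct devices" if pairs else "likely same device"
        report[ip] = {"verdict": verdict, "conflicts": pairs}
    return report


if __name__ == "__main__":
    for ip, result in shared_ip_report(ASSETS).items():
        print(ip, result)
```

IPs reported as "likely distinct devices" are the ones to review before relying on cross-site linking, since an IP-only match there would merge unrelated hosts.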