6 Replies Latest reply: May 29, 2013 11:17 AM by Dave Breslin

Unexpected results in IP Summary view

cgriebel

In the IP Summary view I'm seeing duplicated IPs - one with associated DNS name and the other with blank DNS name.  Is that normal/expected behavior?  It incorrectly inflates the number of IPs.

 

Here's an example of what I see in the SC4.6.2 interface.  The IP count here would be 7 IPs when there are actually only 5.

 

 

IP Address       DNS
192.168.12.12    foo12.bar.org
192.168.12.13    foo13.bar.org
192.168.12.14
192.168.12.14    foo14.bar.org
192.168.12.15    foo15.bar.org
192.168.12.16
192.168.12.16    foo16.bar.org
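
Added example, not part of the original post and not Tenable code: a way to check an exported IP Summary for rows that inflate the count, by grouping on the IP address and flagging addresses listed both with and without a DNS name. The CSV layout and column names are assumptions, and the sample data is constructed from the table above.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample mirroring the table in the post. The CSV layout and
# column names are assumptions, not a documented SecurityCenter export format.
SAMPLE_CSV = """IP Address,DNS
192.168.12.12,foo12.bar.org
192.168.12.13,foo13.bar.org
192.168.12.14,
192.168.12.14,foo14.bar.org
192.168.12.15,foo15.bar.org
192.168.12.16,
192.168.12.16,foo16.bar.org
"""


def summarize(csv_text):
    """Group rows by normalized IP and report the rows that inflate the count."""
    names = defaultdict(set)  # ip -> set of DNS names seen ("" means blank)
    rows = 0
    for row in csv.DictReader(io.StringIO(csv_text)):
        # ip_address() normalizes the text form and rejects malformed values.
        ip = ipaddress.ip_address(row["IP Address"].strip())
        # DNS names compare case-insensitively; drop a trailing root dot.
        dns = (row["DNS"] or "").strip().lower().rstrip(".")
        names[ip].add(dns)
        rows += 1
    # Same IP listed once with a blank name and once with a real name.
    blank_and_named = sorted(ip for ip, n in names.items() if "" in n and len(n) > 1)
    # Same IP listed under two different non-blank names (a separate problem).
    conflicting = sorted(ip for ip, n in names.items() if len(n - {""}) > 1)
    return {
        "listed_rows": rows,
        "unique_ips": len(names),
        "blank_and_named": [str(ip) for ip in blank_and_named],
        "conflicting_names": [str(ip) for ip in conflicting],
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_CSV).items():
        print(f"{key}: {value}")
```
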
  • Re: Unexpected results in IP Summary view
    Dave Breslin

    Hey,

     

    Are you using multiple repositories and are the duplicated IPs located in different repositories?

     

    Regards,

     

    Dave

    • Re: Unexpected results in IP Summary view
      cgriebel

      Great question.  I should have mentioned that we do have multiple repositories for this Org but I'm filtered on one of them and still seeing the duplicates.

       

      Chock

      • Re: Unexpected results in IP Summary view
        Dave Breslin

        Hey Chock,

         

        I am going to try and recreate it by playing around with DNS in my lab. What version of Nessus are you using?

         

        When you are using the IP summary in the cumulative view and click on an IP, it brings up the host detail. For the two identical IPs like 192.168.12.14, does it look like the same host detail is displayed, or are they different (MAC address if it's there, OS, Last Scan, etc.)?

         

        Regards,

         

        Dave

        • Re: Unexpected results in IP Summary view
          cgriebel

          No MAC address showing for IPs in this org.  This is an organization that we use for compliance scanning.  We have only a handful of "active" plugins enabled and apparently not the one that records MAC address (33276?).  Could it be that we missed enabling some active plugins that are required for compliance scanning?

           

          Btw, I'm looking in our active org and not seeing duplicates for these IPs - and we happen to not have MAC address for them there either (we don't do credentialed scans of these particular devices).

           

          I'm wondering if it's because at one point in time the scanner couldn't resolve the IP to name but later it could.  Possibly we didn't have PTR records in DNS originally - I don't know for sure.  Anyway, a subsequent scan was able to resolve IP to name and since then ip/no_name and ip/name are treated as separate devices/IPs in the IP summary view.

           

          Scanners are 5.0.1, 5.0.2 and 5.0.3

           

          Chock

          • Re: Unexpected results in IP Summary view
            Dave Breslin

            Hey Chock,

             

            Thanks for the info. I know for a fact in the past I've manipulated DNS to add forward and reverse lookup records for IPs I already scanned and the end result was not what you are seeing, duplicates.

             

            The first thing I tried was some multiple zone scanning, just in case you had used zone scanning, but all was good, no duplicates. I hadn't done zone scanning for a long time, and in previous versions of SecurityCenter, when we didn't have multiple repositories, you had an extra designation of the zone for the IP - I just checked to ensure it wasn't a leftover from those days, but all was good. And from your feedback it doesn't look like you used multiple zone scanning (scanning from different network locations to the same targets to look at different points of view in regards to risk/vulns).

             

            Regards,

             

            Dave

            • Re: Unexpected results in IP Summary view
              Dave Breslin

              Hey Chock,

               

              I did some testing with compliance checks, first without an entry for a host in DNS, and then with one and haven't recreated the problem. I don't want to delay you on finding an answer so I would suggest ensuring you have a ticket open with Tenable Support. However, if you want to export (download) a scan policy (not scan results) from SecurityCenter you are using for compliance scanning I'll run that through the same set of tests (nav761 @ icloud . com). Perhaps your intuition is correct on the scan policy and certain plugins being enabled/disabled creating some unique condition I can't recreate.

               

              Regards,

               

              Dave