
Storage of asset vulnerability data where two scanned hosts have the same IP address


Forgive the long-winded question, I am looking to confirm my understanding of certain concepts!

Quick question with regards to the storage of vulnerability information against assets.  I am presented with the following scenario:

Target Host A, IP = for argument's sake, in London
Target Host B, IP = for argument's sake, in Edinburgh

So, same IPs for both hosts, but I will stress that they are different hosts.  I now bring in two scan engines:

Scan Engine A = routing to routes to Target Host A (for argument's sake, local network)
Scan Engine B = routing to routes to Target Host B (for argument's sake, local network)

Under the main Organisation, there are two workgroups, workgroup A and workgroup B.  In the workgroup properties, Workgroup A has Scan Engine A (and only this scan engine) assigned.  Likewise, Workgroup B has Scan Engine B (and only this scan engine) assigned.

The following vulnerability scans are configured:

VulnScan A = configured under workgroup A, and carries out scan against
VulnScan B = configured under workgroup B, and carries out scan against

[Figure: MVM query - net diagram]

In the above scenario (example diagram above), if both scans complete, and I generate the *scan* reports - I believe I will get the correct information related to the vulnerabilities on each host, as the reports are based on the scan.  However, if I run an *asset* report (assuming 'use most recent data' option is selected), I am assuming that the vulnerability data returned in this report will be that of the last scan to complete. 

Or... will the default asset identification rules result in two assets in the Foundstone database:
- ePO UID = n/a as assume hosts are not managed by ePO
- FS Asset ID = n/a as assume asset tagging is not used
- MAC address = applicable?  Side question - how does the scanner pick up on the MAC address of the target?  If it is on the same network as the scanner, that is easy - but if it is not, is it possible to get the MAC as the result of a FASL script (perhaps a simple registry check?)

So I suppose if the MAC addresses are known, the Foundstone database will have 2 distinct assets, but both with the same IP address (default asset identification rules do not match on IP).

To explain my reasoning behind this, I am looking at the above scenario, and am also looking to pull the data using an ArcSight connector.  I need to know that when the data is pulled down, ArcSight recognises that we have two separate assets here.

Any help appreciated as always!

2 Replies

Re: Storage of asset vulnerability data where two scanned hosts have the same IP address

All interesting questions, we have had similar scenarios but created a separate Organization rather than Workgroup to differentiate between the two networks.  This does successfully create a separate asset record for the same IP address.  Also, it would depend on your asset identification rules as you've pointed out; both servers would likely have different hostnames (NBName) and if this is set as a higher priority the logic should create different assets.  Have you tested out any of your assumptions? If so, please post the results as I'm sure others would be interested to read.

Regarding MAC address enumeration, yes ARP would be the first technique used to resolve this.  However if the target IP address is not on the same LAN, it looks as though the scanner issues a nbstat -a <remoteIP> command.  Of course this would only resolve information if your target has NetBIOS over TCP/IP enabled.  Notice that you only ever get MAC addresses for Windows devices which are not on the same LAN as the scanner? There may be some additional logic to obtain this such as checking a registry, however I have yet to observe that behaviour.

Hope some of this helps!


Re: Storage of asset vulnerability data where two scanned hosts have the same IP address


Sorry I had missed the notification on this!  I will be testing some of this, it is just a reasonable way down my to-do list at present...  Darn good point on the nbstat! 

I agree with the separation via Orgs, and indeed that is the way I would approach the above, however the current implementation I have been passed has implemented via Workgroups - doesn't sit well in my head, but at least it got me to thinking of the above - all a good learning process 🙂
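
The asset-separation question discussed in this thread, as an added example that is not part of any post above and is not the product's own matching logic: a small model that keys each scanned record on its strongest available identifier within its Organization (never on IP alone unless nothing else is known) and flags IPs where records from different workgroups cannot be told apart. Field names, the priority order and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Assumed identifier priority, highest first. IP is deliberately absent,
# mirroring the thread's statement that default rules do not match on IP.
ID_PRIORITY = ("epo_uid", "fs_asset_id", "mac", "nbname")

# Constructed sample records (documentation IP range), as a SIEM connector
# might receive them after both workgroup scans complete.
RECORDS = [
    {"org": "Main", "workgroup": "A", "ip": "192.0.2.10",
     "mac": "00:11:22:33:44:55", "nbname": "LON-SRV01"},
    {"org": "Main", "workgroup": "B", "ip": "192.0.2.10",
     "mac": "66:77:88:99:aa:bb", "nbname": "EDI-SRV01"},
    {"org": "Main", "workgroup": "A", "ip": "192.0.2.20", "mac": None, "nbname": None},
    {"org": "Main", "workgroup": "B", "ip": "192.0.2.20", "mac": None, "nbname": None},
    {"org": "Main", "workgroup": "A", "ip": "192.0.2.30",
     "mac": "00:11:22:33:44:66", "nbname": "LON-SRV02"},
]

def asset_key(rec):
    """Key a record on (org, identifier name, value); fall back to IP last."""
    for field in ID_PRIORITY:
        value = rec.get(field)
        if value:
            return (rec["org"], field, value.upper())
    return (rec["org"], "ip", rec["ip"])

def classify_ips(records):
    """Label each IP: 'distinct' (several separable assets), 'ambiguous'
    (seen from several workgroups but only IP identifies it), or 'single'."""
    keys, sources = defaultdict(set), defaultdict(set)
    for rec in records:
        keys[rec["ip"]].add(asset_key(rec))
        sources[rec["ip"]].add(rec["workgroup"])
    verdict = {}
    for ip in keys:
        if len(keys[ip]) > 1:
            verdict[ip] = "distinct"
        elif len(sources[ip]) > 1 and any(k[1] == "ip" for k in keys[ip]):
            verdict[ip] = "ambiguous"  # latest scan may overwrite the other host
        else:
            verdict[ip] = "single"
    return verdict

if __name__ == "__main__":
    for ip, label in sorted(classify_ips(RECORDS).items()):
        print(ip, label)
```

An "ambiguous" result marks the case the original question worries about: nothing but the IP separates the two hosts, so a downstream consumer keyed on IP would see one asset.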

