Using Dynamic Host Tracking to Ensure Accurate Host Trending for Vulnerability Management
TRANSCRIPT
DHCP
VPN
Complex Environments
A numeric identifier for hosts that appear in more than one scan session.
This number is the key to DHT
These are the numbers that decide how to derive the one above.
Every one of these settings is tracked clearly in IP360 and SIH reports whenever available.
The categories below should look familiar to you
Make sure your values add up
Before choosing weights, review your scan results.
Information collected during the scan cycle is used to identify the host.
If information collected can be used to positively ID a host, it will be used for matching.
When data is collected well and DHT values are properly selected, interval reporting will show excellent results.
Default set is 100 IP Address. All matches are formed on IP only.
You can choose one of our preset defaults here.
A custom set can be inserted here when Custom is selected.
Caution! All tracking data will be lost!!
2 or more criteria should add up to >58
If your hosts are static, your DHT should be too
Excellent choice for data centers and other segments where all hosts have static IP addresses.
Any 2 of these 3 criteria will add up to 59 and form a match.
This is a good option for segments that are Windows only
DNS can form a match with any additional piece of criteria, or the other 3 can override it.
For mixed environments where DNS information is regularly collected
The highest match combination takes precedence
NOT good! Two or more criteria should be required to form a match.
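To make the weighting rules above concrete, here is an added Python model (not IP360's own code) of how criteria weights combine into a match. The preset names and per-criterion weights are assumptions chosen to reproduce the sums quoted in the deck (IP only at 100, any 2 of 3 adding up to 59, DNS plus any one other criterion, and a bad set where one criterion matches alone).

```python
# Added example, not IP360 code: a model of how DHT criteria weights combine.
# A match forms when the summed weight of the criteria that agree exceeds the
# threshold; the deck's guidance is that 2 or more criteria should add up to >58.
from typing import Dict, List, Optional, Tuple

MATCH_THRESHOLD = 58
HostRecord = Dict[str, str]  # criterion name -> value collected by the scan

# Preset weight sets. Names and per-criterion values are assumptions that
# reproduce the sums quoted in the deck, not IP360's actual defaults.
PRESETS: Dict[str, Dict[str, int]] = {
    "ip_only": {"ip": 100},                                       # default: IP alone
    "static": {"ip": 30, "netbios": 30, "os": 29},                # any 2 of 3 = 59
    "dns_mixed": {"dns": 40, "ip": 20, "netbios": 20, "os": 20},  # DNS + 1, or other 3
    "bad_custom": {"dns": 60, "ip": 20, "os": 20},                # NOT good: DNS alone
}

def match_score(a: HostRecord, b: HostRecord, weights: Dict[str, int]) -> int:
    """Sum the weights of criteria that were collected for both hosts and agree."""
    return sum(w for crit, w in weights.items()
               if a.get(crit) and a.get(crit) == b.get(crit))

def is_match(a: HostRecord, b: HostRecord, weights: Dict[str, int]) -> bool:
    return match_score(a, b, weights) > MATCH_THRESHOLD

def best_match(candidate: HostRecord, known: Dict[int, HostRecord],
               weights: Dict[str, int]) -> Optional[int]:
    """The highest match combination takes precedence: return the persistent host
    ID of the best-scoring known host, or None if nothing clears the threshold."""
    scored: List[Tuple[int, int]] = [(match_score(candidate, h, weights), pid)
                                     for pid, h in known.items()]
    score, pid = max(scored, default=(0, -1))
    return pid if score > MATCH_THRESHOLD else None

def solo_matchers(weights: Dict[str, int]) -> List[str]:
    """Criteria whose weight alone exceeds the threshold; anything besides IP on
    a static segment means one generic value can form a match on its own."""
    return [c for c, w in weights.items() if w > MATCH_THRESHOLD]

if __name__ == "__main__":
    # Constructed sample: a workstation whose DHCP lease changed between scans.
    previous = {1001: {"ip": "10.0.0.5", "netbios": "WS-01", "os": "Windows 10",
                       "dns": "ws-01.corp.example"}}
    today = {"ip": "10.0.0.9", "netbios": "WS-01", "os": "Windows 10",
             "dns": "ws-01.corp.example"}
    for name, w in PRESETS.items():
        print(name, "->", best_match(today, previous, w), solo_matchers(w))
```

With the sample above, the IP-only default loses the host after the lease change while the static, DNS and even the bad set still match it; the bad set is flagged because DNS alone clears the threshold.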
Custom values are ones you derive based on your knowledge of the network.
Validate your assumptions before setting these values
Values should be carefully selected based on research
Hostname field can be populated with either DNS or NetBIOS info.
OS Detection is not too specific in this example.
The first step to selecting good DHT values is understanding the composition of the network.
DHT is network specific.
Common characteristics: port signature is here.
Review a sampling of hosts in the network to be configured and not just one
If the answer to any of these questions is “Yes” you probably have a DHT issue.
Low host counts are often indicative of inappropriate matching.
This host appears multiple times in the same network, therefore it has multiple persistent host IDs.
This data only represents 2 days worth of audits…
Scoring over time is erratic.
IP360 only shows 3 hosts in this network…
There are 8 different IP addresses here.
Conclusion: Either this device has multiple network interfaces, or DHT is inappropriately matching.
The XML3 test works for all versions of IP360
This information is available in other export formats, but XML3 is the easiest to read.
These IP addresses do not match.
Both excerpts below are from the same XML3 document.
Persistent host ID is the same.
Network overlap is the enemy of DHT
IP360 must have sufficient privileges to get accurate, consistent scan results.
Hosts with generic hostnames will be difficult to match correctly.
Setting DHT to match on criteria that are generic or not collected consistently.
Overlapping networks are not your friend.
This host is already contained within that network.
DHT will match hosts within a network, but not across them.
Unauthenticated or underprivileged scans produce sparse results that can be difficult to match correctly on.
The low score and generic OS do not give DHT much to go on other than IP and hostname.
DNS and NetBIOS are very important criteria for matching
Multiple hosts with ‘Name not in DNS’ may mean these hosts are not properly registered with the DNS server.
It can also mean a DNS server has not been bound to the DP monitoring that network.
If no DNS information is available, the hostname field is populated with the NetBIOS name if it is known.
A perceived influx of unique hosts with their own data would cause the database to swell.
Increased database sizes due to failed matching attempts can cause slowness and other performance problems.
Since each incidence of the same host will be tracked as unique, any timeframe or distinct audit report would list unmatched hosts multiple times instead of once.
Multiple records for the same hosts likely means it is not being matched consistently.
Focus reports can provide helpful information.
These host records are from 2 different XML3 exports.
Notice how all identifying information is the same except for Persistent Host ID.
XML3 analysis can help to identify hosts that do not match as well.
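The two XML3 symptoms described above (the same persistent host ID carrying different IP addresses, and identical host details carrying different persistent host IDs) can be checked mechanically once the host records are pulled out of the exports. The following is an added Python example, not IP360 code; the record layout (export, pid, ip, hostname, os) and the sample records are constructed, not the XML3 schema.

```python
# Added example, not IP360 code: audit host records pulled from several scan
# exports for the two DHT symptoms in the deck. The record layout below is an
# assumption, not the XML3 schema; the records themselves are constructed.
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Record = Dict[str, object]
Identity = Tuple[str, str, str]  # (ip, hostname, os) as collected by the scan

# Constructed sample spanning two exports of the same network.
RECORDS: List[Record] = [
    {"export": 1, "pid": 1001, "ip": "10.0.0.5", "hostname": "web01", "os": "Windows Server 2016"},
    {"export": 2, "pid": 1002, "ip": "10.0.0.5", "hostname": "web01", "os": "Windows Server 2016"},
    {"export": 1, "pid": 2001, "ip": "10.0.0.20", "hostname": "Name not in DNS", "os": "Linux"},
    {"export": 2, "pid": 2001, "ip": "10.0.0.21", "hostname": "Name not in DNS", "os": "Linux"},
    {"export": 2, "pid": 2001, "ip": "10.0.0.22", "hostname": "Name not in DNS", "os": "Linux"},
    {"export": 1, "pid": 3001, "ip": "10.0.0.30", "hostname": "db01", "os": "Linux"},
    {"export": 2, "pid": 3001, "ip": "10.0.0.30", "hostname": "db01", "os": "Linux"},
]

def identity(r: Record) -> Identity:
    return (str(r["ip"]), str(r["hostname"]), str(r["os"]))

def unmatched_duplicates(records: List[Record]) -> Dict[Identity, Set[int]]:
    """Same identifying information, different persistent host IDs: the host
    was not matched between scans and is being tracked as several hosts."""
    pids: Dict[Identity, Set[int]] = defaultdict(set)
    for r in records:
        pids[identity(r)].add(int(r["pid"]))
    return {ident: s for ident, s in pids.items() if len(s) > 1}

def overmatched_ids(records: List[Record]) -> Dict[int, Set[str]]:
    """One persistent host ID seen with several IP addresses: either a
    multi-homed device or DHT matching unrelated hosts on generic criteria."""
    ips: Dict[int, Set[str]] = defaultdict(set)
    for r in records:
        ips[int(r["pid"])].add(str(r["ip"]))
    return {pid: s for pid, s in ips.items() if len(s) > 1}

def host_vs_ip_counts(records: List[Record]) -> Tuple[int, int]:
    """Distinct hosts versus distinct IPs; a host count well below the IP
    count is the deck's first warning sign of inappropriate matching."""
    return (len({r["pid"] for r in records}), len({r["ip"] for r in records}))

if __name__ == "__main__":
    print("unmatched duplicates:", unmatched_duplicates(RECORDS))
    print("overmatched IDs:", overmatched_ids(RECORDS))
    print("hosts vs IPs:", host_vs_ip_counts(RECORDS))
```

A host flagged by overmatched_ids still needs a look at its interfaces before blaming DHT, exactly as the conclusion slide says.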
One of the easiest ways to identify host matching issues is in the Security Intelligence Hub.
Configuration > Asset Groups
You must have appropriate privileges to view this screen.
Inconsistent DNS information makes it a poor match point.
OS information is relatively good.
A good algorithm for this network would give OS and IP higher weights, as well as NetBIOS.
Evaluation of matching performance would determine if an effort to assign DNS names was warranted.
Majority of hosts respond to DNS queries.
OS info is generic in most cases, so not a good match point.
High scores on most hosts suggest port signature may be a good match point.
Strong, consistent DNS information makes it an excellent match point for this network that could form a match paired with pretty much any other piece of criteria.
tripwire.com | @TripwireInc