There is something about hosts which I do not understand.
The manual says, starting in section 13.1:
During a scan, information about each scanned host is collected. The hosts are identified by their IP addresses.
For each identified host it is checked whether it already exists in the hosts assets. If not, a new host asset is created.
Both when scanning a newly created host and when scanning an existing host, several host details (host names, IP and MAC addresses, operating systems, SSH keys and X.509 certificates) are added to the host asset as identifiers.
I do not observe this behavior. There are many cases where I have multiple host records with the same IP address, but different scores and last scan dates. If I try to delete the duplicates, they disappear from the user interface immediately. In most cases they re-appear within a few seconds, though missing some information.
Is it normal for me to have multiple host records for the same IP address? I don’t understand how these are supposed to be managed.
I’m experiencing the same issue using the Community Containers. A few days ago I deleted all duplicate hosts from my Assets but with subsequent scans they start to reappear.
Greenbone support helped me with this. By default, the software does not function as described in the manual. There is a feature called “vhost expansion” which identifies hosts by their IP address combined with a hostname identified by a scanner test. The purpose of this is to distinguish between multiple hosts which may be accessed through a load balancer, proxy, or other virtual host setup.
Vhost expansion is a scanner configuration. It is found under “network vulnerability test families → scanner preference → expand_vhosts”.
