Understanding Assets

Rumble treats assets as unique network entities from the perspective of the system running the agent. An asset may have multiple IP addresses, MAC addresses, and hostnames, and it may move around the network as these attributes are updated. Rumble tries hard to follow assets by correlating new scan data with the existing inventory, using multiple attributes.

An asset is always associated with a single site. If the same system happens to be covered by multiple sites, these will be treated as different assets, and will only be correlated against assets within their respective site. This separation by site allows the same network to be scanned from multiple perspectives and compared in a single view within the organization.

After each scan, all assets within the corresponding site are updated. If a system is identified that doesn’t match an existing asset, a new asset will be created. If an asset is part of the site and it is not found during a scan, it will be marked as offline. If an asset is not correlated, due to substantial changes to the fingerprint (for example, a new network adapter was installed and the firewall was enabled), the previous asset will be marked as offline, and a new asset will be created to track the new configuration. This can lead to some level of duplication within a site, but these duplicates are usually marked as offline, and can be safely ignored or removed from the inventory by hand.

Asset Fields

Addresses

Rumble will report at least one and often multiple IP addresses for a given asset. These addresses can encompass multiple network interfaces, but an address will only be displayed as a primary address if it was within the scan scope used to detect it.

Secondary Addresses

Rumble may report one or more secondary addresses, based on network response probes. These are IP addresses that were detected on the asset but were not within the scan scope. Secondary address detection is critical when trying to identify systems that bridge networks that should be isolated.
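
One way to act on secondary addresses, as an added example that is not Rumble's own code: the script below flags assets whose primary and secondary addresses fall in zones that should be isolated from each other. The zone map, the asset records, and the field names (`addresses`, `secondary`, `alive`) are constructed for illustration and are not taken from a Rumble export.

```python
import ipaddress

# Constructed zone map: networks that are supposed to be isolated from each other.
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "ot": ipaddress.ip_network("192.168.50.0/24"),
    "guest": ipaddress.ip_network("172.16.20.0/24"),
}

# Constructed inventory records; the field names are assumptions for this example.
ASSETS = [
    {"name": "hmi-01", "addresses": ["192.168.50.12"], "secondary": ["10.10.4.77"], "alive": True},
    {"name": "print-03", "addresses": ["10.10.8.20"], "secondary": ["169.254.11.9"], "alive": True},
    {"name": "nas-02", "addresses": ["10.10.9.5", "10.10.9.6"], "secondary": [], "alive": True},
    {"name": "old-gw", "addresses": ["172.16.20.1"], "secondary": ["192.168.50.1"], "alive": False},
]

def zone_of(addr):
    """Return the zone name containing addr, or None if unmapped or unparseable."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for name, net in ZONES.items():
        if ip.version == net.version and ip in net:
            return name
    return None

def find_bridges(assets, include_offline=False):
    """Return (asset name, sorted zones) for assets with addresses in 2+ zones."""
    findings = []
    for asset in assets:
        # Offline records are often stale duplicates, so skip them by default.
        if not asset.get("alive") and not include_offline:
            continue
        addrs = asset.get("addresses", []) + asset.get("secondary", [])
        zones = {z for z in map(zone_of, addrs) if z}
        if len(zones) > 1:
            findings.append((asset["name"], sorted(zones)))
    return findings

if __name__ == "__main__":
    for name, zones in find_bridges(ASSETS):
        print(f"{name}: addresses in {', '.join(zones)}")
```

Addresses outside every mapped zone (such as the link-local secondary address on `print-03`) are ignored, so only assets that span two or more listed zones are reported.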

Names

Rumble may report one or more hostnames. These names can be obtained from the initial DNS lookup (when hostnames are provided in the scan scope), from DNS PTR lookups during the scan, and by extracting names advertised within network probe responses.

Operating System

Rumble attempts to fingerprint and, failing that, guess at the operating system running on each asset. If limited information is available, this field may be empty.

Type

Rumble attempts to determine the general device type through analysis of fingerprints and running services.

Hardware

Rumble attempts to determine the physical (or virtual) hardware if enough information is present.

MAC Addresses

Rumble may be able to enumerate one or more MAC addresses from the asset. MAC addresses are pulled from ARP if available, but also from several network services that can return MAC address information across routed segments.

Services

Rumble tries to detect approximately 100 TCP services by default, along with several useful UDP services. These services are in addition to ARP and ICMP. The services field contains a list of the most recently recorded services for the asset.

Round Trip Time

Rumble records the amount of time certain probes take in order to get a rough sense of the latency between the agent and the asset.

Detected By

Rumble records which probe was used to identify an asset. For assets that are on remote subnets and have firewalls in place, this field indicates what service was used to obtain a response.

Alive Status

Rumble tracks whether a given asset was found during the most recent scan where its site was in scope. If the asset was not found, it will be marked as offline until a following scan detects it again.

First Seen

Rumble tracks the initial timestamp when an asset was first identified.

Last Seen

Rumble tracks the last timestamp when an asset responded to a probe during a scan.