Auxiliary Data
NP-View can import auxiliary data from third party systems to enrich and augment the analysis. The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to a new or existing custom view(s) to display the data.
Hosts
Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.
Aux Data Loading Example
This example applies to the loading of any Aux data file but is specific to creating and loading a host file.
First, load a firewall into a workspace and create a custom view with the firewall.
Notice that four hosts are not named. Next, create a host file, hosts.txt, to enrich the information. The host file will add a name tied to each of the hosts and also includes hosts not currently displayed.
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sam
172.30.91.81 Carl
Make sure any hosts added to the file do not conflict with firewall interfaces or they will be merged into the firewall.
Save the host file, drag and drop the file into the workspace (or use the +Import Data function).
Click upload and the file will be imported into the workspace.
Once the file has been uploaded, it will parse in a similar fashion to config files.
Once processed, proceed to the “Manage Views” menu and select a new or existing view to add host data. Click the Auxiliary Data checkbox and then the “Save View” button. The view will be regenerated with the data from the host file.
The updated assets will be displayed on the topology and in Asset inventory.
If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column.
Next, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:
172.30.90.50 Alice
172.30.90.51 Bob
172.30.90.42 Wendy
172.30.91.80 Sammy
172.30.91.81 Carly
Load the file into the workspace and the custom views where auxiliary data has been applied. This will update the workspace.
Host data can come from multiple sources, also hosts can appear and disappear from the network. Host data is treated as replacement data for adding and deleting hosts over time.
Network and vulnerability scanners
The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts, attributes, and port information to the topology map. We support version 1.0 <?xml version=”1.0″ ?> of the below scanners:
- Nmap – Use command
nmap -oX - Rapid 7 Nexpose,
- Tenable Nessus – Export the .nessus scan in XML format.
When exporting the report, it should be saved using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the network. Below is a list of data NP-View attempts to import.
- hostnames
- addresses
- interfaces
- local interface IP’s
- local interface names
- mac
- domains
- parent
- operating systems
- vlan
Process list – Netstat
The output of the Netstat command on Windows and Linux can be saved to a text file then imported into a workspace. Service information will be extracted from the Netstat file and displayed in the services section on the device menu panel.
Windows
Use netstat -abon > netstat.txt
Proto Local Address Foreign Address State PID [LMS.exe] TCP 127.0.0.1:49671 127.0.0.1:49670 ESTABLISHED 5260 [LMS.exe] TCP 127.0.0.1:49966 127.0.0.1:49967 ESTABLISHED 17756 [atmgr.exe] TCP 127.0.0.1:49973 127.0.0.1:49972 ESTABLISHED 17756 [atmgr.exe] TCP 127.0.0.1:56477 127.0.0.1:80 ESTABLISHED 6264
Linux
Use netstat -at > netstat.txt
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN - tcp6 0 0 ::1:631 :::* LISTEN - udp 0 0 127.0.0.53:53 0.0.0.0:* -
Address Resolution Protocol (ARP)
ARP files can be used to add hosts as well as MAC addresses for the hosts. The following formats are supported:
Cisco
Use show arp to export the ARP table. The file format will be as follows:
<hostname># show arp outside 10.0.0.100 d867.da11.00c1 2 inside 192.168.1.10 000c.295b.5aa2 21 inside 192.168.1.12 000c.2933.561c 36 inside 192.168.1.14 000c.2ee0.2b81 97
Cisco ARP Example
Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.
Distribution# show arp inside 172.30.90.50 d867.da11.00c1 2 inside 172.30.90.51 000c.295b.5aa2 21 inside 172.30.90.42 000c.2933.561c 36 inside 172.30.91.80 000c.2ee0.2b81 97 inside 172.30.91.81 000c.2ecc.2b82 95 Distribution#
Loading this data into NP-View will add the MAC addresses to each host which is visible in Asset inventory.
Windows
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
Interface: 192.168.86.29 --- 0x6 Internet Address Physical Address Type 192.168.86.1 88-3d-24-76-49-f2 dynamic 192.168.86.25 50-dc-e7-4b-13-40 dynamic 192.168.86.31 1c-fe-2b-30-78-e5 dynamic 192.168.86.33 8c-04-ba-8c-dc-4d dynamic
Linux
Use arp -a > arp_table.txt to export the ARP table. The file format will be:
? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d ? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160 ? (172.17.0.2) at <incomplete> on docker0 ? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160
Palo Alto
Use show arp all to export the ARP table. The file format will be:
maximum of entries supported : 2500 default timeout: 1800 seconds total ARP entries in table : 3 total ARP entries shown : 3 status: s - static, c - complete, e - expiring, i - incomplete interface ip address hw address port status ttl -------------------------------------------------------------------------------- ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295 ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776 ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791
Route Tables
Route files are a special case in that they provide ruleset-specific enrichment data whereas the other auxiliary files listed above provide topology-specific enrichment data.
Route table – Cisco
The output of the command show route on Cisco devices can be imported into NP-View with associated configuration files. For VRF’s, use the command show ip route vrf *. Cisco route files are handled a bit differently than the rest of the aux data as they are integrated upon import and are not considered as aux data when creating a view. Naming of the route files are not important as long as they are unique. The first row of the route file contains the <device name># command to link the route table with the correct device.
Route table – Netstat
The command netstat -rn provides a list of routes for a single node that can be imported into NP-View.
It is important to name the files that include the output of those commands after the node the command was executed on. For example, if the command was run on your local PC which has the network name of ‘engineering_workstation_1’ the Netstat file name should be engineering_workstation_1.txt).
This will enable NP-View to associate the route information with the proper device.
Claroty CDT
NP-View connects to the Claroty CTD (cloud or on premise) through the API. NP-View will extract the following fields of data and map them as endpoints in NP-View.
| Claroty | NP-View |
| name | Name |
| ipv4 | IP Address |
| vendor | OS |
| mac | MAC Address |
| protocol | Service |
