Generic selectors
Exact matches only
Search in title
Search in content
post
page
How can we help?
Print

Auxiliary Data

NP-View can import auxiliary data from third party systems to enrich and augment the analysis.  The data files listed below are supported and can be manually imported using drag and drop or through a shared network drive connector. We recommend importing configuration files first or at the same time as the auxiliary data files or a system error may occur. If auxiliary data is input after configuration files are processed, the auxiliary data will need to be added to existing custom views to display the data.

Hosts

Hosts can be identified from multiple sources including configuration files, network scan files, ARP tables and hostname files. Once network device configuration files have been imported, one can import additional files to add metadata to the workspace. A hostname file is a simple text file with two columns: IP address and hostname separate by a tab.

For example, I load a firewall into a workspace and create a single device custom view.

Notice that four hosts are unnamed and that one is not displaying.  Create a host file, hosts.txt, to enrich the information.

 

172.30.90.50    Alice
172.30.90.51    Bob
172.30.90.42    Wendy
172.30.91.80    Sam
172.30.91.81    Carl

 

Make sure any hosts added do not conflict with firewall interfaces or they will be merged into the firewall.

Save the host file and drag and drop the file into the workspace (or use the +Import Data function).

Click upload and the file will be imported into the workspace.

Once the file has processed, proceed to the “Manage Views” menu and select the view to which you wish to add host data.

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Click the Auxiliary Data checkbox and then the “Save View” button.  The view will be regenerated with the data from the host file.

 

 

And the updated assets will be displayed in Asset inventory.

 

If for some reason a device has multiple names retrieved from multiple different file types, the additional names will be displayed in the Alias column.

organization table

 

Next, update the Host file again. In this scenario, we rename “Carl” to “Carly” and “Sam” to “Sammy”. The updated file is as follows:

172.30.90.50    Alice
172.30.90.51    Bob
172.30.90.42    Wendy
172.30.91.80    Sammy
172.30.91.81    Carly

 

Load the file into the workspace and the custom views were auxiliary data has been applied will be automatically updated.

Since host data can come from multiple sources, and that hosts can appear and disappear from the network on a regular basis, host data from auxiliary data files is treated as add and update only. Hosts cannot be deleted using auxiliary data files.

Network and vulnerability scanners

The output from network and vulnerability scanners can be imported into a workspace to add CVE information, hosts attributes and port information to the topology map. The supported scanners are: Nmap (nmap -oX), Rapid 7 Nexpose, and Tenable Nessus. One should save their report using the XML format to properly import into NP-View. The data extracted and imported depends on the scanner used and the data available on the the network.  Below is a list of data we look for upon import.

  • hostnames
  • addresses
  • interfaces
  • local interface ips
  • local interface names
  • mac
  • domains
  • parent
  • operating systems
  • vlan

For Nexpose, we support XML version 1.0.
For Nessus, we support XML version 1.0.
For Nmap, we support XML version 1.0.

Routes / route table dump (Netstat)

The command netstat -rn can provide a list of routes that can be parsed by NP-View. The output of the command show route on Cisco devices can also be parsed. It is important to name the files that include the output of those commands after the hostname of the device where the command was issued (for example: {hostname}.txt). This will enable NP-View to associate the route information with the proper device.

 

Process list (Netstat)

The output of the Netstat command on Windows and Linux can be saved to a text file and then imported into a workspace. Service information will be extracted from the Netstat file and displayed in the services section on the device menu panel.

Windows

Use netstat -abon > netstat.txt

Proto Local Address Foreign Address State PID
[LMS.exe]
TCP 127.0.0.1:49671 127.0.0.1:49670 ESTABLISHED 5260
[LMS.exe]
TCP 127.0.0.1:49966 127.0.0.1:49967 ESTABLISHED 17756
[atmgr.exe]
TCP 127.0.0.1:49973 127.0.0.1:49972 ESTABLISHED 17756
[atmgr.exe]
TCP 127.0.0.1:56477 127.0.0.1:80 ESTABLISHED 6264

 

Linux

Use netstat -at > netstat.txt

tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 ::1:631                 :::*                    LISTEN      -                   
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                   

 

Address Resolution Protocol (ARP)

ARP files can be used to add hosts as well as MAC addresses for the hosts.  The following formats are supported:

 

Cisco

Use show arp to export the ARP table.  The file format will be as follows:

<hostname># show arp
  outside 10.0.0.100 d867.da11.00c1 2
  inside 192.168.1.10 000c.295b.5aa2 21
  inside 192.168.1.12 000c.2933.561c 36
  inside 192.168.1.14 000c.2ee0.2b81 97

 

Cisco ARP Example

Using the data set from the Hosts example, a simple ARP table has been created in the Cisco format.

Distribution# show arp 
   inside 172.30.90.50 d867.da11.00c1 2 
   inside 172.30.90.51 000c.295b.5aa2 21 
   inside 172.30.90.42 000c.2933.561c 36 
   inside 172.30.91.80 000c.2ee0.2b81 97
   inside 172.30.91.81 000c.2ecc.2b82 95
Distribution#

 

Loading this data into the system will add the MAC addresses to each host which is visible in Asset inventory.

 

Windows

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

Interface: 192.168.86.29 --- 0x6
  Internet Address      Physical Address      Type
  192.168.86.1          88-3d-24-76-49-f2     dynamic   
  192.168.86.25         50-dc-e7-4b-13-40     dynamic   
  192.168.86.31         1c-fe-2b-30-78-e5     dynamic   
  192.168.86.33         8c-04-ba-8c-dc-4d     dynamic

 

Linux

Use arp -a > arp_table.txt to export the ARP table.  The file format will be:

? (172.18.0.3) at 02:42:ac:12:00:03 [ether] on br-d497989bc64d
? (192.168.135.200) at 00:0c:29:f6:47:bb [ether] on ens160
? (172.17.0.2) at <incomplete> on docker0
? (192.168.135.178) at 00:0c:29:f3:e2:6b [ether] on ens160

 

Forescout

Use show ip arp command to export the ARP table.  The file format will be:

switch[192.168.201.232] mac[308bb2e5c7c1] ip[192.168.201.232] report[1631283077]
switch[192.168.201.232] mac[6805ca1900cb] ip[192.168.201.14] report[1631283077]
switch[192.168.201.232] mac[c42456736c18] ip[192.168.201.254] report[1631283077]
switch[192.168.201.232] mac[00a0690bf67f] ip[192.168.201.250] report[1631283077]

 

Palo Alto

Use show arp all to export the ARP table.  The file format will be as follows:

maximum of entries supported : 2500
default timeout: 1800 seconds
total ARP entries in table : 3
total ARP entries shown : 3
status: s - static, c - complete, e - expiring, i - incomplete
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/1 192.0.2.10 00:0c:29:ac:30:19 ethernet1/1 c 295
ethernet1/2 198.51.100.10 00:0c:29:d7:67:09 ethernet1/2 c 1776
ethernet1/3 203.0.113.10 00:0c:29:b9:19:c9 ethernet1/3 c 1791

 

Previous Connectors
Table of Contents