Identical assets in inventory

Why are there so many identical assets in my inventory?

Some enterprise routers and firewalls, like Cisco ASA devices, are designed to reply to all unexpected attempts on a particular port with a TCP reset (RST). On top of that, some routers listen to SIP traffic on all addresses and automatically respond to it.

runZero will generally detect when a router or firewall is replying to every connection attempt and avoid creating assets based on those responses. However, if you have a network appliance whose spoofed responses runZero doesn’t detect, a substantial number of identical assets may appear in your inventory.

Here are a few workarounds if you can’t prevent your device from replying to all connections:

  • Exclude the ports the device responds to from the scan configuration.
  • Exclude all or part of the router’s IP address range from the scan.
  • Create a post-scan rule to delete any assets within the subnet that have the affected ports open.

Affected devices will respond to all requests on 1720/tcp and often 5060/tcp as well. runZero tries to automatically detect and avoid most of the SIP helper implementations, but can’t always do so without possibly losing real results. If you need help deleting unwanted records, please contact our support team.
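To review which records a cleanup rule would remove before deleting anything, the added example below (not runZero code) groups an exported asset list by subnet and flags addresses whose only open TCP ports are 1720 and/or 5060. The `address` and `tcp_ports` field names, the /24 grouping and the `min_hosts` threshold are assumptions made for the example, not runZero's export schema or settings.

```python
import ipaddress
from collections import defaultdict

# Ports the page names as answered on every address by the affected devices.
HELPER_PORTS = frozenset({1720, 5060})

def find_phantom_candidates(assets, prefix_len=24, min_hosts=8):
    """Return {subnet: [addresses]} for groups of look-alike assets.

    An asset is a candidate when its open TCP ports are a non-empty subset
    of HELPER_PORTS. A group is reported only when at least `min_hosts`
    addresses in one subnet share exactly the same port set.
    """
    groups = defaultdict(list)
    for asset in assets:
        ports = frozenset(asset["tcp_ports"])
        if not ports or not ports <= HELPER_PORTS:
            continue  # no ports, or other services present: keep as a real host
        net = ipaddress.ip_network(f'{asset["address"]}/{prefix_len}', strict=False)
        groups[(net, ports)].append(ipaddress.ip_address(asset["address"]))
    flagged = defaultdict(list)
    for (net, _ports), addrs in groups.items():
        if len(addrs) >= min_hosts:
            flagged[str(net)].extend(addrs)
    # Sort numerically so 10.20.30.2 comes before 10.20.30.10.
    return {net: [str(a) for a in sorted(addrs)] for net, addrs in flagged.items()}

# Constructed sample inventory: 20 identical responders plus a few real hosts.
SAMPLE = (
    [{"address": f"10.20.30.{i}", "tcp_ports": [1720, 5060]} for i in range(1, 21)]
    + [
        {"address": "10.20.30.50", "tcp_ports": [22, 5060]},  # SIP host with SSH
        {"address": "10.20.31.5", "tcp_ports": [5060]},       # lone SIP endpoint
        {"address": "10.20.30.60", "tcp_ports": []},          # no open ports
    ]
)

if __name__ == "__main__":
    for subnet, addrs in find_phantom_candidates(SAMPLE).items():
        print(f"{subnet}: {len(addrs)} candidates, {addrs[0]} .. {addrs[-1]}")
```

Hosts with any additional open port are left out of the candidate list, which is narrower than matching every asset with an affected port open and keeps genuine SIP endpoints in the inventory.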
