Project author: hosom

Project description:
Add an OUI lookup to Bro IDS.
Language: Bro
Project URL: git://github.com/hosom/bro-oui.git
Created: 2018-11-09T17:38:21Z
Project community: https://github.com/hosom/bro-oui

License: BSD 3-Clause "New" or "Revised" License



OUI

This module adds an OUI lookup to Bro IDS. Additionally, it comes with a script to maintain a Bro input file containing OUI data pulled from IEEE.

Performing an OUI Lookup

    ##! This script extends dhcp.log to include the manufacturer that a
    ##! mac address is associated with as the client_vendor field.

    module OUI;

    export {
        ## DHCP::Info is owned by the DHCP module and is the record that
        ## is logged when the DHCP module logs
        redef record DHCP::Info += {
            ## client_vendor is the manufacturer identified by the OUI
            client_vendor: string &log &optional;
        };
    }

    # DHCP::aggregate_msgs is used to distribute data around clusters.
    # In this case, this event is used to extend the DHCP logs.
    event DHCP::aggregate_msgs(ts: time, id: conn_id, uid: string,
                               is_orig: bool, msg: DHCP::Msg, options: DHCP::Options)
        {
        # lookup_oui is provided by this module; msg$chaddr is the client's hardware address.
        local vendor = lookup_oui(msg$chaddr);
        DHCP::log_info$client_vendor = vendor;
        }

Updating the OUI Data File

To update the OUI data file, run the included oui.py script and specify the path of the existing oui.dat file.

    usage: oui.py [-h] path

    Download and parse a listing of Organizationally unique identifiers, then
    export the listing as a Bro input file. This can then be used with the OUI
    module to allow for OUI lookups in Bro.

    positional arguments:
      path        Where to place the exported input file.

    optional arguments:
      -h, --help  show this help message and exit
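As an added illustration of the two halves described above (the oui.py export and the lookup the DHCP extension relies on), the following Python is not part of the bro-oui project: it parses a constructed sample in the layout of the IEEE oui.txt listing, writes it out as a tab-separated Bro input-framework file (the field names oui/vendor are assumptions, not the module's real ones), and resolves a MAC address in any common notation to a vendor, returning None for addresses that carry the locally-administered bit, which is exactly the case where client_vendor stays unset in dhcp.log.

```python
import re

# Constructed sample in the layout of the IEEE oui.txt listing (assumption): only the
# "(hex)" line carries the OUI/vendor pair; "(base 16)" and address lines are skipped.
SAMPLE_OUI_TXT = """\
OUI/MA-L                                                    Organization

00-00-00   (hex)\t\tXEROX CORPORATION
000000     (base 16)\t\tXEROX CORPORATION
\t\t\t\t800 PHILLIPS ROAD
\t\t\t\tWEBSTER  NY  14580
\t\t\t\tUS

00-1B-63   (hex)\t\tApple, Inc.
001B63     (base 16)\t\tApple, Inc.
\t\t\t\t1 Infinite Loop
\t\t\t\tUS
"""
HEX_LINE = re.compile(
    r"^([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})-([0-9A-Fa-f]{2})\s+\(hex\)\s+(.+?)\s*$")

def parse_oui_listing(text):
    """Map lower-case 'xx:xx:xx' prefixes to vendor names from an IEEE-style listing."""
    ouis = {}
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            ouis[":".join(m.group(i).lower() for i in (1, 2, 3))] = m.group(4)
    return ouis

def to_bro_input(ouis):
    """Render a tab-separated Bro input-framework file; the field names are assumptions."""
    lines = ["#fields\toui\tvendor"]
    for prefix in sorted(ouis):
        # A tab or newline inside a vendor name would shift the ASCII reader's columns.
        lines.append(prefix + "\t" + re.sub(r"[\t\r\n]+", " ", ouis[prefix]))
    return "\n".join(lines) + "\n"

def is_locally_administered(mac):
    """U/L bit (0x02 of the first octet) set: not IEEE-assigned, so it has no OUI."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    return len(digits) == 12 and bool(int(digits[:2], 16) & 0x02)

def lookup_oui(mac, ouis):
    """Vendor for a MAC in any common notation, or None when it cannot be attributed."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12 or is_locally_administered(digits):
        return None
    return ouis.get(":".join(digits[i:i + 2] for i in (0, 2, 4)))
```

A lookup miss is normal for randomized or otherwise locally administered client addresses, so a missing client_vendor should be read as "not attributable", not as a parsing failure.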

A Note on oui.dat

Local modifications to oui.dat will be overwritten by updates of this plugin. Running oui.py also overwrites the entire oui.dat file. This file is not meant to contain local modifications.