Eric Partington

Lua - Mapping MAC to Vendor (Logs/Netflow and Endpoint)

Blog Post created by Eric Partington Employee on May 2, 2018

Ethernet_oui.lua is a parser that has existed on the packet side for some time, mapping the MAC address in network events to vendor information. The ethernet_oui parser has recently been extended to work with Log events that write to eth.src/eth.dst and alias.mac, as well as with Netflow and NW Endpoint events.

Now, when an event has a MAC address parsed into any of the three meta keys this parser watches, you get the matching vendor information for that NIC.


If you have Netflow records with MAC addresses in the events and the ethernet_oui parser is deployed to your log decoders/netflow decoder, you will now get eth.src.vendor and eth.dst.vendor meta registered (it is not indexed by default, but you can add it to index-concentrator-custom.xml).


The same goes for RSA NetWitness Endpoint Insights, which provides the MAC address in alias.mac:
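To make the enrichment concrete, here is an added stand-alone Lua sketch of the lookup described above. It is not the ethernet_oui.lua parser and does not use the NetWitness parser API; the OUI table holds a few sample entries for this example only (check them against the IEEE registry before relying on them), and the vendor key used for alias.mac is an assumption, since the post names only eth.src.vendor and eth.dst.vendor.

```lua
-- Added illustration, not the ethernet_oui.lua parser itself: a stand-alone
-- Lua sketch of the MAC -> OUI -> vendor lookup the post describes, with the
-- NetWitness parser API left out. The OUI table holds sample entries for this
-- example; the real parser carries the IEEE OUI registry.

local oui_table = {           -- sample entries for this example
  ["000c29"] = "VMware, Inc.",
  ["3c5ab4"] = "Google, Inc.",
  ["b827eb"] = "Raspberry Pi Foundation",
}

-- Meta keys the parser watches (from the post) and the vendor key each one
-- feeds. The output key for alias.mac is an assumption; the post names only
-- eth.src.vendor and eth.dst.vendor.
local key_map = {
  ["eth.src"]   = "eth.src.vendor",
  ["eth.dst"]   = "eth.dst.vendor",
  ["alias.mac"] = "alias.mac.vendor",   -- assumed name
}

-- Reduce any common MAC spelling (00:0C:29.., 00-0c-29.., 000c.29ab.cdef) to
-- twelve lowercase hex digits; return nil for anything that is not a MAC.
local function normalize_mac(mac)
  if type(mac) ~= "string" then return nil end
  local hex = mac:gsub("[^%x]", "")
  hex = hex:lower()
  if #hex ~= 12 then return nil end
  return hex
end

-- The OUI is the first three octets (24 bits) of the address.
local function lookup_vendor(mac)
  local hex = normalize_mac(mac)
  if not hex then return nil end
  return oui_table[hex:sub(1, 6)]
end

-- Given one event's meta (key -> list of values), return the vendor meta the
-- parser would register. Unknown OUIs and malformed values register nothing,
-- so a bad field never produces a bogus vendor.
local function enrich(meta)
  local out = {}
  for src_key, dst_key in pairs(key_map) do
    for _, value in ipairs(meta[src_key] or {}) do
      local vendor = lookup_vendor(value)
      if vendor then
        out[dst_key] = out[dst_key] or {}
        table.insert(out[dst_key], vendor)
      end
    end
  end
  return out
end

-- Constructed log/netflow/endpoint-style events.
local events = {
  { ["eth.src"] = { "00:0C:29:12:34:56" }, ["eth.dst"] = { "b8-27-eb-00-11-22" } },
  { ["alias.mac"] = { "3c5a.b4aa.bbcc", "not-a-mac" } },
  { ["eth.src"] = { "ff:ff:ff:ff:ff:ff" } },   -- broadcast, no vendor
}

for i, ev in ipairs(events) do
  for key, vendors in pairs(enrich(ev)) do
    print(("event %d: %s = %s"):format(i, key, table.concat(vendors, ", ")))
  end
end
```

Run it with any Lua 5.x interpreter. The normalization step is where log sources differ most: packet decoders hand the parser raw bytes, while log, Netflow and Endpoint sources deliver the address as text in several spellings, so a lookup that keys on the raw string would silently miss vendors for some sources.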


Outcomes