Closed ChickenNotHD closed 5 years ago
This should already work if you just use /bitlen which seems to be the standard. So
    AA:BB:CC:DD:EE:01/48 fake_company server1
    AA:BB:CC:DD:EE:02/48 fake_company server2
    AA:BB:CC:DD:EE:03/48 fake_company server3
    AA:BB:CC:DD:EE:04/48 fake_company server4
    AA:BB:CC:DD:EE:05/48 fake_company server5
Good afternoon to you all,
Currently, Moloch matches a MAC address to an OUI name by only reading the first 3 sets of hex characters and ignoring the rest. This creates a problem where if multiple servers share the same prefix (ex: AA:BB:CC) then every server will be assigned the name of the last server in that list (example to follow). Would it be possible to support full MAC addresses?
Example: Let's say I had the following in my OUI file:
    AA:BB:CC:DD:EE:01 fake_company server1
    AA:BB:CC:DD:EE:02 fake_company server2
    AA:BB:CC:DD:EE:03 fake_company server3
    AA:BB:CC:DD:EE:04 fake_company server4
    AA:BB:CC:DD:EE:05 fake_company server5
Any traffic going through Moloch from those 5 servers will be matched as server5, because Moloch matches the last occurrence (server5) of the first 3 sets of hex characters (AA:BB:CC).
If you need any more information, please let me know.
Thanks in advance.
P.S. I know this is not what an OUI file is supposed to do, however I do not believe this would be harmful in any way.
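The matching behaviour discussed in this thread, as an added example (not part of the original issue and not Moloch's own code): a small longest-prefix lookup over an OUI-style file, run on the five entries with and without the /48 suffix. It assumes an entry without /bitlen is keyed on its first 24 bits, as the issue reports; the function names are hypothetical.

```python
# Added illustration, not Moloch's parser. Sample entries are the
# constructed ones from the issue.

def mac_to_int(text):
    """Parse a colon-separated MAC or prefix, left-aligned into 48 bits."""
    octets = [int(part, 16) for part in text.split(":")]
    if not 1 <= len(octets) <= 6 or not all(0 <= o <= 0xFF for o in octets):
        raise ValueError(f"bad MAC: {text!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | octet
    return value << (8 * (6 - len(octets)))

def prefix_mask(bitlen):
    """48-bit mask with the top `bitlen` bits set."""
    return ((1 << bitlen) - 1) << (48 - bitlen)

def load_oui(lines, default_bits=24):
    """Build {(bitlen, masked_prefix): name}.
    Assumption: no /bitlen suffix means a 24-bit key, as the issue reports."""
    table = {}
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        addr, name = line.split(None, 1)
        addr, _, bits = addr.partition("/")
        bitlen = int(bits) if bits else default_bits
        if not 0 < bitlen <= 48:
            raise ValueError(f"bad prefix length in {line!r}")
        # A later entry with the same key overwrites the earlier one.
        table[(bitlen, mac_to_int(addr) & prefix_mask(bitlen))] = name
    return table

def lookup(table, mac):
    """Longest-prefix match: try the most specific bit lengths first."""
    value = mac_to_int(mac)
    for bitlen in sorted({b for b, _ in table}, reverse=True):
        name = table.get((bitlen, value & prefix_mask(bitlen)))
        if name is not None:
            return name
    return None

PLAIN = [f"AA:BB:CC:DD:EE:0{i} fake_company server{i}" for i in range(1, 6)]
WITH_BITLEN = [f"AA:BB:CC:DD:EE:0{i}/48 fake_company server{i}" for i in range(1, 6)]

if __name__ == "__main__":
    for label, lines in (("plain", PLAIN), ("/48", WITH_BITLEN)):
        table = load_oui(lines)
        print(label, [lookup(table, f"AA:BB:CC:DD:EE:0{i}") for i in range(1, 6)])
```

With the plain entries all five addresses collapse onto one 24-bit key and resolve to the last name written; with /48 each address resolves to its own entry.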