netwatch
Create and use OUI vendor mapping
OUI (Organizationally Unique Identifier) vendor information [1][6][9][11] is very useful for getting a rough picture of who a host is. For example, you could figure out that a request came from a Motorola device just by inspecting the Ethernet frame! In canonical format, this is just the first 3 octets of a MAC address. While yeah, MAC spoofing is a thing, it's generally useful.
As high-level goals, we want the following:
- A permissively licensed dataset of OUI -> vendor name/description.
- A dataset that is not stale, and is updated often enough to be useful.
- Create a generated go file with this mapping, and use it when describing tracked hosts.
Wireshark provides a dataset here [2][7], but it's unfortunately not permissively licensed, and it's cited as being better than the official sources described below [10]. Wireshark also usually displays host shorthand like ShortVendorNa_f:ff:ff, which may be useful to inspire changes to the Host.String method. It also provides some pointers to some other sources:
- http://standards-oui.ieee.org/oui/oui.csv
- http://standards-oui.ieee.org/cid/cid.csv
- http://standards-oui.ieee.org/iab/iab.csv
- http://standards-oui.ieee.org/oui28/mam.csv
- http://standards-oui.ieee.org/oui36/oui36.csv
- http://www.cavebear.com/archive/cavebear/Ethernet/Ethernet.txt
In particular, the IEEE has their main official OUI dataset here [3], though I'm struggling to find a license for it. And linuxnet.ca provides a sanitized version of it [4], but also provides no license. Some other options to look into are [5][8][13][14], and nmap's [12][10].
I've contacted several of the stated authors for all these datasets for license clarifications.
In terms of the mechanics:
- [ ] Find/pick a good dataset.
- [ ] Create a watch/scripts/ directory, with:
  - [ ] A shell script that downloads a fresh copy of the dataset
  - [ ] And then calls a new python script that parses it and creates go code
- [ ] Add a //go:generate to the watch/watcher.go file that calls the script. Make sure that the generated go file is go fmt'd.
- [ ] Update Host.String to use Vendor name
- [ ] Update template variables to provide access to Vendor name for trigger config
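As an added example of the parse-and-generate step above (not code from netwatch), here is a Python generator that reads an IEEE-style CSV, keeps only the 24-bit MA-L blocks as canonical 3-octet OUIs, and emits a gofmt-style Go file. It assumes the input has the columns Registry,Assignment,Organization Name,Organization Address (the layout of oui.csv); the sample rows and vendor names are constructed, and the scripts/gen_oui.py path and the VendorOf helper are assumptions.

```python
import csv
import io
import re

# Constructed sample in the oui.csv column layout (Registry,Assignment,
# Organization Name,Organization Address); vendor names are made up.
SAMPLE_CSV = """Registry,Assignment,Organization Name,Organization Address
MA-L,001122,Example Networks Inc,1 Example Way
MA-L,AABBCC,"Widgets, Ltd",2 Widget Rd
MA-M,DDEEFF0,Medium Block Co,3 Skip St
MA-L,aabbcc,Widgets Duplicate,4 Dup Ave
"""

def parse_oui_csv(text):
    """Return {'aa:bb:cc': 'Vendor'} for 24-bit (MA-L) assignments only."""
    table = {}
    for row in csv.DictReader(io.StringIO(text)):
        if row["Registry"] != "MA-L":
            continue  # MA-M/MA-S blocks are longer than 3 octets; not an OUI
        hexpart = row["Assignment"].strip().lower()
        if not re.fullmatch(r"[0-9a-f]{6}", hexpart):
            raise ValueError("bad OUI assignment: %r" % row["Assignment"])
        key = ":".join(hexpart[i:i + 2] for i in range(0, 6, 2))
        table.setdefault(key, row["Organization Name"].strip())  # first wins
    return table

def oui_of(mac):
    """Canonical OUI: the first 3 octets of a MAC, lower-case, colon separated."""
    octets = re.split(r"[:-]", mac.strip().lower())
    if len(octets) != 6 or not all(re.fullmatch(r"[0-9a-f]{2}", o) for o in octets):
        raise ValueError("bad MAC: %r" % mac)
    return ":".join(octets[:3])

def go_string(s):
    """Quote s as a Go string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_go(table, package="watch"):
    """Emit gofmt-style Go source: a sorted map literal plus a lookup helper."""
    out = ["// Code generated by scripts/gen_oui.py; DO NOT EDIT.", "",
           "package " + package, "", "var ouiVendors = map[string]string{"]
    out += ['\t"%s": %s,' % (k, go_string(table[k])) for k in sorted(table)]
    out += ["}", "", "// VendorOf returns the vendor for a canonical 3-octet OUI.",
            "func VendorOf(oui string) string { return ouiVendors[oui] }", ""]
    return "\n".join(out)

if __name__ == "__main__":
    print(render_go(parse_oui_csv(SAMPLE_CSV)))
```

The download script from the checklist would pipe the fresh CSV into this generator and write its output to a .go file, which is what the //go:generate line in watch/watcher.go would invoke.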
[1] https://en.wikipedia.org/wiki/Organizationally_unique_identifier
[2] https://code.wireshark.org/review/gitweb?p=wireshark.git;a=blob_plain;f=manuf
[3] http://standards-oui.ieee.org/oui.txt
[4] https://linuxnet.ca/ieee/oui/#Downloads
[5] http://deepmac.org/
[6] https://superuser.com/a/1120181/577047
[7] https://www.wireshark.org/tools/oui-lookup.html
[8] https://data.world/cgivre/mac-address-manufacturers
[9] https://standards.ieee.org/products-services/regauth/oui/index.html
[10] https://serverfault.com/a/384591/430816
[11] http://standards.ieee.org/faqs/OUI.html
[12] https://svn.nmap.org/nmap/nmap-mac-prefixes
[13] http://www.bgplookingglass.com/mac-address-vendor-lookup
[14] https://fingerbank.org/
Unfortunately, after contacting IEEE, it turns out that while the dataset is updated daily, it has no license and thus cannot be used:
> There is no license available for public information. We do not authorize or support third party lookup tools that use information obtained from a public listing that is maintained containing assignments issued by IEEE.
Which is a bummer, since it precludes any static assets. This also calls into question how any other tools use the dataset, or how any other datasets exist, since they seemingly all derive from IEEE.
Another tack that could be taken here is to have the user optionally link to a downloaded dataset, which would not distribute it. But that's quite inconvenient.