# This PowerShell script generates a CSV file that can be used with
# the translate logstash plugin to obtain MAC address OUI information
#
# The max prefix length I've observed is 9 characters long, and the ruby code is designed to iterate up to that, depending on whether anything is found
# Example Logstash filter configuration:
####
# mutate {
# id => "ECS - Mutate - Standardize MAC format"
# uppercase => ["[client][mac]","[destination][mac]","[host][mac]","[observer][mac]","[server][mac]","[source][mac]"]
# gsub => [
# "[client][mac]", "[-:]", "",
# "[destination][mac]", "[-:]", "",
# "[host][mac]", "[-:]","",
# "[observer][mac]", "[-:]", "",
# "[server][mac]", "[-:]", "",
# "[source][mac]", "[-:]", ""
# ]
# }
#
# if [source][mac] {
# ruby { code => "event.set('[source][mac_oui_hex]', event.get('[source][mac]')[0..5])" }
# if [source][mac_oui_hex] {
# translate {
# id => "Enrich - ECS - Translate - source.mac -> source.mac_oui #1"
# source => "[source][mac_oui_hex]"
# target => "[source][mac_oui]"
# dictionary_path => "C:\ELK\logstash\OUI_Merged.csv"
# override => true
# remove_field => "[source][mac_oui_hex]"
# fallback => "OUI Not Found"
# }
# }
#
# if [source][mac_oui] == "OUI Not Found" {
# ruby { code => "event.set('[source][mac_oui_hex]', event.get('[source][mac]')[0..6])" }
# if [source][mac_oui_hex] {
# translate {
# id => "Enrich - ECS - Translate - source.mac -> source.mac_oui #2"
# source => "[source][mac_oui_hex]"
# target => "[source][mac_oui]"
# dictionary_path => "C:\ELK\logstash\OUI_Merged.csv"
# override => true
# remove_field => "[source][mac_oui_hex]"
# fallback => "OUI Not Found"
# }
# }
# }
#
# if [source][mac_oui] == "OUI Not Found" {
# ruby { code => "event.set('[source][mac_oui_hex]', event.get('[source][mac]')[0..7])" }
# if [source][mac_oui_hex] {
# translate {
# id => "Enrich - ECS - Translate - source.mac -> source.mac_oui #3"
# source => "[source][mac_oui_hex]"
# target => "[source][mac_oui]"
# dictionary_path => "C:\ELK\logstash\macaddress.io-db.csv"
# override => true
# remove_field => "[source][mac_oui_hex]"
# fallback => "OUI Not Found"
# }
# }
# }
#
# if [source][mac_oui] == "OUI Not Found" {
# ruby { code => "event.set('[source][mac_oui_hex]', event.get('[source][mac]')[0..8])" }
# if [source][mac_oui_hex] {
# translate {
# id => "Enrich - ECS - Translate - source.mac -> source.mac_oui #4"
# source => "[source][mac_oui_hex]"
# target => "[source][mac_oui]"
# dictionary_path => "C:\ELK\logstash\macaddress.io-db.csv"
# override => true
# remove_field => "[source][mac_oui_hex]"
# fallback => "OUI Not Found"
# }
# }
# }
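# Requires PowerShell 7+ (Export-Csv -QuoteFields) and HTTPS access to standards-oui.ieee.org.
#
# Fail fast. Under the default 'Continue' preference a failed Invoke-WebRequest or
# Import-Csv only prints an error and the merge silently continues without that
# registry, producing an incomplete dictionary that Logstash would happily load.
$ErrorActionPreference = 'Stop'

# The IEEE registries to merge, in the same order as the original script.
# The oui28/oui36 paths presumably correspond to the 7- and 9-hex-character
# prefixes that the Logstash example in the header retries against - confirm
# against the registry data if the prefix ladder is changed.
$registries = @(
    @{ Name = 'oui';   Uri = 'https://standards-oui.ieee.org/oui/oui.csv' }
    @{ Name = 'mam';   Uri = 'https://standards-oui.ieee.org/oui28/mam.csv' }
    @{ Name = 'oui36'; Uri = 'https://standards-oui.ieee.org/oui36/oui36.csv' }
    @{ Name = 'cid';   Uri = 'https://standards-oui.ieee.org/cid/cid.csv' }
    @{ Name = 'iab';   Uri = 'https://standards-oui.ieee.org/iab/iab.csv' }
)

# Output location is unchanged so existing dictionary_path settings keep working.
# NOTE(review): the header example points translate at OUI_Merged.csv and
# macaddress.io-db.csv, not merged-OUI.csv - confirm the Logstash config matches.
$outputPath = "$HOME\Downloads\merged-OUI.csv"

# Scratch downloads go to a per-run directory with a random name instead of
# $HOME\Downloads, so a pre-existing oui.csv/mam.csv/... in Downloads is never
# overwritten or deleted, and the path is not predictable to other local users.
$workDir = Join-Path ([System.IO.Path]::GetTempPath()) ('oui-merge-' + [System.IO.Path]::GetRandomFileName())
New-Item -ItemType Directory -Path $workDir | Out-Null

try {
    # Each iteration emits the rows of one registry; PowerShell collects them
    # into a single array, equivalent to the original $csv1 + $csv2 + ... concatenation.
    $merged = foreach ($registry in $registries) {
        $localPath = Join-Path $workDir "$($registry.Name).csv"
        # TLS is the only integrity control on these files; the content is still
        # untrusted third-party input and is normalized below before export.
        Invoke-WebRequest -Uri $registry.Uri -OutFile $localPath
        $rows = Import-Csv -Path $localPath -Encoding utf8
        if (-not $rows) {
            # A 200 response with an empty body would otherwise drop the whole
            # registry from the dictionary without any indication.
            throw "Registry '$($registry.Name)' downloaded from $($registry.Uri) contained no rows."
        }
        $rows
    }

    # Normalization: collapse every non-word character to a space and trim.
    # One limitation of \W is that it includes periods, so org names look a
    # little different ("Inc." -> "Inc"). Stripping quotes, commas and newlines
    # here also keeps IEEE-supplied text from breaking the CSV Logstash reads.
    foreach ($row in $merged) {
        $row.'Organization Address' = ($row.'Organization Address' -replace '[\W]', ' ').Trim()
        $row.'Organization Name'    = ($row.'Organization Name'    -replace '[\W]', ' ').Trim()
    }

    $merged |
        Select-Object Assignment, 'Organization Name', 'Organization Address', 'Registry' |
        Export-Csv -Path $outputPath -Encoding utf8 -QuoteFields 'Organization Name', 'Organization Address'
}
finally {
    # Always remove the scratch downloads, including when a download or import threw;
    # the original only cleaned up on the success path.
    if (Test-Path -LiteralPath $workDir) {
        Remove-Item -LiteralPath $workDir -Recurse -Force
    }
}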