[new processor idea] MAC vendor / OUI lookup

[andrewkroh]

Describe the enhancement:

Create a processor to enrich events containing MAC addresses with the associated vendor name.

processors
  - mac_vendor: # Or perhaps oui_lookup.
      field: source.mac
      target_field: source.Mac_vendor
      ignore_missing: true

Describe a specific use case for the enhancement or feature:

When reviewing network data, particularly DHCP, it can be useful to know the hardware vendor. It's another clue that can be used when trying to understand the behavior of a device.

Related info

• example lookup behavior - https://www.wireshark.org/tools/oui-lookup.html
• authoritative into - https://standards.ieee.org/faqs/regauth/
• oui data sources - https://gitlab.com/wireshark/wireshark/-/blob/18f47c198866dc87d91f2116d254838661192b6c/tools/make-manuf.py#L225-230
• It would be useful to identify these ranges as a "Locally Administered Address". Apple and other vendors use these ranges for randomized addresses. https://serverfault.com/questions/40712/what-range-of-mac-addresses-can-i-safely-use-for-my-virtual-machines
• possible implementation algorithm if using longest prefix matching - https://github.com/torvalds/linux/blob/0bb80ecc33a8fb5a682236443c1e740d5c917d1d/kernel/bpf/lpm_trie.c

[botelastic]

This issue doesn't have a Team:<team> label.

[vinit-chauhan]

Hey @andrewkroh - Yeah, this one seems like a good use case.
With a processor like this, we can also Validate a MAC, which would provide more clean data for many integrations.

Also, If we are enriching the MAC Address fields, shouldn't it be better if we do the processing on the ES side? Maybe the processor can go there so that this capability is not limited only to filebeat, or beats in general.

Also, maybe in the future, we can introduce a type in ES itself, just like IP.

[botelastic]

Hi!
We just realized that we haven't looked into this issue in a while. We're sorry!

We're labeling this issue as Stale to make it hit our filters and make sure we get back to it as soon as possible. In the meantime, it'd be extremely helpful if you could take a look at it as well and confirm its relevance. A simple comment with a nice emoji will be enough :+1.
Thank you for your contribution!