# Logstash ruby-filter concurrency declaration.
#
# @return [Symbol] :shared — a single script instance may serve every pipeline
#   worker, since filter only reads the state that register builds.
def concurrency
  # The symbol is interpreted by the ruby filter plugin, not by this script.
  :shared
end
def register(params)
@source = params["source"]
@target = params["target"]
if File.exist?(params["map_path"])
@macarray = Array.new
YAML.load(File.read(params["map_path"])).each do |mac|
@macarray.push([mac_string_to_integer(mac['low']), mac_string_to_integer(mac['high']), mac['name']])
end
# Array.bsearch only works on a sorted array
@macarray.sort_by! { |k| [k[0], k[1]]}
else
@macarray = nil
end
@macregex = Regexp.new(/\A([0-9a-fA-F]{2}[-:.]){5}([0-9a-fA-F]{2})\z/)
end
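# Looks up the vendor name(s) for the MAC address(es) held in the source field
# and writes them to the target field.
#
# @param event [LogStash::Event] the event being filtered
# @return [Array<LogStash::Event>] the same event, always wrapped in an array
def filter(event)
  mac = event.get(@source)
  # Nothing to do without an input value or a loaded map (see register).
  return [event] if mac.nil? || @macarray.nil?

  # Accept a single address or an array of addresses; any other type yields no
  # names. Non-string elements are skipped instead of being handed to the
  # regex, which raises TypeError on e.g. an Integer element.
  candidates = mac.is_a?(Array) ? mac : [mac]
  names = candidates.map do |addr|
    next unless addr.is_a?(String) && @macregex.match?(addr)
    lookup_vendor_name(mac_string_to_integer(addr))
  end
  names = names.compact.uniq

  # Existing contract: one match is stored as a scalar, several as an array,
  # none leaves the target field untouched.
  if names.length > 1
    event.set(@target, names)
  elsif names.length == 1
    event.set(@target, names.first)
  end
  [event]
end

# Binary-searches the sorted [low, high, name] map for the range containing
# macint.
#
# @param macint [Integer] MAC address as an integer
# @return [String, nil] the matching entry's name, or nil when no range matches
def lookup_vendor_name(macint)
  entry = @macarray.bsearch do |low, high, _name|
    # find-any mode: negative below the range, positive above it, zero inside.
    if macint < low
      -1
    elsif macint > high
      1
    else
      0
    end
  end
  entry && entry[2]
end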
# Converts a MAC address string to its integer value.
#
# The separators '.', ':' and '-' are stripped first, so "00:50:C2:7A:50:01",
# "00-50-c2-7a-50-01" and "0050.c27a.5001" all yield the same integer.
#
# @param string [String] MAC address in any of the supported notations
# @return [Integer] value of the remaining characters parsed as base 16
#   (String#to_i stops at the first non-hex character and returns 0 if the
#   string starts with one)
def mac_string_to_integer(string)
  hex_digits = string.delete('.:-')
  hex_digits.to_i(16)
end
###############################################################################
# tests
# Script-level tests executed by the ruby filter's test harness. They read the
# production map at /etc/ics_macs.yaml, which must contain the range that maps
# 00:50:C2:7A:50:01 to "Quantum Medical Imaging".
map_params = {
  "source" => "sourcefield",
  "target" => "targetfield",
  "map_path" => "/etc/ics_macs.yaml"
}

test "standard flow" do
  parameters { map_params.dup }
  in_event { { "sourcefield" => "00:50:C2:7A:50:01" } }
  expect("result to be equal") { |events| events.first.get("targetfield") == "Quantum Medical Imaging" }
end

test "not in map" do
  parameters { map_params.dup }
  in_event { { "sourcefield" => "DE:AD:ED:BE:EE:EF" } }
  expect("targetfield not set") { |events| events.first.get("targetfield").nil? }
end

test "bad input string" do
  parameters { map_params.dup }
  in_event { { "sourcefield" => "not a mac address" } }
  expect("targetfield not set") { |events| events.first.get("targetfield").nil? }
end

test "missing field" do
  parameters { map_params.dup }
  in_event { {} }
  expect("targetfield not set") { |events| events.first.get("targetfield").nil? }
end
###############################################################################