Doubt about key in zeek tables

Good morning, I am developing an inventory in zeek with my own script.

My idea is to use the MAC as the key of the table, so that the checks, for example before adding a service or other data, are done against the key, which is the MAC.

The point is that I have found the case that different MAC are in several IP addresses.

For this problem I have reconsidered the option of having two keys in the table, the MAC address and the IP address. This is not very efficient because if there is a DHCP server there will be a lot of records in the inventory.

So I don’t see a very good option in using one of the two as keys:

  • MAC
  • MAC,IP

In the Zeek known services and known hosts scripts the key is the IP; I understand that you have already taken into account the considerations I have mentioned.

Could you guide me with this issue?

I understand that there is no perfect option, but there will be one more successful than another, being one of the following:

  • MAC
  • MAC,IP
  • IP

Thanks very much!

In most deployments the MAC address of the end systems is not available. What’s present in the packet feed is instead the MAC of one of the routers on the tapped link. So all you have to work with is the IP address of the end system.

In this case it would be for an internal network, to create an inventory. In that case, would it be a good option, considering that we have to fill the inventory with the data of known services, known equipment and software?

MAC addresses for end systems are only available if monitoring the LAN to which the systems are directly attached. Are you monitoring a single LAN? If so then I don’t understand your comment “different MAC are in several IP addresses”. If not then MAC addresses aren’t going to work for what you want to do.

Good afternoon!

I thought that, for example, when you use a virtual machine there could be problems of duplicate MACs in the same LAN, but from your answer I understand that this case would not occur because they would have different MACs.

Thanks!

My point is different. MAC addresses identify hosts only on the network to which they’re directly attached, like an Ethernet LAN or a WiFi network. Usually with Zeek you’re monitoring multiple individual networks at a chokepoint, so there are IP-level hops between the monitoring location and the individual networks. Those IP-level hops use different MAC addresses than those for the individual hosts, so you won’t have a chance to observe the “correct” MAC address.

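As an added example (not code from any poster in this thread), the approach the replies converge on: key the inventory by IP, as known_hosts does, and keep any MAC observed for that IP as data rather than as part of the key, so DHCP churn or a router's MAC does not multiply records. It assumes Zeek's `orig_l2_addr`/`resp_l2_addr` fields on the connection record and `Site::is_local_addr` from base/utils/site.zeek.

```zeek
##! Added example: IP-keyed inventory that records observed MACs per IP.
module Inventory;

export {
    type HostInfo: record {
        first_seen: time;
        last_seen:  time;
        macs:       set[string];   # MACs seen for this IP (often a router's)
        services:   set[port];     # responder ports seen on this IP
    };

    # IP is the key; entries that go quiet are dropped after 7 days.
    global hosts: table[addr] of HostInfo &create_expire=7days;
}

# Record one observation of ip/mac/service and return how many distinct
# MACs are now associated with that IP.
function observe(ip: addr, mac: string, ts: time, svc: port): count
{
    if ( ip !in hosts )
        hosts[ip] = HostInfo($first_seen=ts, $last_seen=ts,
                             $macs=set(), $services=set());

    local h = hosts[ip];          # records are reference types in Zeek
    h$last_seen = ts;
    if ( mac != "" )
        add h$macs[mac];
    add h$services[svc];
    return |h$macs|;
}

event connection_established(c: connection)
{
    # Only inventory local responders. Their MAC is only meaningful when
    # the sensor sits on the same LAN; behind an IP hop it is a router's.
    if ( ! Site::is_local_addr(c$id$resp_h) )
        return;

    local mac = c?$resp_l2_addr ? c$resp_l2_addr : "";
    local n = observe(c$id$resp_h, mac, network_time(), c$id$resp_p);

    # More than one MAC for an IP usually means DHCP reuse or that the
    # sensor is not on that host's LAN, not a duplicate host.
    if ( n > 1 )
        print fmt("%s seen with %d MACs: %s", c$id$resp_h, n,
                  hosts[c$id$resp_h]$macs);
}
```

Load it with `zeek -r trace.pcap this_script.zeek` after setting `Site::local_nets`; the MAC set stays useful on a single monitored LAN and degrades gracefully to "one router MAC per IP" elsewhere.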