As most of you are aware, I have written a few posts about Arpwatch and the great value it provides in a network for visibility. It can help to uncover not only network issues that may exist, but also potential security events unfolding or machines being on a segment of the network they should not be on. It is a great tool overall that I highly recommend running in a lightweight Linux VM on the network. I have written a few posts on how to get up and running fairly quickly with the solution, including email alerts. One of the housekeeping tasks that need to be done with Arpwatch however is maintaining updates on the OUI tables. Let’s take a look at how to Use Ansible to Update OUI tables in Arpwatch. If you have several Arpwatch probes out on your network, using Ansible is a great way to automate this process of updating the OUI tables.
What is an OUI?
You might wonder, what is an OUI anyway? The OUI is known as the Organizationally Unique Identifier that is the 24-bit number that uniquely identifies a vendor or manufacturer of a certain piece of hardware. In fact, if you have seen a MAC address before, you have seen the OUI! The OUI is the first three octets of a MAC address.
For instance, the MAC address that starts with 74:e6:e2 is a Dell MAC address. There are many great OUI lookup websites out there, but one of the first that pops up in a Google search is the one from Wireshark. You can lookup a vendor using their quick OUI lookup utility.
Keeping the OUI tables up to date means you are able to more effectively identify devices that arpwatch sees on the network. If you don’t have a matching OUI identifier for the MAC address, the host simply comes through as “Unknown”. Automating this process allows much more effectively keeping up with the most recent OUIs as they are released.
Why Use Ansible to keep this updated?
Ansible is a great way to automate many operations across the environment, and it is especially at home managing Linux platforms, even though the Windows support is now really great also. Using Ansible, we can connect to any number of Linux hosts, update the ethercodes.dat file that is used by Arpwatch and do this programmatically.
First I want to give a shout out to writer of the script I had found some time ago for updating the ethercodes.dat file here:
Using this shell script, you can easily pull down the latest OUI file and format it in the way arpwatch can use.
##!/bin/bash # update_mac_addresses.sh # This script downloads the correct mac address data from the IEEE and parses it for nmap and arpwatch. # nmap-mac-prefixes is for nmap. # ethercodes.dat is arpwatch. # Download the current data wget http://standards-oui.ieee.org/oui.txt --no-check-certificate # Divide the data into Manufacturer and Address files cat oui.txt | grep '(base 16)' | cut -f3 > mac.manufacturer cat oui.txt | grep '(base 16)' | cut -f1 -d' ' > mac.address # Paste them back together for nmap data paste mac.address mac.manufacturer > nmap-mac-prefixes # Parse the address data for arpwatch cat mac.address | perl -pe 's/^(([^0].)|0(.))(([^0].)|0(.))(([^0].)|0(.))/\2\3:\5\6:\8\9/' > tmp.address cat tmp.address | tr [A-Z] [a-z] > mac.address # Paste the parsed data into the arpwatch file paste mac.address mac.manufacturer > ethercodes.dat # Clean up intermediary files rm tmp.address rm mac.address rm mac.manufacturer rm oui.txt # Move the files for my Ubuntu installation mv /usr/share/arpwatch/ethercodes.dat /usr/share/arpwatch/ethercodes.dat.old mv ethercodes.dat /usr/share/arpwatch/ethercodes.dat
The following is the Ansible code that I am using to update the ethercodes.dat file on the remote Linux boxes. What does this simple Yaml file do?
--- - name: Ansible delete file glob shell: /bin/rm -rf /tmp/update_mac_addresses.sh - name: Transfer the script copy: src=/root/test/resources/newoui/update_mac_addresses.sh dest=/tmp/update_mac_addresses.sh mode=0777 - name: Execute the script command: sh /tmp/update_mac_addresses.sh
- It deletes the file from the /tmp directory if it is there already
- It copies the script above over to the Linux box and sets permissions
- It is using a local Linux folder to store the file to copy from
- Then it executes the script
To use the YAML code above, simply add your servers to your inventory.yml file, test your connection using the Ansible ping command and then run your playbook! Simple
Automation is powerful! As you can see, if you had several Linux servers that you wanted to pull down a new OUI list and turn into a new ethercodes.dat installation on multiple Arpwatch “probes”, when you Use Ansible to Update OUI tables in Arpwatch, you can hit a button and walk away. This is a very simplistic use case, however, it demonstrates the power of automation and refusing to do things the “old” way.