How to win the fight against old vendor files

Everyone who works with Linux at the admin level, from a normal nmap scan, through intrusion detection with arpalert or arpwatch, up to specific programs like unicornscan or btscan, has the same problem:

The vendor files, which translate the MAC address to a manufacturer, are really old, so the result is incomplete. In addition, the vendor files do not have the same format as the original OUI files and need to be converted via scripts. Updating the vendor file for nmap is not the same as updating the file for unicornscan.

So I decided to write a script which does this automatically for different applications. The best way is to copy the script as root to /usr/bin and check the permissions so that it is executable. After that you only have to start refresh_oui without parameters; the rest of the work is done by the script.

oui.txt and iab.txt are downloaded from the sources and converted to the different formats; after that, some links are set for the detected applications to replace the old vendor files.
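The conversion step described above, as an added example that is not taken from refresh_oui: it parses the 24-bit "(hex)" records of oui.txt (iab.txt is not covered), writes two assumed target layouts, and refuses to replace an existing vendor file when too few records were parsed. The function names, the sample records and the two layouts ("PREFIX Vendor" for nmap, "PREFIX<TAB>Vendor" for arp-scan) are assumptions.

```shell
#!/bin/sh
# Added example, not taken from refresh_oui. Sample records are constructed.
sample_oui() {
cat <<'EOF'
00-00-0C   (hex)        Cisco Systems, Inc
00000C     (base 16)    Cisco Systems, Inc
                        170 West Tasman Drive
                        San Jose CA 95134

00-1B-63   (hex)        Apple, Inc.
001B63     (base 16)    Apple, Inc.
EOF
}

# parse_oui: read oui.txt on stdin, print "PREFIX<TAB>Vendor" per "(hex)" record.
parse_oui() {
    awk '
    { sub(/\r$/, "") }    # the IEEE file has CRLF line endings
    $2 == "(hex)" {
        prefix = toupper($1); gsub(/-/, "", prefix)
        if (length(prefix) != 6 || prefix !~ /^[0-9A-F]+$/) next
        name = $0
        sub(/^.*\(hex\)[ \t]*/, "", name); sub(/[ \t]+$/, "", name)
        if (name != "") printf "%s\t%s\n", prefix, name
    }'
}

# Assumed target layouts: "PREFIX Vendor" (nmap-mac-prefixes style) and
# "PREFIX<TAB>Vendor" (arp-scan ieee-oui.txt style).
to_nmap()     { parse_oui | awk -F '\t' '{ print $1 " " $2 }'; }
to_arp_scan() { parse_oui; }

# build_vendor_file FORMAT MIN OUT: convert stdin and replace OUT only when at
# least MIN records were parsed, so a truncated download never replaces a good file.
build_vendor_file() {
    fmt=$1; min=$2; out=$3
    tmp=$(mktemp "$out.XXXXXX") || return 1
    "to_$fmt" > "$tmp"
    count=$(($(wc -l < "$tmp")))
    if [ "$count" -lt "$min" ]; then
        rm -f "$tmp"
        echo "refusing to replace $out: only $count records" >&2
        return 1
    fi
    chmod 644 "$tmp" && mv "$tmp" "$out"   # mktemp creates the file with mode 0600
}

sample_oui | to_nmap    # demo on the constructed sample
```

Against a real oui.txt the minimum would be set to a value in the tens of thousands, so an empty or error-page download is rejected before any scanner's vendor file is touched.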

The following applications are automatically supported:

  • arp-scan
  • arpalert
  • arpwatch
  • bluelog
  • btscanner
  • golismero
  • nmap
  • unicornscan

You should consider including this script in an update process with /etc/cron.d or crontab, so your vendor files are always up to date.

https://github.com/burningfog/refresh_oui

If there are other vendor file formats or applications to support, please write an email so I can add them to my script.

Greets

burning fog
