Merge pull request #206 from obsidianforensics/issue-195

obsidianforensics · web-flow · commit e1dbdf710750 · 2024-11-21T09:42:16.000-08:00
Switch package for MAC address lookups to an offline one.
diff --git a/pyproject.toml b/pyproject.toml
@@ -22,7 +22,6 @@ keywords=["unfurl", "forensics", "dfir", "reverse-engineering", "security", "osi
 dependencies = { file = ["requirements.txt"] }
 version = { attr = "unfurl.__version__" }
 optional-dependencies.ui = { file = ["requirements-ui.txt"] }
-optional-dependencies.lookups = { file = ["requirements-lookups.txt"] }
 optional-dependencies.all = { file = ["requirements-all.txt"] }
 
 [project.scripts]
diff --git a/requirements-all.txt b/requirements-all.txt
@@ -1 +1 @@
-dfir-unfurl[ui,lookups]
+dfir-unfurl[ui]
diff --git a/requirements-lookups.txt b/requirements-lookups.txt
diff --git a/requirements.txt b/requirements.txt
@@ -1,10 +1,11 @@
+bbpb
 dnslib
+mac-vendor-lookup>=0.1.12
 networkx
 protobuf==4.*
 publicsuffix2
 pycountry
 pymispwarninglists>=1.5
 requests
 torf
-ulid-py
-bbpb
+ulid-py
diff --git a/unfurl/parsers/parse_mac_addr.py b/unfurl/parsers/parse_mac_addr.py
@@ -1,4 +1,4 @@
-# Copyright 2019 Google LLC
+# Copyright 2024 Ryan Benson
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -12,8 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-import maclookup
-import re
+import mac_vendor_lookup
 from unfurl import utils
 
 uuid_edge = {
@@ -26,28 +25,25 @@
 
 
 def run(unfurl, node):
-    if not node.data_type == 'mac-address':
+    if node.data_type == 'mac-address':
+        vendor_lookup = mac_vendor_lookup.MacLookup().lookup(node.value)
+        if vendor_lookup:
+            unfurl.add_to_queue(
+                data_type="mac-address.vendor", key=None, value=vendor_lookup, label=f'Vendor: {vendor_lookup}',
+                parent_id=node.node_id, incoming_edge_config=uuid_edge)
+
+    else:
         long_int = utils.long_int_re.fullmatch(str(node.value))
         m = utils.mac_addr_re.fullmatch(str(node.value))
         if m and not long_int:
             u = m.group('mac_addr')
 
             # Check if we need to add colons
             if len(u) == 12:
-                pretty_mac = ':'.join([u[i]+u[i+1] for i in range(0, 12, 2)])
-
+                pretty_mac = ':'.join([u[i] + u[i + 1] for i in range(0, 12, 2)])
             else:
                 pretty_mac = u.upper()
 
             unfurl.add_to_queue(
                 data_type='mac-address', key=None, value=pretty_mac, label=f'MAC address: {pretty_mac}',
                 parent_id=node.node_id, incoming_edge_config=uuid_edge)
-
-    elif node.data_type == 'mac-address' and unfurl.api_keys.get('macaddress_io') and unfurl.remote_lookups:
-        client = maclookup.ApiClient(unfurl.api_keys.get('macaddress_io'))
-        vendor_lookup = client.get_vendor(node.value).decode('utf-8')
-
-        if vendor_lookup:
-            unfurl.add_to_queue(
-                data_type="mac-address.vendor", key=None, value=vendor_lookup, label=f'Vendor: {vendor_lookup}',
-                parent_id=node.node_id, incoming_edge_config=uuid_edge)

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-dfir-unfurl[ui,lookups]`
	`1`	`+dfir-unfurl[ui]`