Merge pull request #218 from obsidianforensics/mac-addr-random

Add descriptor for potentially randomized MAC addresses

unfurl/core.py

@@ -39,6 +39,7 @@ def __init__(self, remote_lookups=None):
         self.api_keys = {}
         self.remote_lookups = remote_lookups
         self.known_domain_lists = None
+        self.node_limit = 500
 
         config = configparser.ConfigParser()
         config.read('unfurl.ini')
@@ -335,7 +336,7 @@ def parse(self, queued_item):
         self.run_plugins(self.nodes[node_id])
 
     def parse_queue(self):
-        while not self.queue.empty() and self.total_nodes < 200:
+        while not self.queue.empty() and self.total_nodes < self.node_limit:
             self.parse(self.queue.get())
 
     def reset_graph_state(self):

unfurl/parsers/parse_mac_addr.py

@@ -29,17 +29,26 @@
 
 def run(unfurl, node):
     if node.data_type == 'mac-address':
+        vendor_lookup = None
         try:
-            vendor_lookup = netaddr.EUI(node.value).oui.registration().org
+            mac_addr = netaddr.EUI(node.value)
+            vendor_lookup = mac_addr.oui.registration().org
+        except netaddr.NotRegisteredError:
+            pass
         except Exception as e:
             log.exception(f'Exception while parsing MAC address: {e}')
-            return
 
         if vendor_lookup:
             unfurl.add_to_queue(
                 data_type="mac-address.vendor", key=None, value=vendor_lookup, label=f'Vendor: {vendor_lookup}',
                 parent_id=node.node_id, incoming_edge_config=uuid_edge)
 
+        if node.value[1] in ['2', '6', 'A', 'E', 'a', 'e']:
+            unfurl.add_to_queue(
+                data_type="descriptor", key=None,
+                value='MAC address is randomized (locally-administered & unicast bits set)',
+                parent_id=node.node_id, incoming_edge_config=uuid_edge)
+
     else:
         long_int = utils.long_int_re.fullmatch(str(node.value))
         m = utils.mac_addr_re.fullmatch(str(node.value))