Origin MAC Address
The MAC Address from which activity originated.
Data Type
String
Aliases
Use | Alias |
---|---|
Client Console Full Name | MAC Address (Origin) |
Client Console Short Name | Not applicable |
Web Console Tab/Name | MAC Address (Origin) |
Elasticsearch Field Name | originMac |
Rule Builder Column Name | SMAC |
Regex Pattern | <smac> |
NetMon Name | SrcMAC |
Field Relationships
- SIP
- SIPv4
- SIPv6
- SIPv6E
- Origin Hostname
- Origin Hostname or IP
- Origin NAT IP
- DIP
- DIPv4
- DIPv6
- DIPv6E
- Impacted Hostname
- Impacted Hostname or IP
- Impacted NAT IP
- Origin Port
- Origin NAT Port
- Impacted Port
- Impacted NAT Port
- Impacted MAC Address
- Origin Interface
- Impacted Interface
- Origin Domain
- Impacted Domain
- Origin Login
- Impacted Account
- IANA Protocol Number
- IANA Protocol Name
Common Applications
- Firewall
- IDS/IPS
- Vulnerability scanners
Use Case
- Distinguishing individual hosts and interfaces, including those that share or change IP addresses.
- Detecting MAC address cloning (spoofing), where one hardware address is claimed by more than one host.
MPE/Data Masking Manipulations
Not applicable.
Usage Standards
- May appear in any of the common MAC address layouts:
  - MM:MM:MM:SS:SS:SS
  - MM-MM-MM-SS-SS-SS
  - MMMM.MMSS.SSSS (Cisco-style dotted groups of four hex digits)
  - MM MM MM SS SS SS
- Origin is the client (in the client-server model).
- Origin is the attacker (in the attacker-target model).
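The two points above, normalising the address layouts and using the result to spot MAC cloning, as an added example (this is not code from the original page or from LogRhythm). It accepts exactly the four layouts listed, canonicalises them to lower-case colon form, pulls the origin MAC out of the three kinds of event this page shows examples of (CEF smac=/dmac=, the DHCP "hardware address" text, and a Brocade src=host/mac/ip field), and then flags any MAC claimed by more than one hostname or IP. The log lines, hostnames and MACs are constructed for the example.

```python
import re
from collections import defaultdict

HEX2 = r"[0-9A-Fa-f]{2}"
HEX4 = r"[0-9A-Fa-f]{4}"
# One sub-pattern per layout listed under Usage Standards.
LAYOUTS = {
    "colon": rf"{HEX2}(?::{HEX2}){{5}}",      # MM:MM:MM:SS:SS:SS
    "dash":  rf"{HEX2}(?:-{HEX2}){{5}}",      # MM-MM-MM-SS-SS-SS
    "dot":   rf"{HEX4}(?:\.{HEX4}){{2}}",     # MMMM.MMSS.SSSS
    "space": rf"{HEX2}(?: {HEX2}){{5}}",      # MM MM MM SS SS SS
}
MAC_TOKEN = "(?:" + "|".join(LAYOUTS.values()) + ")"
WHOLE_MAC = re.compile(rf"^{MAC_TOKEN}$")


def is_mac(token: str) -> bool:
    """True only for a complete token in one of the four accepted layouts."""
    return WHOLE_MAC.match(token.strip()) is not None


def normalize_mac(token: str) -> str:
    """Canonical form: six lower-case hex octets separated by colons."""
    token = token.strip()
    if not is_mac(token):
        raise ValueError(f"not a MAC address: {token!r}")
    digits = re.sub(r"[^0-9A-Fa-f]", "", token).lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def cef_macs(line: str) -> dict:
    """smac=/dmac= from a CEF extension, normalised.

    The MAC pattern is anchored on the key name, so the space-separated
    layout is safe here; scanning free text for it would over-match
    unrelated runs of hex pairs.
    """
    return {m.group(1): normalize_mac(m.group(2))
            for m in re.finditer(rf"\b([sd]mac)=({MAC_TOKEN})", line)}


def dhcp_hardware_address(text: str):
    """(mac, hostname) from a Windows DHCP server message such as event 20097."""
    m = re.search(
        rf"hardware address ({MAC_TOKEN}), hardware type \d+ and FQDN/Hostname (\S+)",
        text)
    return (normalize_mac(m.group(1)), m.group(2)) if m else None


def brocade_src(line: str):
    """(hostname, mac, ip) from a Brocade dataplane src=host/mac/ip field."""
    m = re.search(rf"\bsrc=([^/\s]*)/({MAC_TOKEN})/(\S+)", line)
    return (m.group(1), normalize_mac(m.group(2)), m.group(3)) if m else None


def mac_cloning_candidates(observations):
    """Group (mac, identity) pairs; a MAC claimed by more than one distinct
    hostname or IP is a cloning candidate (or a mis-parsed field)."""
    seen = defaultdict(set)
    for mac, identity in observations:
        seen[mac].add(identity)
    return {mac: sorted(ids) for mac, ids in seen.items() if len(ids) > 1}


# Constructed sample events (hostnames, IPs and MACs are made up): the same
# adapter address appears in three layouts and is claimed by two hosts.
SAMPLE_DHCP = [
    "DHCP Services were denied to machine with hardware address 00-1A-2B-3C-4D-5E, "
    "hardware type 1 and FQDN/Hostname host-a because it did not match any entry in the Allow List.",
    "DHCP Services were denied to machine with hardware address 00-1A-2B-3C-4D-5E, "
    "hardware type 1 and FQDN/Hostname host-b because it did not match any entry in the Allow List.",
]
SAMPLE_BROCADE = ("Mar 1 02:08:38 sw01 dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) "
                  "src=host-a/001a.2b3c.4d5e/fe80::1 dst=/00:00:00:00/ff02::1:2(547) len=159")
SAMPLE_CEF = ("CEF:0|FireEye|MPS|1|IM|infection-match|1|src=10.0.0.5 smac=00 1A 2B 3C 4D 5E "
              "dst=198.51.100.7 dmac=00:AA:BB:CC:DD:EE cs1Label=sname cs1=Exploit.Kit.Angler")


def origin_mac_observations():
    """(origin MAC, claimed identity) pairs drawn from the constructed samples."""
    obs = [dhcp_hardware_address(t) for t in SAMPLE_DHCP]
    host, mac, _ip = brocade_src(SAMPLE_BROCADE)
    obs.append((mac, host))
    # infection-match is an attacker-target event: the C2 side (dst/dmac) is the
    # origin, so dmac, not smac, is taken as the Origin MAC Address.
    macs = cef_macs(SAMPLE_CEF)
    dst_ip = re.search(r"\bdst=(\S+)", SAMPLE_CEF).group(1)
    obs.append((macs["dmac"], dst_ip))
    return obs


if __name__ == "__main__":
    for mac, ids in mac_cloning_candidates(origin_mac_observations()).items():
        print(f"{mac} claimed by {', '.join(ids)}")
```

Treat a hit as a lead, not a verdict: first-hop router virtual MACs (VRRP/HSRP), NIC teaming failover and DHCP relays all legitimately present one MAC with several identities, and the origin/impacted mapping differs between the client-server and attacker-target models, so check which model the source uses before pairing a MAC with an identity.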
Examples
- FireEye Web MPS
02 01 2016 17:13:19 1.1.1.1 <LOC4:WARN> fenotify-609081.warning: CEF:0|FireEye|MPS|1.1.1.1875|IM|infection-match|1|rt=Feb 01 2016 23:13:10 UTC src=1.1.1.1 cn3Label=cncPort cn3=80 cn2Label=sid cn2=84575103 shost=https://www.recordflow.biz proto=tcp spt=51997 dst=1.1.1.1 cs5Label=cncHost cs5=1.1.1.1 dvchost=USABLDRRECFLOW01 dvc=1.1.1.1 smac=00:00:00:00:00:00 cn1Label=vlan cn1=0 dpt=80 externalId=609081 cs4Label=link cs4=THING dmac=00:00:00:00:00:00 cs1Label=sname cs1=Exploit.Kit.Angler
In this infection-match event dmac= is the attacker's MAC address, so it maps to the Origin MAC Address under the attacker-target model even though CEF labels it as the destination; smac= belongs to the infected (impacted) host.
- Brocade Switch
03 01 2017 02:08:41 1.1.1.1 <LOC6:NOTE> Mar 1 02:08:38 USABLDRRECFLOW01 dataplane[2287]: fw rule INTERNAL-IN:10000 block udp(17) src=USABLDRRECFLOW01/0:00:00:00:00:00/IPV6Address dst=/00:00:00:00/0000::0:0(547) len=159 hoplimit=1 len=119
The src= value is hostname, origin MAC address and IP address separated by slashes. Traffic is shown src->dst, which maps to origin->impacted.
- Windows Event Log – DHCP Ops
<Event xmlns='http://Host2/win/2004/08/events/event'><System><Provider Name='Microsoft-Windows-DHCP-Server' Guid='{6d64f02c-a125-4dac-9a01-f0555b41ca84}'/><EventID>20097</EventID><Version>0</Version><Level>Information</Level><Task>None</Task><Opcode>Info</Opcode><Keywords></Keywords><TimeCreated SystemTime='2014-10-07T00:13:02.116745100Z'/><EventRecordID>445336</EventRecordID><Correlation/><Execution ProcessID='1320' ThreadID='2952'/><Channel>Microsoft-Windows-Dhcp-Server/FilterNotifications</Channel><Computer>USABLDRRECFLOW01</Computer><Security UserID='NT AUTHORITY\NETWORK SERVICE'/></System><EventData>DHCP Services were denied to machine with hardware address 00-00-00-00-00-00, hardware type 1 and FQDN/Hostname USABLDRRECFLOW01 because it did not match any entry in the Allow List.</EventData></Event>
The hardware address in this event uses dashes instead of colons; it is still parsed as the Origin MAC Address (the requesting client is the origin).