Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Kibana Dashboards, filebeat and logstash configs

Browse Source
This commit is contained in:
Austin Taylor
2017-07-10 00:15:28 -04:00
parent ccf774099f
commit 034b204255
7 changed files with 858 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
logstash/1000_nessus_preprocess_nessus.conf Executable file
View File

@ -0,0 +1,114 @@
# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 05/22/2017
# Version 0.2
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
filter {
if "nessus" in [tags]{
mutate {
gsub => [
"message", "\|\|\|", " ",
"message", "\t\t", " ",
"message", " ", " ",
"message", " ", " ",
"message", " ", " "
]
}
csv {
columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
separator => ","
source => "message"
}
grok {
match => { "source" => "(?<file_path>[\\\:a-z A-Z_]*\\)(?<scan_name>[a-z-0-9\.A-Z_\-]*)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}" }
tag_on_failure => []
}
date {
match => [ "last_updated" , "UNIX" ]
target => "@timestamp"
remove_field => ["last_updated"]
}
if [risk] == "None" {
mutate { add_field => { "risk_number" => 0 }}
}
if [risk] == "Low" {
mutate { add_field => { "risk_number" => 1 }}
}
if [risk] == "Medium" {
mutate { add_field => { "risk_number" => 2 }}
}
if [risk] == "High" {
mutate { add_field => { "risk_number" => 3 }}
}
if [risk] == "Critical" {
mutate { add_field => { "risk_number" => 4 }}
}
if [cve] == "nan" {
mutate { remove_field => [ "cve" ] }
}
if [see_also] == "nan" {
mutate { remove_field => [ "see_also" ] }
}
if [description] == "nan" {
mutate { remove_field => [ "description" ] }
}
if [plugin_output] == "nan" {
mutate { remove_field => [ "plugin_output" ] }
}
if [synopsis] == "nan" {
mutate { remove_field => [ "synopsis" ] }
}
mutate {
remove_field => [ "message" ]
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "risk_score" => "float" }
}
# Compensating controls - adjust risk_score
# Adobe and Java are not allowed to run in browser unless whitelisted
# Therefore, lower score by dividing by 3 (score is subjective to risk)
if [risk_score] != 0 {
if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
ruby {
code => "event.set('risk_score', event.get('risk_score') / 3)"
}
mutate {
add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
}
}
}
# Add tags for reporting based on assets or criticality
# May be a good idea to mirror some of the tags in 8200_postprocess_tagging.conf
if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^192\.168\.5\." {
mutate {
add_tag => [ "critical_asset" ]
}
}
if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
mutate {
add_tag => [ "has_hipaa_data" ]
}
}
if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
mutate {
add_tag => [ "hipaa_asset" ]
}
}
if [host] =~ "^192\.168\.5\." {
mutate {
add_tag => [ "pci_asset" ]
}
if [host] =~ "^10\.0\.50\." {
mutate {
add_tag => [ "web_servers" ]
}
}
}
}

14
logstash/9000_output_nessus.conf Executable file
View File

@ -0,0 +1,14 @@
# Author: Austin Taylor
# Email: email@austintaylor.io
# Last Update: 05/21/2017
# Creates logstash-nessus
output {
if "nessus" in [tags] or [type] == "nessus" {
#stdout { codec => rubydebug }
elasticsearch {
hosts => [ "elasticsearch01.yourdomain.local","elasticseach02.yourdomain.local","elasticsearch03.yourdomain.local" ]
index => "logstash-nessus-%{+YYYY.MM}"
}
}
}