Update nessus logstash configs

pemontto
2019-04-11 20:27:54 +10:00
parent 5671b70bdd
commit 0710b38de3
3 changed files with 131 additions and 80 deletions


@ -7,27 +7,43 @@
input { input {
file { file {
path => "/opt/VulnWhisperer/data/nessus/**/*" path => "/opt/VulnWhisperer/data/nessus/**/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "nessus" tags => "nessus"
type => "nessus" type => "nessus"
} }
file {
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
file { file {
path => "/opt/VulnWhisperer/data/tenable/*.csv" path => "/opt/VulnWhisperer/data/tenable/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "tenable" tags => "tenable"
type => "tenable" type => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
if [path] =~ /\.csv$/ {}
# Drop the header column # Drop the header column
if [message] =~ "^Plugin ID" { drop {} } if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
csv { csv {
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss_vector", "system_type", "host_start", "host_end"] columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"]
separator => "," separator => ","
source => "message" source => "message"
} }
@ -49,10 +65,11 @@ filter {
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end" end"
} }
}
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }
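Review bot: The new conditional `if [path] =~ /\.csv$/ {}` at L43 is an empty block, so the header drop and the csv filter that follow still run for every event, including those from the new `codec => json` inputs, while the lone `}` added after the ruby block at L56 looks like the intended close of that conditional and would instead terminate the outer `if "nessus" in [tags] or "tenable" in [tags]` early, leaving the filter block unbalanced. If the goal is to gate the CSV handling, L43 should read `if [path] =~ /\.csv$/ {` so the `}` at L56 closes it; the same pair appears in the other two files at L96/L105 and L147/L156. Separately, the tenable JSON input at L33-L39 sets `tags => "nessus"` and `type => "nessus"` while the CSV input beside it uses `tenable` (the second file repeats this at L86-L92), which reads as a copy-paste slip that would mislabel tenable.io results. The enclosing filter block continues past the end of the hunk.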


@ -7,23 +7,39 @@
input { input {
file { file {
path => "/opt/vulnwhisperer/nessus/**/*" path => "/opt/VulnWhisperer/data/nessus/**/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "nessus" tags => "nessus"
type => "nessus" type => "nessus"
} }
file { file {
path => "/opt/vulnwhisperer/tenable/*.csv" path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
file {
path => "/opt/VulnWhisperer/data/tenable/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "tenable" tags => "tenable"
type => "tenable" type => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
if [path] =~ /\.csv$/ {}
# Drop the header column # Drop the header column
if [message] =~ "^Plugin ID" { drop {} } if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
csv { csv {
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
@ -49,10 +65,11 @@ filter {
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end" end"
} }
}
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }
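Review bot: The updated grok pattern at L108 ends in `_%{INT:last_updated}.(csv|json)$`, where the dot before the extension is unescaped and so matches any character rather than a literal `.`; since the pattern already escapes with `\-`, `_%{INT:last_updated}\.(csv|json)$` keeps the same style and is precise. The same pattern is changed identically at L59 and L159. The grok block's enclosing filter continues outside the hunk.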


@ -7,12 +7,19 @@
input { input {
file { file {
path => "/opt/vulnwhisperer/data/nessus/**/*" path => "/opt/vulnwhisperer/data/nessus/**/*.csv"
mode => "read" mode => "read"
start_position => "beginning" start_position => "beginning"
file_completed_action => "delete" file_completed_action => "delete"
tags => "nessus" tags => "nessus"
} }
file {
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
file_completed_action => "delete"
tags => "nessus"
codec => json
}
file { file {
path => "/opt/vulnwhisperer/data/tenable/*.csv" path => "/opt/vulnwhisperer/data/tenable/*.csv"
mode => "read" mode => "read"
@ -20,12 +27,21 @@ input {
file_completed_action => "delete" file_completed_action => "delete"
tags => "tenable" tags => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
file_completed_action => "delete"
tags => "tenable"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
if [path] =~ /\.csv$/ {}
# Drop the header column # Drop the header column
if [message] =~ "^Plugin ID" { drop {} } if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
csv { csv {
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
@ -51,10 +67,11 @@ filter {
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end" end"
} }
}
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }
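Review bot: The new JSON inputs at L123-L129 and L137-L143 use `/opt/VulnWhisperer/data/...` while the CSV inputs in the same file use `/opt/vulnwhisperer/data/...`, so on a case-sensitive filesystem the JSON globs would match nothing. They also omit the `mode => "read"` that the CSV inputs set, and `file_completed_action => "delete"` only applies in read mode, so the JSON files would be tailed and never removed after processing. Suggest lowercasing the path to match the CSV inputs and adding `mode => "read"` to both JSON inputs so they behave like their CSV counterparts.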