Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update nessus logstash configs

Browse Source
This commit is contained in:
pemontto
2019-04-11 20:27:54 +10:00
parent 5671b70bdd
commit 0710b38de3
3 changed files with 131 additions and 80 deletions
Download Patch File Download Diff File Expand all files Collapse all files

71
resources/elk5-old_compatibility/docker/1000_nessus_process_file.conf
View File

@ -7,52 +7,69 @@
input { input {
file { file {
path => "/opt/VulnWhisperer/data/nessus/**/*" path => "/opt/VulnWhisperer/data/nessus/**/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "nessus" tags => "nessus"
type => "nessus" type => "nessus"
} }
file {
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
file { file {
path => "/opt/VulnWhisperer/data/tenable/*.csv" path => "/opt/VulnWhisperer/data/tenable/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "tenable" tags => "tenable"
type => "tenable" type => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
# Drop the header column
if [message] =~ "^Plugin ID" { drop {} }
csv { if [path] =~ /\.csv$/ {}
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # Drop the header column
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss_vector", "system_type", "host_start", "host_end"] if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
separator => ","
source => "message"
}
ruby { csv {
code => "if event.get('description') # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"]
end separator => ","
if event.get('synopsis') source => "message"
event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) }
end
if event.get('solution') ruby {
event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) code => "if event.get('description')
end event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('see_also') end
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('synopsis')
end event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('plugin_output') end
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('solution')
end" event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
} end
if event.get('see_also')
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end
if event.get('plugin_output')
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end"
}
}
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }

71
resources/elk5-old_compatibility/logstash/1000_nessus_process_file.conf
View File

@ -7,52 +7,69 @@
input { input {
file { file {
path => "/opt/vulnwhisperer/nessus/**/*" path => "/opt/VulnWhisperer/data/nessus/**/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "nessus" tags => "nessus"
type => "nessus" type => "nessus"
} }
file { file {
path => "/opt/vulnwhisperer/tenable/*.csv" path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
file {
path => "/opt/VulnWhisperer/data/tenable/*.csv"
start_position => "beginning" start_position => "beginning"
tags => "tenable" tags => "tenable"
type => "tenable" type => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
tags => "nessus"
type => "nessus"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
# Drop the header column
if [message] =~ "^Plugin ID" { drop {} }
csv { if [path] =~ /\.csv$/ {}
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # Drop the header column
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
separator => ","
source => "message"
}
ruby { csv {
code => "if event.get('description') # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"]
end separator => ","
if event.get('synopsis') source => "message"
event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) }
end
if event.get('solution') ruby {
event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) code => "if event.get('description')
end event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('see_also') end
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('synopsis')
end event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('plugin_output') end
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('solution')
end" event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end
if event.get('see_also')
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end
if event.get('plugin_output')
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end"
}
} }
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }

69
resources/elk6/pipeline/1000_nessus_process_file.conf
View File

@ -7,12 +7,19 @@
input { input {
file { file {
path => "/opt/vulnwhisperer/data/nessus/**/*" path => "/opt/vulnwhisperer/data/nessus/**/*.csv"
mode => "read" mode => "read"
start_position => "beginning" start_position => "beginning"
file_completed_action => "delete" file_completed_action => "delete"
tags => "nessus" tags => "nessus"
} }
file {
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
start_position => "beginning"
file_completed_action => "delete"
tags => "nessus"
codec => json
}
file { file {
path => "/opt/vulnwhisperer/data/tenable/*.csv" path => "/opt/vulnwhisperer/data/tenable/*.csv"
mode => "read" mode => "read"
@ -20,41 +27,51 @@ input {
file_completed_action => "delete" file_completed_action => "delete"
tags => "tenable" tags => "tenable"
} }
file {
path => "/opt/VulnWhisperer/data/tenable/*.json"
start_position => "beginning"
file_completed_action => "delete"
tags => "tenable"
codec => json
}
} }
filter { filter {
if "nessus" in [tags] or "tenable" in [tags] { if "nessus" in [tags] or "tenable" in [tags] {
# Drop the header column
if [message] =~ "^Plugin ID" { drop {} }
csv { if [path] =~ /\.csv$/ {}
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] # Drop the header column
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] if [message] =~ "^(Plugin ID|plugin_id,)" { drop {} }
separator => ","
source => "message"
}
ruby { csv {
code => "if event.get('description') # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"]
end separator => ","
if event.get('synopsis') source => "message"
event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) }
end
if event.get('solution') ruby {
event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) code => "if event.get('description')
end event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('see_also') end
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('synopsis')
end event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
if event.get('plugin_output') end
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) if event.get('solution')
end" event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end
if event.get('see_also')
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end
if event.get('plugin_output')
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
end"
}
} }
#If using filebeats as your source, you will need to replace the "path" field to "source" #If using filebeats as your source, you will need to replace the "path" field to "source"
grok { grok {
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
tag_on_failure => [] tag_on_failure => []
} }