Merge branch 'master' of github.com:austin-taylor/VulnWhisperer

README.md

@@ -40,7 +40,8 @@ sudo pip install pandas
 Using requirements file:
 sudo pip install -r /path/to/VulnWhisperer/requirements.txt
 
-python /path/to/VulnWhisperer/setup.py install
+cd /path/to/VulnWhisperer
+sudo python setup.py install
 ```
 
 

bin/vuln_whisperer

@@ -6,20 +6,26 @@
 
 from vulnwhisp.vulnwhisp import vulnWhisperer
 from vulnwhisp.utils.cli import bcolors
-
+import os
 import argparse
 import sys
 
+def isFileValid(parser, arg):
+    if not os.path.exists(arg):
+        parser.error("The file %s does not exist!" % arg)
+    else:
+        return arg
+
 def main():
 
     parser = argparse.ArgumentParser(description=""" VulnWhisperer is designed to create actionable data from\
      your vulnerability scans through aggregation of historical scans.""")
     parser.add_argument('-c', '--config', dest='config', required=False, default='frameworks.ini',
-                        help='Path of config file')
+                        help='Path of config file', type=lambda x: isFileValid(parser, x.strip()))
     parser.add_argument('-v', '--verbose', dest='verbose', action='store_true', default=True,
                         help='Prints status out to screen (defaults to True)')
-    parser.add_argument('-u', '--username', dest='username', required=False, default=None, help='The NESSUS username')
-    parser.add_argument('-p', '--password', dest='password', required=False, default=None, help='The NESSUS password')
+    parser.add_argument('-u', '--username', dest='username', required=False, default=None, type=lambda x: x.strip(), help='The NESSUS username')
+    parser.add_argument('-p', '--password', dest='password', required=False, default=None, type=lambda x: x.strip(), help='The NESSUS password')
     args = parser.parse_args()
 
     try:

docker-compose.yml

@@ -0,0 +1,40 @@
+version: '2'
+services:
+  vulnwhisp_es1:
+    image: docker.elastic.co/elasticsearch/elasticsearch:5.6.2
+    container_name: vulnwhisp_es1
+    environment:
+      - cluster.name=vulnwhisperer
+      - bootstrap.memory_lock=true
+      - "ES_JAVA_OPTS=-Xms512m -Xmx512m"
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    mem_limit: 1g
+    volumes:
+      - esdata1:/usr/share/elasticsearch/data
+    ports:
+      - 19200:9200
+    networks:
+      - esnet
+  vulnwhisp_ks1:
+    image: docker.elastic.co/kibana/kibana:5.6.2
+    environment:
+      SERVER_NAME: vulnwhisp_ks1
+      ELASTICSEARCH_URL: http://vulnwhisp_es1:9200
+    ports:
+      - 15601:5601
+    networks:
+      - esnet
+  vulnwhisp_ls1:
+    image: docker.elastic.co/logstash/logstash:5.6.2
+    networks:
+      - esnet
+
+volumes:
+  esdata1:
+    driver: local
+
+networks:
+  esnet:

logstash/1000_nessus_process_file.conf

@@ -1,12 +1,12 @@
 # Author: Austin Taylor and Justin Henderson
 # Email: email@austintaylor.io
-# Last Update: 08/04/2017
-# Version 0.2
+# Last Update: 12/20/2017
+# Version 0.3
 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash
 
 input {
   file {
-    path => "/opt/vulnwhisp/scans/My Scans/*"
+    path => "/opt/vulnwhisp/scans/**/*"
     start_position => "beginning"
     tags => "nessus"
     type => "nessus"
@@ -85,43 +85,46 @@ filter {
     # Compensating controls - adjust risk_score
     # Adobe and Java are not allowed to run in browser unless whitelisted
     # Therefore, lower score by dividing by 3 (score is subjective to risk)
-    if [risk_score] != 0 {
-      if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
-        ruby {
-          code => "event.set('risk_score', event.get('risk_score') / 3)"
-        }
-        mutate {
-          add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
-        }
-      }
-    }
+    
+    #Modify and uncomment when ready to use
+    #if [risk_score] != 0 {
+    #  if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
+    #    ruby {
+    #      code => "event.set('risk_score', event.get('risk_score') / 3)"
+    #    }
+    #    mutate {
+    #      add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
+    #    }
+    #  }
+    #}
 
     # Add tags for reporting based on assets or criticality
-    if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
-      mutate {
-        add_tag => [ "critical_asset" ]
-      }
-    }
-    if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
-      mutate {
-        add_tag => [ "has_hipaa_data" ]
-      }
-    }
-    if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
-      mutate {
-        add_tag => [ "hipaa_asset" ]
-      }
-    }
-    if [host] =~ "^192\.168\.5\." {
-      mutate {
-        add_tag => [ "pci_asset" ]
-      }
-    }
-    if [host] =~ "^10\.0\.50\." {
-      mutate {
-        add_tag => [ "web_servers" ]
-      }
-    }
+
+    #if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
+    #  mutate {
+    #    add_tag => [ "critical_asset" ]
+    #  }
+    #}
+    #if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
+    #  mutate {
+    #    add_tag => [ "has_hipaa_data" ]
+    #  }
+    #}
+    #if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
+    #  mutate {
+    #    add_tag => [ "hipaa_asset" ]
+    #  }
+    #}
+    #if [host] =~ "^192\.168\.5\." {
+    #  mutate {
+    #    add_tag => [ "pci_asset" ]
+    #  }
+    #}
+    #if [host] =~ "^10\.0\.50\." {
+    #  mutate {
+    #    add_tag => [ "web_servers" ]
+    #  }
+    #}
   }
 }
 

logstash/9000_output_nessus.conf

@@ -7,7 +7,7 @@ output {
    if "nessus" in [tags]  or [type] == "nessus" {
     #stdout { codec => rubydebug }
     elasticsearch {
-      hosts => [ "localhost" ]
+      hosts => "localhost:19200"
       index => "logstash-nessus-%{+YYYY.MM}"
     }
   }