Update to make nessus visualizations consistent with qualys

This commit is contained in:
Austin Taylor
2018-01-29 22:35:45 -05:00
parent cdaf743435
commit 13a01fbfd0
4 changed files with 72 additions and 155 deletions


@ -6,7 +6,7 @@
input {
file {
path => "/opt/vulnwhisp/nessus/**/*"
path => "/opt/vulnwhisperer/nessus/**/*"
start_position => "beginning"
tags => "nessus"
type => "nessus"
@ -15,6 +15,9 @@ input {
filter {
if "nessus" in [tags]{
# Drop the header column
if [message] =~ "^Plugin ID" { drop {} }
mutate {
gsub => [
"message", "\|\|\|", " ",
@ -26,7 +29,7 @@ filter {
}
csv {
columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
separator => ","
source => "message"
}
@ -57,10 +60,13 @@ filter {
if [risk] == "Critical" {
mutate { add_field => { "risk_number" => 4 }}
}
if [cve] == "nan" {
mutate { remove_field => [ "cve" ] }
}
if [cvss] == "nan" {
mutate { remove_field => [ "cvss" ] }
}
if [see_also] == "nan" {
mutate { remove_field => [ "see_also" ] }
}
@ -81,11 +87,36 @@ filter {
mutate {
convert => { "risk_score" => "float" }
}
if [risk_score] == 0 {
mutate {
add_field => { "risk_score_name" => "info" }
}
}
if [risk_score] > 0 and [risk_score] < 3 {
mutate {
add_field => { "risk_score_name" => "low" }
}
}
if [risk_score] >= 3 and [risk_score] < 6 {
mutate {
add_field => { "risk_score_name" => "medium" }
}
}
if [risk_score] >=6 and [risk_score] < 9 {
mutate {
add_field => { "risk_score_name" => "high" }
}
}
if [risk_score] >= 9 {
mutate {
add_field => { "risk_score_name" => "critical" }
}
}
# Compensating controls - adjust risk_score
# Adobe and Java are not allowed to run in browser unless whitelisted
# Therefore, lower score by dividing by 3 (score is subjective to risk)
#Modify and uncomment when ready to use
#if [risk_score] != 0 {
# if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
@ -100,27 +131,27 @@ filter {
# Add tags for reporting based on assets or criticality
#if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
# mutate {
# add_tag => [ "critical_asset" ]
# }
#}
#if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." {
mutate {
add_tag => [ "critical_asset" ]
}
}
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
# mutate {
# add_tag => [ "has_hipaa_data" ]
# }
#}
#if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\." {
# mutate {
# add_tag => [ "hipaa_asset" ]
# }
#}
#if [host] =~ "^192\.168\.5\." {
# mutate {
# add_tag => [ "pci_asset" ]
# }
#}
#if [host] =~ "^10\.0\.50\." {
if [asset] =~ "^hr" {
mutate {
add_tag => [ "pci_asset" ]
}
}
#if [asset] =~ "^10\.0\.50\." {
# mutate {
# add_tag => [ "web_servers" ]
# }
@ -133,7 +164,7 @@ output {
#stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost:9200" ]
index => "logstash-nessus-%{+YYYY.MM}"
index => "logstash-vulnwhisperer-%{+YYYY.MM}"
}
}
}
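Review bot: The now-live critical_asset rule in the -100,27 +131,27 hunk keeps the pattern `"^42.42.42."` with unescaped dots, unlike its sibling `"^192\.168\.0\."`, so each `.` matches any character and an asset such as a constructed `42x42y42z` would be tagged critical; the clause `[asset] == "192.168.0.54"` is also already covered by the `^192\.168\.0\.` prefix. Suggested line: `if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42\.42\.42\." {`. The `[asset]` conditions appear to be the new side (the column is renamed from host to asset in the -26,7 +29,7 hunk), and they hard-code deployment-specific hostnames and ranges into a shipped config where the earlier versions were commented examples; a comment such as `# Site-specific asset list - replace these hosts/ranges before deploying` above the rule, and likewise above the `[asset] =~ "^hr"` pci_asset rule (which tags any asset whose name merely starts with "hr"), would make that explicit. The enclosing `filter {` block starts outside this hunk.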