diff --git a/logstash/1000_nessus_process_file.conf b/logstash/1000_nessus_process_file.conf new file mode 100644 index 0000000..3ad627a --- /dev/null +++ b/logstash/1000_nessus_process_file.conf @@ -0,0 +1,136 @@ +# Author: Austin Taylor and Justin Henderson +# Email: email@austintaylor.io +# Last Update: 08/04/2017 +# Version 0.2 +# Description: Take in nessus reports from vulnWhisperer and pumps into logstash + +input { + file { + path => "/opt/vulnwhisp/scans/My Scans/*" + start_position => "beginning" + tags => "nessus" + type => "nessus" + } +} + +filter { + if "nessus" in [tags]{ + mutate { + gsub => [ + "message", "\|\|\|", " ", + "message", "\t\t", " ", + "message", " ", " ", + "message", " ", " ", + "message", " ", " " + ] + } + + csv { + columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] + separator => "," + source => "message" + } + + grok { + match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } + tag_on_failure => [] + } + + date { + match => [ "last_updated", "UNIX" ] + target => "@timestamp" + remove_field => ["last_updated"] + } + + if [risk] == "None" { + mutate { add_field => { "risk_number" => 0 }} + } + if [risk] == "Low" { + mutate { add_field => { "risk_number" => 1 }} + } + if [risk] == "Medium" { + mutate { add_field => { "risk_number" => 2 }} + } + if [risk] == "High" { + mutate { add_field => { "risk_number" => 3 }} + } + if [risk] == "Critical" { + mutate { add_field => { "risk_number" => 4 }} + } + + if [cve] == "nan" { + mutate { remove_field => [ "cve" ] } + } + if [see_also] == "nan" { + mutate { remove_field => [ "see_also" ] } + } + if [description] == "nan" { + mutate { remove_field => [ "description" ] } + } + if [plugin_output] == "nan" { + mutate { remove_field => [ "plugin_output" ] } + } + if [synopsis] == "nan" { + mutate { remove_field => [ "synopsis" ] } + } + + mutate { + remove_field => [ "message" ] + add_field => { "risk_score" => "%{cvss}" } + } + mutate { + convert => { "risk_score" => "float" } + } + + # Compensating controls - adjust risk_score + # Adobe and Java are not allowed to run in browser unless whitelisted + # Therefore, lower score by dividing by 3 (score is subjective to risk) + if [risk_score] != 0 { + if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { + ruby { + code => "event.set('risk_score', event.get('risk_score') / 3)" + } + mutate { + add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } + } + } + } + + # Add tags for reporting based on assets or criticality + if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." { + mutate { + add_tag => [ "critical_asset" ] + } + } + if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ + mutate { + add_tag => [ "has_hipaa_data" ] + } + } + if [host] =~ "^192\.168\.[45][0-9][0-9]\." { + mutate { + add_tag => [ "hipaa_asset" ] + } + } + if [host] =~ "^192\.168\.5\." { + mutate { + add_tag => [ "pci_asset" ] + } + } + if [host] =~ "^10\.0\.50\." { + mutate { + add_tag => [ "web_servers" ] + } + } + } +} + +output { + if "nessus" in [tags] or [type] == "nessus" { + #stdout { codec => rubydebug } + elasticsearch { + hosts => [ "localhost:9200" ] + index => "logstash-nessus-%{+YYYY.MM}" + } + } +}