diff --git a/logstash/3000_openvas.conf b/logstash/3000_openvas.conf
new file mode 100644
index 0000000..f560731
--- /dev/null
+++ b/logstash/3000_openvas.conf
@@ -0,0 +1,146 @@
+# Author: Austin Taylor and Justin Henderson
+# Email: austin@hasecuritysolutions.com
+# Last Update: 03/04/2018
+# Version 0.3
+# Description: Take in qualys web scan reports from vulnWhisperer and pumps into logstash
+
+input {
+ file {
+ path => "/opt/vulnwhisperer/openvas/*.json"
+ type => json
+ codec => json
+ start_position => "beginning"
+ tags => [ "openvas_scan", "openvas" ]
+ }
+}
+
+filter {
+ if "openvas_scan" in [tags] {
+ mutate {
+ replace => [ "message", "%{message}" ]
+ gsub => [
+ "message", "\|\|\|", " ",
+ "message", "\t\t", " ",
+ "message", " ", " ",
+ "message", " ", " ",
+ "message", " ", " ",
+ "message", "nan", " ",
+ "message",'\n',''
+ ]
+ }
+
+
+ grok {
+ match => { "path" => "openvas_scan_%{DATA:scan_id}_%{INT:last_updated}.json$" }
+ tag_on_failure => []
+ }
+
+ mutate {
+ add_field => { "risk_score" => "%{cvss}" }
+ }
+
+ if [risk] == "1" {
+ mutate { add_field => { "risk_number" => 0 }}
+ mutate { replace => { "risk" => "info" }}
+ }
+ if [risk] == "2" {
+ mutate { add_field => { "risk_number" => 1 }}
+ mutate { replace => { "risk" => "low" }}
+ }
+ if [risk] == "3" {
+ mutate { add_field => { "risk_number" => 2 }}
+ mutate { replace => { "risk" => "medium" }}
+ }
+ if [risk] == "4" {
+ mutate { add_field => { "risk_number" => 3 }}
+ mutate { replace => { "risk" => "high" }}
+ }
+ if [risk] == "5" {
+ mutate { add_field => { "risk_number" => 4 }}
+ mutate { replace => { "risk" => "critical" }}
+ }
+
+ mutate {
+ remove_field => "message"
+ }
+
+ if [first_time_detected] {
+ date {
+ match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
+ target => "first_time_detected"
+ }
+ }
+ if [first_time_tested] {
+ date {
+ match => [ "first_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
+ target => "first_time_tested"
+ }
+ }
+ if [last_time_detected] {
+ date {
+ match => [ "last_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
+ target => "last_time_detected"
+ }
+ }
+ if [last_time_tested] {
+ date {
+ match => [ "last_time_tested", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
+ target => "last_time_tested"
+ }
+ }
+ date {
+ match => [ "last_updated", "UNIX" ]
+ target => "@timestamp"
+ remove_field => "last_updated"
+ }
+ mutate {
+ convert => { "plugin_id" => "integer"}
+ convert => { "id" => "integer"}
+ convert => { "risk_number" => "integer"}
+ convert => { "risk_score" => "float"}
+ convert => { "total_times_detected" => "integer"}
+ convert => { "cvss_temporal" => "float"}
+ convert => { "cvss" => "float"}
+ }
+ if [risk_score] == 0 {
+ mutate {
+ add_field => { "risk_score_name" => "info" }
+ }
+ }
+ if [risk_score] > 0 and [risk_score] < 3 {
+ mutate {
+ add_field => { "risk_score_name" => "low" }
+ }
+ }
+ if [risk_score] >= 3 and [risk_score] < 6 {
+ mutate {
+ add_field => { "risk_score_name" => "medium" }
+ }
+ }
+ if [risk_score] >=6 and [risk_score] < 9 {
+ mutate {
+ add_field => { "risk_score_name" => "high" }
+ }
+ }
+ if [risk_score] >= 9 {
+ mutate {
+ add_field => { "risk_score_name" => "critical" }
+ }
+ }
+ # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break.
+ if [asset] =~ "^10\.0\.100\." {
+ mutate {
+ add_tag => [ "critical_asset" ]
+ }
+ }
+ }
+}
+output {
+ if "openvas" in [tags] {
+ stdout { codec => rubydebug }
+ elasticsearch {
+ hosts => [ "localhost:9200" ]
+ index => "logstash-vulnwhisperer-%{+YYYY.MM}"
+ }
+ }
+}
diff --git a/requirements.txt b/requirements.txt
index 1b40850..839bfcb 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,4 +3,5 @@ setuptools==0.9.8
 pytz==2017.2
 Requests==2.18.3
 qualysapi==4.1.0
-lxml==4.1.1
\ No newline at end of file
+lxml==4.1.1
+bs4
\ No newline at end of file
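Review bot: The header comment on the fifth line of the new file describes Qualys web scan reports, but the input path and tags in this pipeline are for OpenVAS; it should read `# Description: Take in OpenVAS scan reports from vulnWhisperer and pumps into logstash`. Separately, `add_field => { "risk_score" => "%{cvss}" }` runs unconditionally, so an event without a `cvss` field gets the literal string `%{cvss}` as its risk_score and the later float conversion and `risk_score_name` comparisons then operate on a non-numeric value, which presumably ends up silently misclassified; wrapping that mutate in `if [cvss] { ... }` avoids it. In the output block, `stdout { codec => rubydebug }` writes every vulnerability record to Logstash's stdout alongside the Elasticsearch output, which is a debugging aid rather than something to leave on by default in the shipped pipeline; consider removing it or commenting it out.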
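Review bot: `bs4` is added without a version pin while every other entry in requirements.txt is pinned, so the resolved dependency for that line is no longer reproducible across installs. `bs4` on PyPI is also only a shim that installs beautifulsoup4; pinning the real package as `beautifulsoup4==<pinned version>` keeps the file consistent and makes the actual dependency explicit.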