Updates for normalised fields and json output

This commit is contained in:
pemontto
2019-04-17 16:31:37 +10:00
parent eea417a0d9
commit 9c7600b264
2 changed files with 22 additions and 52 deletions


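--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,5 +1,6 @@
 {
 "index_patterns": "logstash-vulnwhisperer-*",
+"version": 2019041701,
 "mappings": {
 "doc": {
 "properties": {
@@ -22,9 +23,6 @@
 "asset_uuid": {
 "type": "keyword"
 },
-"assign_ip": {
-"type": "ip"
-},
 "category": {
 "type": "keyword"
 },
@@ -34,7 +32,7 @@
 "cvss_base": {
 "type": "float"
 },
-"cvss_temporal_vector": {
+"cvss_severity": {
 "type": "keyword"
 },
 "cvss_temporal": {
@@ -49,7 +47,7 @@
 "cvss3_base": {
 "type": "float"
 },
-"cvss3_temporal_vector": {
+"cvss3_severity": {
 "type": "keyword"
 },
 "cvss3_temporal": {
@@ -117,24 +115,14 @@
 "host_start": {
 "type": "date"
 },
-"impact": {
-"fields": {
-"keyword": {
-"ignore_above": 256,
-"type": "keyword"
-}
-},
-"norms": false,
-"type": "text"
-},
-"ip_status": {
-"type": "keyword"
-},
 "ip": {
 "type": "ip"
 },
-"last_updated": {
-"type": "date"
+"mac_address": {
+"type": "keyword"
+},
+"netbios": {
+"type": "keyword"
 },
 "operating_system": {
 "type": "keyword"
@@ -170,18 +158,9 @@
 "protocol": {
 "type": "keyword"
 },
-"results": {
-"type": "text"
-},
 "risk_number": {
 "type": "integer"
 },
-"risk_score_name": {
-"type": "keyword"
-},
-"risk_score": {
-"type": "float"
-},
 "risk": {
 "type": "keyword"
 },
@@ -191,41 +170,32 @@
 "scan_name": {
 "type": "keyword"
 },
-"scan_reference": {
+"scan_source": {
 "type": "keyword"
 },
-"see_also": {
+"severity": {
 "type": "keyword"
 },
 "solution": {
 "type": "keyword"
 },
-"source": {
+"ssl": {
 "type": "keyword"
 },
-"ssl": {
+"state": {
 "type": "keyword"
 },
 "synopsis": {
 "type": "keyword"
 },
-"system_type": {
-"type": "keyword"
-},
 "tags": {
 "type": "keyword"
 },
-"threat": {
-"type": "text"
-},
 "type": {
 "type": "keyword"
 },
 "vendor_reference": {
 "type": "keyword"
-},
-"vulnerability_state": {
-"type": "keyword"
 }
 }
 }
 }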
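Review bot: The template drops the explicit mappings for `assign_ip`, `impact`, `ip_status`, `results`, `risk_score`, `see_also`, `threat`, `vulnerability_state` and others, but the `doc` mapping still sets no `dynamic` mode, so any of those fields that the pipeline still emits would be dynamically mapped with whatever type the first document implies, silently diverging from the old `text`/`ip`/`float` mappings. If only the normalised fields are meant to reach the index, add `"dynamic": "strict"` (or `"dynamic": false`) alongside `"properties"` so stray fields are rejected or ignored rather than guessed; otherwise confirm that the Logstash filters now remove them. The new `version` field is plain metadata on the template, so document the convention for bumping it (the value reads as a date plus a sequence number) so later edits keep it monotonic.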


@ -29,13 +29,13 @@ done
green "✅ Elasticsearch status is green..." green "✅ Elasticsearch status is green..."
count=0 count=0
until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1236 ]]; do until [[ $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; do
yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1236 (attempt $count of 60)" yellow "Waiting for Logstash load to finish... $(curl -s "$logstash_url/_node/stats" | jq '.events.out') of 1232 (attempt $count of 60)"
((count++)) && ((count==60)) && break ((count++)) && ((count==60)) && break
sleep 5 sleep 5
done done
if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1236 ]]; then if [[ count -le 60 && $(curl -s "$logstash_url/_node/stats" | jq '.events.out') -ge 1232 ]]; then
green "✅ Logstash load finished..." green "✅ Logstash load finished..."
else else
red "❌ Logstash load didn't complete... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')" red "❌ Logstash load didn't complete... $(curl -s "$logstash_url/_node/stats" | jq '.events.out')"
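Review bot: The expected Logstash event count is a bare literal repeated in the `until` condition, the progress message and the `if` check of this hunk, and again at the document-count check in the next hunk; this commit had to edit every copy to move it from 1236 to 1232. Hoist it into one `readonly expected_events=1232` near the top of the script and use `$expected_events` in each place so the next fixture change is a one-line edit. The `count -le 60` half of the `if` condition is always true because the loop itself breaks at `count==60`, so the outcome rests entirely on a fourth `curl | jq` round-trip; capture the value once, `events_out=$(curl -s "$logstash_url/_node/stats" | jq '.events.out')`, and test that variable instead. The `if` block opened in this hunk closes outside it.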
@ -49,7 +49,7 @@ until [[ $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" |
sleep 2 sleep 2
done done
if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') -ge 1232 ]]; then if [[ count -le 50 && $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') -ge 1232 ]]; then
green "✅ logstash-vulnwhisperer-2019.03 document count >= 1232" green "✅ logstash-vulnwhisperer-2019.03 document count $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq '.count') >= 1232"
else else
red "❌ TIMED OUT waiting for logstash-vulnwhisperer-2019.03 document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq) != 1232" red "❌ TIMED OUT waiting for logstash-vulnwhisperer-2019.03 document count: $(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_count" | jq) != 1232"
fi fi
@ -63,10 +63,10 @@ fi
# Test Nessus plugin_name:Backported Security Patch Detection (FTP) # Test Nessus plugin_name:Backported Security Patch Detection (FTP)
nessus_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:nessus" | jq '.hits.hits[]._source') nessus_doc=$(curl -s "$elasticsearch_url/logstash-vulnwhisperer-2019.03/_search?q=plugin_name:%22Backported%20Security%20Patch%20Detection%20(FTP)%22%20AND%20asset:176.28.50.164%20AND%20tags:nessus" | jq '.hits.hits[]._source')
if echo $nessus_doc | jq '.risk' | grep -q "None"; then if echo $nessus_doc | jq '.risk' | grep -q "none"; then
green "✅ Passed: Nessus risk == None" green "✅ Passed: Nessus risk == none"
else else
red "❌ Failed: Nessus risk == None was: $(echo $nessus_doc | jq '.risk') instead" red "❌ Failed: Nessus risk == none was: $(echo $nessus_doc | jq '.risk') instead"
((return_code = return_code + 1)) ((return_code = return_code + 1))
fi fi
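Review bot: The `.risk` test on the new side still uses `grep -q "none"`, a substring match on the raw jq output, so any value containing `none` passes, and the same pattern at the `.cvss` check in the last hunk is looser still because the unanchored `'5.6'` treats `.` as any character and also matches `15.6` or `5.65`. Compare the extracted value exactly instead: `if [[ "$(jq -r '.risk' <<<"$nessus_doc")" == "none" ]]; then` here, and `[[ "$(jq -r '.cvss' <<<"$qualys_vuln_doc")" == "5.6" ]]` for the cvss test. Feeding `$nessus_doc` unquoted through `echo` also subjects the JSON to word-splitting and glob expansion; the here-string form avoids both and saves a process per check.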
@ -99,10 +99,10 @@ else
fi fi
# Test @XXXX # Test @XXXX
if echo $qualys_vuln_doc | jq '.cvss' | grep -q '6.8'; then if echo $qualys_vuln_doc | jq '.cvss' | grep -q '5.6'; then
green "✅ Passed: Qualys VM cvss == 6.8" green "✅ Passed: Qualys VM cvss == 5.6"
else else
red "❌ Failed: Qualys VM cvss == 6.8 was: $(echo $qualys_vuln_doc | jq '.cvss') instead" red "❌ Failed: Qualys VM cvss == 5.6 was: $(echo $qualys_vuln_doc | jq '.cvss') instead"
((return_code = return_code + 1)) ((return_code = return_code + 1))
fi fi