Add logstash config for local file pickup

logstash/1000_nessus_process_file.conf

@@ -0,0 +1,136 @@
+# Author: Austin Taylor and Justin Henderson
+# Email: email@austintaylor.io
+# Last Update: 08/04/2017
+# Version 0.2
+# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
+
+input {
+  file {
+    path => "/opt/vulnwhisp/scans/My Scans/*"
+    start_position => "beginning"
+    tags => "nessus"
+    type => "nessus"
+  }
+}
+
+filter {
+  if "nessus" in [tags]{
+    mutate {
+      gsub => [
+        "message", "\|\|\|", " ",
+        "message", "\t\t", " ",
+        "message", "    ", " ",
+        "message", "   ", " ",
+        "message", "  ", " "
+      ]
+    }
+
+    csv {
+      columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
+      separator => ","
+      source => "message"
+    }
+
+    grok {
+      match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" }
+      tag_on_failure => []
+    }
+
+    date {
+      match => [ "last_updated", "UNIX" ]
+      target => "@timestamp"
+      remove_field => ["last_updated"]
+    }
+
+    if [risk] == "None" {
+      mutate { add_field => { "risk_number" => 0 }}
+    }
+    if [risk] == "Low" {
+      mutate { add_field => { "risk_number" => 1 }}
+    }
+    if [risk] == "Medium" {
+      mutate { add_field => { "risk_number" => 2 }}
+    }
+    if [risk] == "High" {
+      mutate { add_field => { "risk_number" => 3 }}
+    }
+    if [risk] == "Critical" {
+      mutate { add_field => { "risk_number" => 4 }}
+    }
+    
+    if [cve] == "nan" {
+      mutate { remove_field => [ "cve" ] }
+    }
+    if [see_also] == "nan" {
+      mutate { remove_field => [ "see_also" ] }
+    }
+    if [description] == "nan" {
+      mutate { remove_field => [ "description" ] }
+    }
+    if [plugin_output] == "nan" {
+      mutate { remove_field => [ "plugin_output" ] }
+    }
+    if [synopsis] == "nan" {
+      mutate { remove_field => [ "synopsis" ] }
+    }
+
+    mutate {
+      remove_field => [ "message" ]
+      add_field => { "risk_score" => "%{cvss}" }
+    }
+    mutate {
+      convert => { "risk_score" => "float" }
+    }
+
+    # Compensating controls - adjust risk_score
+    # Adobe and Java are not allowed to run in browser unless whitelisted
+    # Therefore, lower score by dividing by 3 (score is subjective to risk)
+    if [risk_score] != 0 {
+      if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
+        ruby {
+          code => "event.set('risk_score', event.get('risk_score') / 3)"
+        }
+        mutate {
+          add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
+        }
+      }
+    }
+
+    # Add tags for reporting based on assets or criticality
+    if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
+      mutate {
+        add_tag => [ "critical_asset" ]
+      }
+    }
+    if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
+      mutate {
+        add_tag => [ "has_hipaa_data" ]
+      }
+    }
+    if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
+      mutate {
+        add_tag => [ "hipaa_asset" ]
+      }
+    }
+    if [host] =~ "^192\.168\.5\." {
+      mutate {
+        add_tag => [ "pci_asset" ]
+      }
+    }
+    if [host] =~ "^10\.0\.50\." {
+      mutate {
+        add_tag => [ "web_servers" ]
+      }
+    }
+  }
+}
+
+output {
+  if "nessus" in [tags] or [type] == "nessus" {
+    #stdout { codec => rubydebug }
+    elasticsearch {
+      hosts => [ "localhost:9200" ]
+      index => "logstash-nessus-%{+YYYY.MM}"
+    }
+  }
+}