Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Allow for any directories to be monitored

Browse Source
This commit is contained in:
Austin Taylor
2017-12-20 03:00:04 -05:00
committed by GitHub
parent 16369f0e40
commit a9a21c2e90
1 changed files with 41 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

79
logstash/1000_nessus_process_file.conf
View File

@ -1,12 +1,12 @@
# Author: Austin Taylor and Justin Henderson # Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io # Email: email@austintaylor.io
# Last Update: 08/04/2017 # Last Update: 12/20/2017
# Version 0.2 # Version 0.3
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash # Description: Take in nessus reports from vulnWhisperer and pumps into logstash
input { input {
file { file {
path => "/opt/vulnwhisp/scans/My Scans/*" path => "/opt/vulnwhisp/scans/**/*"
start_position => "beginning" start_position => "beginning"
tags => "nessus" tags => "nessus"
type => "nessus" type => "nessus"
@ -85,43 +85,46 @@ filter {
# Compensating controls - adjust risk_score # Compensating controls - adjust risk_score
# Adobe and Java are not allowed to run in browser unless whitelisted # Adobe and Java are not allowed to run in browser unless whitelisted
# Therefore, lower score by dividing by 3 (score is subjective to risk) # Therefore, lower score by dividing by 3 (score is subjective to risk)
if [risk_score] != 0 {
if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { #Modify and uncomment when ready to use
ruby { #if [risk_score] != 0 {
code => "event.set('risk_score', event.get('risk_score') / 3)" # if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
} # ruby {
mutate { # code => "event.set('risk_score', event.get('risk_score') / 3)"
add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } # }
} # mutate {
} # add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
} # }
# }
#}
# Add tags for reporting based on assets or criticality # Add tags for reporting based on assets or criticality
if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
mutate { #if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
add_tag => [ "critical_asset" ] # mutate {
} # add_tag => [ "critical_asset" ]
} # }
if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ #}
mutate { #if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
add_tag => [ "has_hipaa_data" ] # mutate {
} # add_tag => [ "has_hipaa_data" ]
} # }
if [host] =~ "^192\.168\.[45][0-9][0-9]\." { #}
mutate { #if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
add_tag => [ "hipaa_asset" ] # mutate {
} # add_tag => [ "hipaa_asset" ]
} # }
if [host] =~ "^192\.168\.5\." { #}
mutate { #if [host] =~ "^192\.168\.5\." {
add_tag => [ "pci_asset" ] # mutate {
} # add_tag => [ "pci_asset" ]
} # }
if [host] =~ "^10\.0\.50\." { #}
mutate { #if [host] =~ "^10\.0\.50\." {
add_tag => [ "web_servers" ] # mutate {
} # add_tag => [ "web_servers" ]
} # }
#}
} }
} }