Allow for any directories to be monitored
This commit is contained in:
Austin Taylor
@ -1,12 +1,12 @@
|
||||
# Author: Austin Taylor and Justin Henderson
|
||||
# Email: email@austintaylor.io
|
||||
# Last Update: 08/04/2017
|
||||
# Version 0.2
|
||||
# Last Update: 12/20/2017
|
||||
# Version 0.3
|
||||
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
|
||||
|
||||
input {
|
||||
file {
|
||||
path => "/opt/vulnwhisp/scans/My Scans/*"
|
||||
path => "/opt/vulnwhisp/scans/**/*"
|
||||
start_position => "beginning"
|
||||
tags => "nessus"
|
||||
type => "nessus"
|
||||
@ -85,43 +85,46 @@ filter {
|
||||
# Compensating controls - adjust risk_score
|
||||
# Adobe and Java are not allowed to run in browser unless whitelisted
|
||||
# Therefore, lower score by dividing by 3 (score is subjective to risk)
|
||||
if [risk_score] != 0 {
|
||||
if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
|
||||
ruby {
|
||||
code => "event.set('risk_score', event.get('risk_score') / 3)"
|
||||
}
|
||||
mutate {
|
||||
add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
#Modify and uncomment when ready to use
|
||||
#if [risk_score] != 0 {
|
||||
# if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
|
||||
# ruby {
|
||||
# code => "event.set('risk_score', event.get('risk_score') / 3)"
|
||||
# }
|
||||
# mutate {
|
||||
# add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
|
||||
# }
|
||||
# }
|
||||
#}
|
||||
|
||||
# Add tags for reporting based on assets or criticality
|
||||
if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
|
||||
mutate {
|
||||
add_tag => [ "critical_asset" ]
|
||||
}
|
||||
}
|
||||
if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
|
||||
mutate {
|
||||
add_tag => [ "has_hipaa_data" ]
|
||||
}
|
||||
}
|
||||
if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
|
||||
mutate {
|
||||
add_tag => [ "hipaa_asset" ]
|
||||
}
|
||||
}
|
||||
if [host] =~ "^192\.168\.5\." {
|
||||
mutate {
|
||||
add_tag => [ "pci_asset" ]
|
||||
}
|
||||
}
|
||||
if [host] =~ "^10\.0\.50\." {
|
||||
mutate {
|
||||
add_tag => [ "web_servers" ]
|
||||
}
|
||||
}
|
||||
|
||||
#if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
|
||||
# mutate {
|
||||
# add_tag => [ "critical_asset" ]
|
||||
# }
|
||||
#}
|
||||
#if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
|
||||
# mutate {
|
||||
# add_tag => [ "has_hipaa_data" ]
|
||||
# }
|
||||
#}
|
||||
#if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
|
||||
# mutate {
|
||||
# add_tag => [ "hipaa_asset" ]
|
||||
# }
|
||||
#}
|
||||
#if [host] =~ "^192\.168\.5\." {
|
||||
# mutate {
|
||||
# add_tag => [ "pci_asset" ]
|
||||
# }
|
||||
#}
|
||||
#if [host] =~ "^10\.0\.50\." {
|
||||
# mutate {
|
||||
# add_tag => [ "web_servers" ]
|
||||
# }
|
||||
#}
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user