From ca5500add41d8cd8215400ee644d1d5c392b2abd Mon Sep 17 00:00:00 2001
From: pemontto
Date: Mon, 15 Apr 2019 22:02:33 +1000
Subject: [PATCH] cvss mapping moved to vulnwhisperer

---
 .../pipeline/1000_nessus_process_file.conf | 26 -------------
 .../elk6/pipeline/2000_qualys_web_scans.conf | 26 -------------
 resources/elk6/pipeline/3000_openvas.conf | 39 -------------------
 3 files changed, 91 deletions(-)

diff --git a/resources/elk6/pipeline/1000_nessus_process_file.conf b/resources/elk6/pipeline/1000_nessus_process_file.conf
index 335dd20..f22ade4 100644
--- a/resources/elk6/pipeline/1000_nessus_process_file.conf
+++ b/resources/elk6/pipeline/1000_nessus_process_file.conf
@@ -52,32 +52,6 @@ filter {
 convert => { "risk_number" => "integer"}
 convert => { "total_times_detected" => "integer"}
 }
 
-
- if [cvss] == 0 {
- mutate {
- add_field => { "cvss_severity" => "info" }
- }
- }
- if [cvss] > 0 and [cvss] < 3 {
- mutate {
- add_field => { "cvss_severity" => "low" }
- }
- }
- if [cvss] >= 3 and [cvss] < 6 {
- mutate {
- add_field => { "cvss_severity" => "medium" }
- }
- }
- if [cvss] >=6 and [cvss] < 9 {
- mutate {
- add_field => { "cvss_severity" => "high" }
- }
- }
- if [cvss] >= 9 {
- mutate {
- add_field => { "cvss_severity" => "critical" }
- }
- }
 }
 }
diff --git a/resources/elk6/pipeline/2000_qualys_web_scans.conf b/resources/elk6/pipeline/2000_qualys_web_scans.conf
index 6a4e11f..02fe101 100644
--- a/resources/elk6/pipeline/2000_qualys_web_scans.conf
+++ b/resources/elk6/pipeline/2000_qualys_web_scans.conf
@@ -49,32 +49,6 @@ filter {
 convert => { "total_times_detected" => "integer"}
 }
 
- if [cvss] == 0 {
- mutate {
- add_field => { "cvss_severity" => "info" }
- }
- }
- if [cvss] > 0 and [cvss] < 3 {
- mutate {
- add_field => { "cvss_severity" => "low" }
- }
- }
- if [cvss] >= 3 and [cvss] < 6 {
- mutate {
- add_field => { "cvss_severity" => "medium" }
- }
- }
- if [cvss] >=6 and [cvss] < 9 {
- mutate {
- add_field => { "cvss_severity" => "high" }
- }
- }
- if [cvss] >= 9 {
- mutate {
- add_field => { "cvss_severity" => "critical" }
- }
- }
-
 if [first_time_detected] {
 date {
 match => [ "first_time_detected", "dd MMM yyyy HH:mma 'GMT'ZZ", "dd MMM yyyy HH:mma 'GMT'" ]
diff --git a/resources/elk6/pipeline/3000_openvas.conf b/resources/elk6/pipeline/3000_openvas.conf
index 97b91ea..5a3b7d3 100644
--- a/resources/elk6/pipeline/3000_openvas.conf
+++ b/resources/elk6/pipeline/3000_openvas.conf
@@ -106,51 +106,12 @@ filter {
 convert => { "total_times_detected" => "integer"}
 }
 
- if [cvss] == 0 {
- mutate {
- add_field => { "cvss_severity" => "info" }
- }
- }
- if [cvss] > 0 and [cvss] < 3 {
- mutate {
- add_field => { "cvss_severity" => "low" }
- }
- }
- if [cvss] >= 3 and [cvss] < 6 {
- mutate {
- add_field => { "cvss_severity" => "medium" }
- }
- }
- if [cvss] >=6 and [cvss] < 9 {
- mutate {
- add_field => { "cvss_severity" => "high" }
- }
- }
- if [cvss] >= 9 {
- mutate {
- add_field => { "cvss_severity" => "critical" }
- }
- }
-
 # Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break.
 if [asset] =~ "^10\.0\.100\." {
 mutate {
 add_tag => [ "critical_asset" ]
 }
 }
- mutate {
- convert => { "plugin_id" => "integer"}
- convert => { "id" => "integer"}
- convert => { "risk_number" => "integer"}
- convert => { "risk_score" => "float"}
- convert => { "total_times_detected" => "integer"}
- convert => { "cvss" => "float"}
- convert => { "cvss_base" => "float"}
- convert => { "cvss_temporal" => "float"}
- convert => { "cvss3" => "float"}
- convert => { "cvss3_base" => "float"}
- convert => { "cvss3_temporal" => "float"}
- }
 }
 }
 output {
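Review bot: The second removed block in this hunk (the trailing `mutate { convert => ... }`) also drops the float conversion of cvss, cvss_base, cvss_temporal, cvss3, cvss3_base and cvss3_temporal, which goes beyond the severity mapping the commit title describes. The mutate that survives above the hunk shows only its last two convert lines as context, so from here it is not possible to tell whether it already converts those CVSS fields; if it does not, and the upstream source delivers them as strings, numeric range filters and sorts on CVSS in the dashboards (the basis for severity triage this pipeline feeds) will mis-order lexically (e.g. "10.0" before "9.0"). Please confirm the earlier mutate or the vulnwhisperer side guarantees numeric CVSS values, or keep lines such as `convert => { "cvss" => "float"}` and `convert => { "cvss3" => "float"}` in the surviving mutate. The enclosing filter block begins before this hunk.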