Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move to a common normalisation function

Browse Source
This commit is contained in:
pemontto
2019-04-15 21:12:07 +10:00
parent dd66414fe7
commit ee327874e5
6 changed files with 102 additions and 123 deletions
Download Patch File Download Diff File Expand all files Collapse all files

41
resources/elk6/pipeline/1000_nessus_process_file.conf
View File

@ -40,59 +40,42 @@ filter {
tag_on_failure => []
}
translate {
field => "[risk]"
destination => "[risk_number]"
dictionary => {
"None" => 0
"Low" => 1
"Medium" => 2
"High" => 3
"Critical" => 4
}
}
mutate {
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "cvss" => "float"}
convert => { "cvss_base" => "float"}
convert => { "cvss_temporal" => "float"}
convert => { "cvss" => "float"}
convert => { "cvss3" => "float"}
convert => { "cvss3_base" => "float"}
convert => { "cvss3_temporal" => "float"}
convert => { "cvss3" => "float"}
convert => { "id" => "integer"}
convert => { "plugin_id" => "integer"}
convert => { "risk_number" => "integer"}
convert => { "risk_score" => "float"}
convert => { "total_times_detected" => "integer"}
}
if [risk_score] == 0 {
if [cvss] == 0 {
mutate {
add_field => { "risk_score_name" => "info" }
add_field => { "cvss_severity" => "info" }
}
}
if [risk_score] > 0 and [risk_score] < 3 {
if [cvss] > 0 and [cvss] < 3 {
mutate {
add_field => { "risk_score_name" => "low" }
add_field => { "cvss_severity" => "low" }
}
}
if [risk_score] >= 3 and [risk_score] < 6 {
if [cvss] >= 3 and [cvss] < 6 {
mutate {
add_field => { "risk_score_name" => "medium" }
add_field => { "cvss_severity" => "medium" }
}
}
if [risk_score] >=6 and [risk_score] < 9 {
if [cvss] >=6 and [cvss] < 9 {
mutate {
add_field => { "risk_score_name" => "high" }
add_field => { "cvss_severity" => "high" }
}
}
if [risk_score] >= 9 {
if [cvss] >= 9 {
mutate {
add_field => { "risk_score_name" => "critical" }
add_field => { "cvss_severity" => "critical" }
}
}
}

41
resources/elk6/pipeline/2000_qualys_web_scans.conf
View File

@ -30,18 +30,6 @@ filter {
tag_on_failure => []
}
translate {
field => "[risk_number]"
destination => "[risk]"
dictionary => {
"0" => "Info"
"1" => "Low"
"2" => "Medium"
"3" => "High"
"4" => "Critical"
}
}
if "qualys_web" in [tags] {
mutate {
add_field => { "asset" => "%{web_application_name}" }
@ -49,46 +37,41 @@ filter {
}
mutate {
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "cvss" => "float"}
convert => { "cvss_base" => "float"}
convert => { "cvss_temporal" => "float"}
convert => { "cvss" => "float"}
convert => { "cvss3" => "float"}
convert => { "cvss3_base" => "float"}
convert => { "cvss3_temporal" => "float"}
convert => { "cvss3" => "float"}
convert => { "id" => "integer"}
convert => { "plugin_id" => "integer"}
convert => { "risk_number" => "integer"}
convert => { "risk_score" => "float"}
convert => { "total_times_detected" => "integer"}
}
if [risk_score] == 0 {
if [cvss] == 0 {
mutate {
add_field => { "risk_score_name" => "info" }
add_field => { "cvss_severity" => "info" }
}
}
if [risk_score] > 0 and [risk_score] < 3 {
if [cvss] > 0 and [cvss] < 3 {
mutate {
add_field => { "risk_score_name" => "low" }
add_field => { "cvss_severity" => "low" }
}
}
if [risk_score] >= 3 and [risk_score] < 6 {
if [cvss] >= 3 and [cvss] < 6 {
mutate {
add_field => { "risk_score_name" => "medium" }
add_field => { "cvss_severity" => "medium" }
}
}
if [risk_score] >=6 and [risk_score] < 9 {
if [cvss] >=6 and [cvss] < 9 {
mutate {
add_field => { "risk_score_name" => "high" }
add_field => { "cvss_severity" => "high" }
}
}
if [risk_score] >= 9 {
if [cvss] >= 9 {
mutate {
add_field => { "risk_score_name" => "critical" }
add_field => { "cvss_severity" => "critical" }
}
}

30
resources/elk6/pipeline/3000_openvas.conf
View File

@ -94,48 +94,44 @@ filter {
}
mutate {
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "cvss" => "float"}
convert => { "cvss_base" => "float"}
convert => { "cvss_temporal" => "float"}
convert => { "cvss" => "float"}
convert => { "cvss3" => "float"}
convert => { "cvss3_base" => "float"}
convert => { "cvss3_temporal" => "float"}
convert => { "cvss3" => "float"}
convert => { "id" => "integer"}
convert => { "plugin_id" => "integer"}
convert => { "risk_number" => "integer"}
convert => { "risk_score" => "float"}
convert => { "total_times_detected" => "integer"}
}
if [risk_score] == 0 {
if [cvss] == 0 {
mutate {
add_field => { "risk_score_name" => "info" }
add_field => { "cvss_severity" => "info" }
}
}
if [risk_score] > 0 and [risk_score] < 3 {
if [cvss] > 0 and [cvss] < 3 {
mutate {
add_field => { "risk_score_name" => "low" }
add_field => { "cvss_severity" => "low" }
}
}
if [risk_score] >= 3 and [risk_score] < 6 {
if [cvss] >= 3 and [cvss] < 6 {
mutate {
add_field => { "risk_score_name" => "medium" }
add_field => { "cvss_severity" => "medium" }
}
}
if [risk_score] >=6 and [risk_score] < 9 {
if [cvss] >=6 and [cvss] < 9 {
mutate {
add_field => { "risk_score_name" => "high" }
add_field => { "cvss_severity" => "high" }
}
}
if [risk_score] >= 9 {
if [cvss] >= 9 {
mutate {
add_field => { "risk_score_name" => "critical" }
add_field => { "cvss_severity" => "critical" }
}
}
# Add your critical assets by subnet or by hostname. Comment this field out if you don't want to tag any, but the asset panel will break.
if [asset] =~ "^10\.0\.100\." {
mutate {