# Author: Austin Taylor and Justin Henderson # Email: email@austintaylor.io # Last Update: 12/20/2017 # Version 0.3 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash input { file { path => "/opt/VulnWhisperer/data/nessus/**/*" mode => "read" start_position => "beginning" file_completed_action => "delete" tags => "nessus" } file { path => "/opt/VulnWhisperer/data/tenable/*.csv" mode => "read" start_position => "beginning" file_completed_action => "delete" tags => "tenable" } } filter { if "nessus" in [tags] or "tenable" in [tags] { # Drop the header column if [message] =~ "^Plugin ID" { drop {} } csv { # columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"] separator => "," source => "message" } ruby { code => "if event.get('description') event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) end if event.get('synopsis') event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) end if event.get('solution') event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) end if event.get('see_also') event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) end if event.get('plugin_output') event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr)) end" } #If using filebeats as your source, you will need to replace the "path" field to "source" # Remove when scan name is included in event (current method is error prone) grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } tag_on_failure => [] } # TODO remove when @timestamp is included in event date { match => [ "last_updated", "UNIX" ] target => "@timestamp" remove_field => ["last_updated"] } if [risk] == "None" { mutate { add_field => { "risk_number" => 0 }} } if [risk] == "Low" { mutate { add_field => { "risk_number" => 1 }} } if [risk] == "Medium" { mutate { add_field => { "risk_number" => 2 }} } if [risk] == "High" { mutate { add_field => { "risk_number" => 3 }} } if [risk] == "Critical" { mutate { add_field => { "risk_number" => 4 }} } if ![cve] or [cve] == "nan" { mutate { remove_field => [ "cve" ] } } if ![cvss] or [cvss] == "nan" { mutate { remove_field => [ "cvss" ] } } if ![cvss_base] or [cvss_base] == "nan" { mutate { remove_field => [ "cvss_base" ] } } if ![cvss_temporal] or [cvss_temporal] == "nan" { mutate { remove_field => [ "cvss_temporal" ] } } if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" { mutate { remove_field => [ "cvss_temporal_vector" ] } } if ![cvss_vector] or [cvss_vector] == "nan" { mutate { remove_field => [ "cvss_vector" ] } } if ![cvss3_base] or [cvss3_base] == "nan" { mutate { remove_field => [ "cvss3_base" ] } } if ![cvss3_temporal] or [cvss3_temporal] == "nan" { mutate { remove_field => [ "cvss3_temporal" ] } } if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" { mutate { remove_field => [ "cvss3_temporal_vector" ] } } if ![description] or [description] == "nan" { mutate { remove_field => [ "description" ] } } if ![mac_address] or [mac_address] == "nan" { mutate { remove_field => [ "mac_address" ] } } if ![netbios] or [netbios] == "nan" { mutate { remove_field => [ "netbios" ] } } if ![operating_system] or [operating_system] == "nan" { mutate { remove_field => [ "operating_system" ] } } if ![plugin_output] or [plugin_output] == "nan" { mutate { remove_field => [ "plugin_output" ] } } if ![see_also] or [see_also] == "nan" { mutate { remove_field => [ "see_also" ] } } if ![synopsis] or [synopsis] == "nan" { mutate { remove_field => [ "synopsis" ] } } if ![system_type] or [system_type] == "nan" { mutate { remove_field => [ "system_type" ] } } mutate { remove_field => [ "message" ] add_field => { "risk_score" => "%{cvss}" } } mutate { convert => { "risk_score" => "float" } } if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } } } if [risk_score] > 0 and [risk_score] < 3 { mutate { add_field => { "risk_score_name" => "low" } } } if [risk_score] >= 3 and [risk_score] < 6 { mutate { add_field => { "risk_score_name" => "medium" } } } if [risk_score] >=6 and [risk_score] < 9 { mutate { add_field => { "risk_score_name" => "high" } } } if [risk_score] >= 9 { mutate { add_field => { "risk_score_name" => "critical" } } } } } output { if "nessus" in [tags] or "tenable" in [tags]{ stdout { codec => dots } elasticsearch { hosts => [ "elasticsearch:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" } } }