# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 12/20/2017
# Version 0.3
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash

input {
  file {
    path => "/opt/vulnwhisp/nessus/**/*"
    start_position => "beginning"
    tags => "nessus"
    type => "nessus"
  }
}

filter {
  if "nessus" in [tags]{
    mutate {
      gsub => [
        "message", "\|\|\|", " ",
        "message", "\t\t", " ",
        "message", "    ", " ",
        "message", "   ", " ",
        "message", "  ", " "
      ]
    }

    csv {
      columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
      separator => ","
      source => "message"
    }

    grok {
      match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" }
      tag_on_failure => []
    }

    date {
      match => [ "last_updated", "UNIX" ]
      target => "@timestamp"
      remove_field => ["last_updated"]
    }

    if [risk] == "None" {
      mutate { add_field => { "risk_number" => 0 }}
    }
    if [risk] == "Low" {
      mutate { add_field => { "risk_number" => 1 }}
    }
    if [risk] == "Medium" {
      mutate { add_field => { "risk_number" => 2 }}
    }
    if [risk] == "High" {
      mutate { add_field => { "risk_number" => 3 }}
    }
    if [risk] == "Critical" {
      mutate { add_field => { "risk_number" => 4 }}
    }
    
    if [cve] == "nan" {
      mutate { remove_field => [ "cve" ] }
    }
    if [see_also] == "nan" {
      mutate { remove_field => [ "see_also" ] }
    }
    if [description] == "nan" {
      mutate { remove_field => [ "description" ] }
    }
    if [plugin_output] == "nan" {
      mutate { remove_field => [ "plugin_output" ] }
    }
    if [synopsis] == "nan" {
      mutate { remove_field => [ "synopsis" ] }
    }

    mutate {
      remove_field => [ "message" ]
      add_field => { "risk_score" => "%{cvss}" }
    }
    mutate {
      convert => { "risk_score" => "float" }
    }

    # Compensating controls - adjust risk_score
    # Adobe and Java are not allowed to run in browser unless whitelisted
    # Therefore, lower score by dividing by 3 (score is subjective to risk)
    
    #Modify and uncomment when ready to use
    #if [risk_score] != 0 {
    #  if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
    #    ruby {
    #      code => "event.set('risk_score', event.get('risk_score') / 3)"
    #    }
    #    mutate {
    #      add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
    #    }
    #  }
    #}

    # Add tags for reporting based on assets or criticality

    #if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
    #  mutate {
    #    add_tag => [ "critical_asset" ]
    #  }
    #}
    #if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
    #  mutate {
    #    add_tag => [ "has_hipaa_data" ]
    #  }
    #}
    #if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
    #  mutate {
    #    add_tag => [ "hipaa_asset" ]
    #  }
    #}
    #if [host] =~ "^192\.168\.5\." {
    #  mutate {
    #    add_tag => [ "pci_asset" ]
    #  }
    #}
    #if [host] =~ "^10\.0\.50\." {
    #  mutate {
    #    add_tag => [ "web_servers" ]
    #  }
    #}
  }
}

output {
  if "nessus" in [tags] or [type] == "nessus" {
    #stdout { codec => rubydebug }
    elasticsearch {
      hosts => [ "localhost:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }
}