# Author: Austin Taylor and Justin Henderson # Email: email@austintaylor.io # Last Update: 05/22/2017 # Version 0.2 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash #Replace "filebeathost" with the name of your computer input { beats { port => 5044 tags => "beats" } } filter { if [beat][hostname] == "filebeathost" { mutate { add_tag => ["nessus"] } } } filter { if "nessus" in [tags]{ mutate { gsub => [ "message", "\|\|\|", " ", "message", "\t\t", " ", "message", " ", " ", "message", " ", " ", "message", " ", " " ] } csv { columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] separator => "," source => "message" } grok { match => { "source" => "(?[\\\:a-z A-Z_]*\\)(?[a-z-0-9\.A-Z_\-]*)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}" } tag_on_failure => [] } date { match => [ "last_updated" , "UNIX" ] target => "@timestamp" remove_field => ["last_updated"] } if [risk] == "None" { mutate { add_field => { "risk_number" => 0 }} } if [risk] == "Low" { mutate { add_field => { "risk_number" => 1 }} } if [risk] == "Medium" { mutate { add_field => { "risk_number" => 2 }} } if [risk] == "High" { mutate { add_field => { "risk_number" => 3 }} } if [risk] == "Critical" { mutate { add_field => { "risk_number" => 4 }} } if [cve] == "nan" { mutate { remove_field => [ "cve" ] } } if [see_also] == "nan" { mutate { remove_field => [ "see_also" ] } } if [description] == "nan" { mutate { remove_field => [ "description" ] } } if [plugin_output] == "nan" { mutate { remove_field => [ "plugin_output" ] } } if [synopsis] == "nan" { mutate { remove_field => [ "synopsis" ] } } mutate { remove_field => [ "message" ] add_field => { "risk_score" => "%{cvss}" } } mutate { convert => { "risk_score" => "float" } } # Compensating controls - adjust risk_score # Adobe and Java are not allowed to run in browser unless whitelisted # Therefore, lower score by dividing by 3 (score is subjective to risk) if [risk_score] != 0 { if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { ruby { code => "event.set('risk_score', event.get('risk_score') / 3)" } mutate { add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } } } } # Add tags for reporting based on assets or criticality if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." { mutate { add_tag => [ "critical_asset" ] } } if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ mutate { add_tag => [ "has_hipaa_data" ] } } if [host] =~ "^192\.168\.[45][0-9][0-9]\." { mutate { add_tag => [ "hipaa_asset" ] } } if [host] =~ "^192\.168\.5\." { mutate { add_tag => [ "pci_asset" ] } if [host] =~ "^10\.0\.50\." { mutate { add_tag => [ "web_servers" ] } } } } } output { if "nessus" in [tags] or [type] == "nessus" { #stdout { codec => rubydebug } elasticsearch { hosts => [ "localhost" ] index => "logstash-nessus-%{+YYYY.MM}" } } }