# Author: Austin Taylor and Justin Henderson # Email: email@austintaylor.io # Last Update: 12/20/2017 # Version 0.3 # Description: Take in nessus reports from vulnWhisperer and pumps into logstash input { file { path => "/opt/vulnwhisperer/nessus/**/*" start_position => "beginning" tags => "nessus" type => "nessus" } } filter { if "nessus" in [tags]{ # Drop the header column if [message] =~ "^Plugin ID" { drop {} } mutate { gsub => [ "message", "\|\|\|", " ", "message", "\t\t", " ", "message", " ", " ", "message", " ", " ", "message", " ", " " ] } csv { columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"] separator => "," source => "message" } grok { match => { "path" => "(?[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" } tag_on_failure => [] } date { match => [ "last_updated", "UNIX" ] target => "@timestamp" remove_field => ["last_updated"] } if [risk] == "None" { mutate { add_field => { "risk_number" => 0 }} } if [risk] == "Low" { mutate { add_field => { "risk_number" => 1 }} } if [risk] == "Medium" { mutate { add_field => { "risk_number" => 2 }} } if [risk] == "High" { mutate { add_field => { "risk_number" => 3 }} } if [risk] == "Critical" { mutate { add_field => { "risk_number" => 4 }} } if [cve] == "nan" { mutate { remove_field => [ "cve" ] } } if [cvss] == "nan" { mutate { remove_field => [ "cvss" ] } } if [see_also] == "nan" { mutate { remove_field => [ "see_also" ] } } if [description] == "nan" { mutate { remove_field => [ "description" ] } } if [plugin_output] == "nan" { mutate { remove_field => [ "plugin_output" ] } } if [synopsis] == "nan" { mutate { remove_field => [ "synopsis" ] } } mutate { remove_field => [ "message" ] add_field => { "risk_score" => "%{cvss}" } } mutate { convert => { "risk_score" => "float" } } if [risk_score] == 0 { mutate { add_field => { "risk_score_name" => "info" } } } if [risk_score] > 0 and [risk_score] < 3 { mutate { add_field => { "risk_score_name" => "low" } } } if [risk_score] >= 3 and [risk_score] < 6 { mutate { add_field => { "risk_score_name" => "medium" } } } if [risk_score] >=6 and [risk_score] < 9 { mutate { add_field => { "risk_score_name" => "high" } } } if [risk_score] >= 9 { mutate { add_field => { "risk_score_name" => "critical" } } } # Compensating controls - adjust risk_score # Adobe and Java are not allowed to run in browser unless whitelisted # Therefore, lower score by dividing by 3 (score is subjective to risk) #Modify and uncomment when ready to use #if [risk_score] != 0 { # if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 { # ruby { # code => "event.set('risk_score', event.get('risk_score') / 3)" # } # mutate { # add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." } # } # } #} # Add tags for reporting based on assets or criticality if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." { mutate { add_tag => [ "critical_asset" ] } } #if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{ # mutate { # add_tag => [ "has_hipaa_data" ] # } #} #if [asset] =~ "^192\.168\.[45][0-9][0-9]\." { # mutate { # add_tag => [ "hipaa_asset" ] # } #} if [asset] =~ "^hr" { mutate { add_tag => [ "pci_asset" ] } } #if [asset] =~ "^10\.0\.50\." { # mutate { # add_tag => [ "web_servers" ] # } #} } } output { if "nessus" in [tags] or [type] == "nessus" { #stdout { codec => rubydebug } elasticsearch { hosts => [ "localhost:9200" ] index => "logstash-vulnwhisperer-%{+YYYY.MM}" } } }