Cyberdefense/VulnWhisperer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
10f88097230a9444320382a4c22a952e56bdfd18
VulnWhisperer/logstash/1000_nessus_preprocess_nessus.conf
Austin Taylor fedbb18bb2 Visualizations for elastic 5.5+
2017-10-06 15:35:59 -04:00

142 lines
3.8 KiB
Plaintext
Executable File
Raw Blame History

# Author: Austin Taylor and Justin Henderson
# Email: email@austintaylor.io
# Last Update: 05/22/2017
# Version 0.2
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
#Replace "filebeathost" with the name of your computer
input {
beats {
port => 5044
tags => "beats"
}
}
filter {
if [beat][hostname] == "filebeathost" {
mutate {
add_tag => ["nessus"]
}
}
}
filter {
if "nessus" in [tags]{
mutate {
gsub => [
"message", "\|\|\|", " ",
"message", "\t\t", " ",
"message", " ", " ",
"message", " ", " ",
"message", " ", " "
]
}
csv {
columns => ["plugin_id", "cve", "cvss", "risk", "host", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
separator => ","
source => "message"
}
grok {
match => { "source" => "(?<file_path>[\\\:a-z A-Z_]*\\)(?<scan_name>[a-z-0-9\.A-Z_\-]*)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}" }
tag_on_failure => []
}
date {
match => [ "last_updated" , "UNIX" ]
target => "@timestamp"
remove_field => ["last_updated"]
}
if [risk] == "None" {
mutate { add_field => { "risk_number" => 0 }}
}
if [risk] == "Low" {
mutate { add_field => { "risk_number" => 1 }}
}
if [risk] == "Medium" {
mutate { add_field => { "risk_number" => 2 }}
}
if [risk] == "High" {
mutate { add_field => { "risk_number" => 3 }}
}
if [risk] == "Critical" {
mutate { add_field => { "risk_number" => 4 }}
}
if [cve] == "nan" {
mutate { remove_field => [ "cve" ] }
}
if [see_also] == "nan" {
mutate { remove_field => [ "see_also" ] }
}
if [description] == "nan" {
mutate { remove_field => [ "description" ] }
}
if [plugin_output] == "nan" {
mutate { remove_field => [ "plugin_output" ] }
}
if [synopsis] == "nan" {
mutate { remove_field => [ "synopsis" ] }
}
mutate {
remove_field => [ "message" ]
add_field => { "risk_score" => "%{cvss}" }
}
mutate {
convert => { "risk_score" => "float" }
}
# Compensating controls - adjust risk_score
# Adobe and Java are not allowed to run in browser unless whitelisted
# Therefore, lower score by dividing by 3 (score is subjective to risk)
if [risk_score] != 0 {
if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
ruby {
code => "event.set('risk_score', event.get('risk_score') / 3)"
}
mutate {
add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
}
}
}
# Add tags for reporting based on assets or criticality
if [host] == "192.168.0.1" or [host] == "192.168.0.50" or [host] =~ "^192\.168\.10\." or [host] =~ "^42.42.42." {
mutate {
add_tag => [ "critical_asset" ]
}
}
if [host] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [host] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
mutate {
add_tag => [ "has_hipaa_data" ]
}
}
if [host] =~ "^192\.168\.[45][0-9][0-9]\." {
mutate {
add_tag => [ "hipaa_asset" ]
}
}
if [host] =~ "^192\.168\.5\." {
mutate {
add_tag => [ "pci_asset" ]
}
if [host] =~ "^10\.0\.50\." {
mutate {
add_tag => [ "web_servers" ]
}
}
}
}
}
output {
if "nessus" in [tags] or [type] == "nessus" {
#stdout { codec => rubydebug }
elasticsearch {
hosts => [ "localhost" ]
index => "logstash-nessus-%{+YYYY.MM}"
}
}
}
Reference in New Issue View Git Blame Copy Permalink