196 lines
5.8 KiB
Plaintext
196 lines
5.8 KiB
Plaintext
# Author: Austin Taylor and Justin Henderson
|
|
# Email: email@austintaylor.io
|
|
# Last Update: 12/20/2017
|
|
# Version 0.3
|
|
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
|
|
|
|
|
|
input {
|
|
file {
|
|
path => "/opt/VulnWhisperer/data/nessus/**/*.json"
|
|
start_position => "beginning"
|
|
tags => "nessus"
|
|
type => "nessus"
|
|
codec => json
|
|
}
|
|
file {
|
|
path => "/opt/VulnWhisperer/data/tenable/*.json"
|
|
start_position => "beginning"
|
|
tags => "nessus"
|
|
type => "nessus"
|
|
codec => json
|
|
}
|
|
}
|
|
|
|
filter {
|
|
if "nessus" in [tags] or "tenable" in [tags] {
|
|
|
|
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
|
grok {
|
|
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.(csv|json)$" }
|
|
tag_on_failure => []
|
|
}
|
|
|
|
date {
|
|
match => [ "last_updated", "UNIX" ]
|
|
target => "@timestamp"
|
|
remove_field => ["last_updated"]
|
|
}
|
|
|
|
if [risk] == "None" {
|
|
mutate { add_field => { "risk_number" => 0 }}
|
|
}
|
|
if [risk] == "Low" {
|
|
mutate { add_field => { "risk_number" => 1 }}
|
|
}
|
|
if [risk] == "Medium" {
|
|
mutate { add_field => { "risk_number" => 2 }}
|
|
}
|
|
if [risk] == "High" {
|
|
mutate { add_field => { "risk_number" => 3 }}
|
|
}
|
|
if [risk] == "Critical" {
|
|
mutate { add_field => { "risk_number" => 4 }}
|
|
}
|
|
|
|
if ![cve] or [cve] == "nan" {
|
|
mutate { remove_field => [ "cve" ] }
|
|
}
|
|
if ![cvss] or [cvss] == "nan" {
|
|
mutate { remove_field => [ "cvss" ] }
|
|
}
|
|
if ![cvss_base] or [cvss_base] == "nan" {
|
|
mutate { remove_field => [ "cvss_base" ] }
|
|
}
|
|
if ![cvss_temporal] or [cvss_temporal] == "nan" {
|
|
mutate { remove_field => [ "cvss_temporal" ] }
|
|
}
|
|
if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss_temporal_vector" ] }
|
|
}
|
|
if ![cvss_vector] or [cvss_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss_vector" ] }
|
|
}
|
|
if ![cvss3_base] or [cvss3_base] == "nan" {
|
|
mutate { remove_field => [ "cvss3_base" ] }
|
|
}
|
|
if ![cvss3_temporal] or [cvss3_temporal] == "nan" {
|
|
mutate { remove_field => [ "cvss3_temporal" ] }
|
|
}
|
|
if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss3_temporal_vector" ] }
|
|
}
|
|
if ![description] or [description] == "nan" {
|
|
mutate { remove_field => [ "description" ] }
|
|
}
|
|
if ![mac_address] or [mac_address] == "nan" {
|
|
mutate { remove_field => [ "mac_address" ] }
|
|
}
|
|
if ![netbios] or [netbios] == "nan" {
|
|
mutate { remove_field => [ "netbios" ] }
|
|
}
|
|
if ![operating_system] or [operating_system] == "nan" {
|
|
mutate { remove_field => [ "operating_system" ] }
|
|
}
|
|
if ![plugin_output] or [plugin_output] == "nan" {
|
|
mutate { remove_field => [ "plugin_output" ] }
|
|
}
|
|
if ![see_also] or [see_also] == "nan" {
|
|
mutate { remove_field => [ "see_also" ] }
|
|
}
|
|
if ![synopsis] or [synopsis] == "nan" {
|
|
mutate { remove_field => [ "synopsis" ] }
|
|
}
|
|
if ![system_type] or [system_type] == "nan" {
|
|
mutate { remove_field => [ "system_type" ] }
|
|
}
|
|
|
|
mutate {
|
|
remove_field => [ "message" ]
|
|
add_field => { "risk_score" => "%{cvss}" }
|
|
}
|
|
mutate {
|
|
convert => { "risk_score" => "float" }
|
|
}
|
|
if [risk_score] == 0 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "info" }
|
|
}
|
|
}
|
|
if [risk_score] > 0 and [risk_score] < 3 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "low" }
|
|
}
|
|
}
|
|
if [risk_score] >= 3 and [risk_score] < 6 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "medium" }
|
|
}
|
|
}
|
|
if [risk_score] >=6 and [risk_score] < 9 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "high" }
|
|
}
|
|
}
|
|
if [risk_score] >= 9 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "critical" }
|
|
}
|
|
}
|
|
|
|
# Compensating controls - adjust risk_score
|
|
# Adobe and Java are not allowed to run in browser unless whitelisted
|
|
# Therefore, lower score by dividing by 3 (score is subjective to risk)
|
|
|
|
#Modify and uncomment when ready to use
|
|
#if [risk_score] != 0 {
|
|
# if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
|
|
# ruby {
|
|
# code => "event.set('risk_score', event.get('risk_score') / 3)"
|
|
# }
|
|
# mutate {
|
|
# add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
|
|
# }
|
|
# }
|
|
#}
|
|
|
|
# Add tags for reporting based on assets or criticality
|
|
|
|
if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." {
|
|
mutate {
|
|
add_tag => [ "critical_asset" ]
|
|
}
|
|
}
|
|
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
|
|
# mutate {
|
|
# add_tag => [ "has_hipaa_data" ]
|
|
# }
|
|
#}
|
|
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\." {
|
|
# mutate {
|
|
# add_tag => [ "hipaa_asset" ]
|
|
# }
|
|
#}
|
|
if [asset] =~ "^hr" {
|
|
mutate {
|
|
add_tag => [ "pci_asset" ]
|
|
}
|
|
}
|
|
#if [asset] =~ "^10\.0\.50\." {
|
|
# mutate {
|
|
# add_tag => [ "web_servers" ]
|
|
# }
|
|
#}
|
|
}
|
|
}
|
|
|
|
output {
|
|
if "nessus" in [tags] or "tenable" in [tags] or [type] in [ "nessus", "tenable" ] {
|
|
# stdout { codec => rubydebug }
|
|
elasticsearch {
|
|
hosts => [ "localhost:9200" ]
|
|
index => "logstash-vulnwhisperer-%{+YYYY.MM}"
|
|
}
|
|
}
|
|
}
|