221 lines
7.4 KiB
Plaintext
221 lines
7.4 KiB
Plaintext
# Author: Austin Taylor and Justin Henderson
|
|
# Email: email@austintaylor.io
|
|
# Last Update: 12/20/2017
|
|
# Version 0.3
|
|
# Description: Take in nessus reports from vulnWhisperer and pumps into logstash
|
|
|
|
|
|
input {
|
|
file {
|
|
path => "/opt/vulnwhisperer/nessus/**/*"
|
|
start_position => "beginning"
|
|
tags => "nessus"
|
|
type => "nessus"
|
|
}
|
|
file {
|
|
path => "/opt/vulnwhisperer/tenable/*.csv"
|
|
start_position => "beginning"
|
|
tags => "tenable"
|
|
type => "tenable"
|
|
}
|
|
}
|
|
|
|
filter {
|
|
if "nessus" in [tags] or "tenable" in [tags] {
|
|
# Drop the header column
|
|
if [message] =~ "^Plugin ID" { drop {} }
|
|
|
|
csv {
|
|
# columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output"]
|
|
columns => ["plugin_id", "cve", "cvss", "risk", "asset", "protocol", "port", "plugin_name", "synopsis", "description", "solution", "see_also", "plugin_output", "asset_uuid", "vulnerability_state", "ip", "fqdn", "netbios", "operating_system", "mac_address", "plugin_family", "cvss_base", "cvss_temporal", "cvss_temporal_vector", "cvss_vector", "cvss3_base", "cvss3_temporal", "cvss3_temporal_vector", "cvss3_vector", "system_type", "host_start", "host_end"]
|
|
separator => ","
|
|
source => "message"
|
|
}
|
|
|
|
ruby {
|
|
code => "if event.get('description')
|
|
event.set('description', event.get('description').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
|
|
end
|
|
if event.get('synopsis')
|
|
event.set('synopsis', event.get('synopsis').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
|
|
end
|
|
if event.get('solution')
|
|
event.set('solution', event.get('solution').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
|
|
end
|
|
if event.get('see_also')
|
|
event.set('see_also', event.get('see_also').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
|
|
end
|
|
if event.get('plugin_output')
|
|
event.set('plugin_output', event.get('plugin_output').gsub(92.chr + 'n', 10.chr).gsub(92.chr + 'r', 13.chr))
|
|
end"
|
|
}
|
|
|
|
#If using filebeats as your source, you will need to replace the "path" field to "source"
|
|
grok {
|
|
match => { "path" => "(?<scan_name>[a-zA-Z0-9_.\-]+)_%{INT:scan_id}_%{INT:history_id}_%{INT:last_updated}.csv$" }
|
|
tag_on_failure => []
|
|
}
|
|
|
|
date {
|
|
match => [ "last_updated", "UNIX" ]
|
|
target => "@timestamp"
|
|
remove_field => ["last_updated"]
|
|
}
|
|
|
|
if [risk] == "None" {
|
|
mutate { add_field => { "risk_number" => 0 }}
|
|
}
|
|
if [risk] == "Low" {
|
|
mutate { add_field => { "risk_number" => 1 }}
|
|
}
|
|
if [risk] == "Medium" {
|
|
mutate { add_field => { "risk_number" => 2 }}
|
|
}
|
|
if [risk] == "High" {
|
|
mutate { add_field => { "risk_number" => 3 }}
|
|
}
|
|
if [risk] == "Critical" {
|
|
mutate { add_field => { "risk_number" => 4 }}
|
|
}
|
|
|
|
if ![cve] or [cve] == "nan" {
|
|
mutate { remove_field => [ "cve" ] }
|
|
}
|
|
if ![cvss] or [cvss] == "nan" {
|
|
mutate { remove_field => [ "cvss" ] }
|
|
}
|
|
if ![cvss_base] or [cvss_base] == "nan" {
|
|
mutate { remove_field => [ "cvss_base" ] }
|
|
}
|
|
if ![cvss_temporal] or [cvss_temporal] == "nan" {
|
|
mutate { remove_field => [ "cvss_temporal" ] }
|
|
}
|
|
if ![cvss_temporal_vector] or [cvss_temporal_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss_temporal_vector" ] }
|
|
}
|
|
if ![cvss_vector] or [cvss_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss_vector" ] }
|
|
}
|
|
if ![cvss3_base] or [cvss3_base] == "nan" {
|
|
mutate { remove_field => [ "cvss3_base" ] }
|
|
}
|
|
if ![cvss3_temporal] or [cvss3_temporal] == "nan" {
|
|
mutate { remove_field => [ "cvss3_temporal" ] }
|
|
}
|
|
if ![cvss3_temporal_vector] or [cvss3_temporal_vector] == "nan" {
|
|
mutate { remove_field => [ "cvss3_temporal_vector" ] }
|
|
}
|
|
if ![description] or [description] == "nan" {
|
|
mutate { remove_field => [ "description" ] }
|
|
}
|
|
if ![mac_address] or [mac_address] == "nan" {
|
|
mutate { remove_field => [ "mac_address" ] }
|
|
}
|
|
if ![netbios] or [netbios] == "nan" {
|
|
mutate { remove_field => [ "netbios" ] }
|
|
}
|
|
if ![operating_system] or [operating_system] == "nan" {
|
|
mutate { remove_field => [ "operating_system" ] }
|
|
}
|
|
if ![plugin_output] or [plugin_output] == "nan" {
|
|
mutate { remove_field => [ "plugin_output" ] }
|
|
}
|
|
if ![see_also] or [see_also] == "nan" {
|
|
mutate { remove_field => [ "see_also" ] }
|
|
}
|
|
if ![synopsis] or [synopsis] == "nan" {
|
|
mutate { remove_field => [ "synopsis" ] }
|
|
}
|
|
if ![system_type] or [system_type] == "nan" {
|
|
mutate { remove_field => [ "system_type" ] }
|
|
}
|
|
|
|
mutate {
|
|
remove_field => [ "message" ]
|
|
add_field => { "risk_score" => "%{cvss}" }
|
|
}
|
|
mutate {
|
|
convert => { "risk_score" => "float" }
|
|
}
|
|
if [risk_score] == 0 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "info" }
|
|
}
|
|
}
|
|
if [risk_score] > 0 and [risk_score] < 3 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "low" }
|
|
}
|
|
}
|
|
if [risk_score] >= 3 and [risk_score] < 6 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "medium" }
|
|
}
|
|
}
|
|
if [risk_score] >=6 and [risk_score] < 9 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "high" }
|
|
}
|
|
}
|
|
if [risk_score] >= 9 {
|
|
mutate {
|
|
add_field => { "risk_score_name" => "critical" }
|
|
}
|
|
}
|
|
|
|
# Compensating controls - adjust risk_score
|
|
# Adobe and Java are not allowed to run in browser unless whitelisted
|
|
# Therefore, lower score by dividing by 3 (score is subjective to risk)
|
|
|
|
#Modify and uncomment when ready to use
|
|
#if [risk_score] != 0 {
|
|
# if [plugin_name] =~ "Adobe" and [risk_score] > 6 or [plugin_name] =~ "Java" and [risk_score] > 6 {
|
|
# ruby {
|
|
# code => "event.set('risk_score', event.get('risk_score') / 3)"
|
|
# }
|
|
# mutate {
|
|
# add_field => { "compensating_control" => "Adobe and Flash removed from browsers unless whitelisted site." }
|
|
# }
|
|
# }
|
|
#}
|
|
|
|
# Add tags for reporting based on assets or criticality
|
|
|
|
if [asset] == "dc01" or [asset] == "dc02" or [asset] == "pki01" or [asset] == "192.168.0.54" or [asset] =~ "^192\.168\.0\." or [asset] =~ "^42.42.42." {
|
|
mutate {
|
|
add_tag => [ "critical_asset" ]
|
|
}
|
|
}
|
|
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\.1$" or [asset] =~ "^192.168\.[50]\.[0-9]{1,2}\.1$"{
|
|
# mutate {
|
|
# add_tag => [ "has_hipaa_data" ]
|
|
# }
|
|
#}
|
|
#if [asset] =~ "^192\.168\.[45][0-9][0-9]\." {
|
|
# mutate {
|
|
# add_tag => [ "hipaa_asset" ]
|
|
# }
|
|
#}
|
|
if [asset] =~ "^hr" {
|
|
mutate {
|
|
add_tag => [ "pci_asset" ]
|
|
}
|
|
}
|
|
#if [asset] =~ "^10\.0\.50\." {
|
|
# mutate {
|
|
# add_tag => [ "web_servers" ]
|
|
# }
|
|
#}
|
|
}
|
|
}
|
|
|
|
output {
|
|
if "nessus" in [tags] or "tenable" in [tags] or [type] in [ "nessus", "tenable" ] {
|
|
# stdout { codec => rubydebug }
|
|
elasticsearch {
|
|
hosts => [ "localhost:9200" ]
|
|
index => "logstash-vulnwhisperer-%{+YYYY.MM}"
|
|
}
|
|
}
|
|
}
|