Create actionable data from your vulnerability scans

VulnWhisperer is a vulnerability data and report aggregator. VulnWhisperer will pull all the reports and create a file with a unique filename which is then fed into logstash. Logstash extracts data from the filename and tags all of the information inside the report (see logstash_vulnwhisp.conf file). Data is then shipped to elasticsearch to be indexed.

• Nessus (v6 & v7)
• Qualys Web Applications
• Qualys Vulnerability Management
• OpenVAS
• Tenable.io
• Detectify
• Nexpose
• Insight VM
• NMAP
• Burp Suite
• OWASP ZAP
• More to come

• ELK
• Jira
• Splunk

1. Follow the install requirements
2. Fill out the section you want to process in example.ini file
3. Modify the IP settings in the logstash files to accomodate your environment and import them to your logstash conf directory (default is /etc/logstash/conf.d/)
4. Import the kibana visualizations
5. Run Vulnwhisperer

Need assistance or just want to chat? Join our slack channel

• ElasticStack 5.x
• Python 2.7
• Vulnerability Scanner
• Optional: Message broker such as Kafka or RabbitMQ

First install requirement dependencies

sudo apt-get install  zlib1g-dev libxml2-dev libxslt1-dev 

Then install requirements

pip install -r /path/to/VulnWhisperer/requirements.txt
cd /path/to/VulnWhisperer
python setup.py install

Now you're ready to pull down scans. (see run section)

The following instructions should be utilized as a Sample Guide in the absence of an existing ELK Cluster/Node. This will cover a Debian example install guide of a stand-alone node of Elasticsearch & Kibana.

While Logstash is included in this install guide, it it recommended that a seperate host pulling the VulnWhisperer data is utilized with Logstash to ship the data to the Elasticsearch node.

Please note there is a docker-compose.yml available as well.

Debian: (https://www.elastic.co/guide/en/elasticsearch/reference/5.6/deb.html)

sudo apt-get install -y default-jre
wget -qO - https://artifacts.elastic.co/GPG-KEY-elasticsearch | sudo apt-key add -
sudo apt-get install apt-transport-https
echo "deb https://artifacts.elastic.co/packages/5.x/apt stable main" | sudo tee -a /etc/apt/sources.list.d/elastic-5.x.list
sudo apt-get update && sudo apt-get install elasticsearch kibana logstash
sudo /bin/systemctl daemon-reload
sudo /bin/systemctl enable elasticsearch.service
sudo /bin/systemctl enable kibana.service
sudo /bin/systemctl enable logstash.service

Elasticsearch & Kibana Sample Config Notes

Utilizing your favorite text editor:

• Grab your host IP and change the IP of your /etc/elasticsearch/elasticsearch.yml file. (This defaults to 'localhost')
• Validate Elasticsearch is set to run on port 9200 (Default)
• Grab your host IP and change the IP of your /etc/kibana/kibana.yml file. (This defaults to 'localhost') Validate that Kibana is pointing to the correct Elasticsearch IP (This was set in the previous step)
• Validate Kibana is set to run on port 5601 (Default)

Start elasticsearch and validate they are running/communicating with one another:

sudo service elasticsearch start
sudo service kibana start

OR

sudo systemctl start elasticsearch.service
sudo systemctl start kibana.service

Logstash Sample Config Notes

• Copy/Move the Logstash .conf files from /VulnWhisperer/logstash/ to /etc/logstash/conf.d/
• Validate the Logstash.conf files input contains the correct location of VulnWhisper Scans in the input.file.path directory identified below:

input {
  file {
    path => "/opt/vulnwhisperer/nessus/**/*"
    start_position => "beginning"
    tags => "nessus"
    type => "nessus"
  }
}

• Validate the Logstash.conf files output contains the correct Elasticsearch IP set during the previous step above: (This will default to localhost)

output {
  if "nessus" in [tags] or [type] == "nessus" {
    #stdout { codec => rubydebug }
    elasticsearch {
      hosts => [ "localhost:9200" ]
      index => "logstash-vulnwhisperer-%{+YYYY.MM}"
    }
  }

• Validate logstash has the correct file permissions to read the location of the VulnWhisperer Scans

Once configured run Logstash: (Running Logstash as a service will pick up all the files in /etc/logstash/conf.d/ If you would like to run only one logstash file please reference the command below):

Logstash as a service:

sudo service logstash start

OR

sudo systemctl start logstash.service

Single Logstash file:

sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash/ -f /etc/logstash/conf.d/1000_nessus_process_file.conf

There are a few configuration steps to setting up VulnWhisperer:

• Configure Ini file
• Setup Logstash File
• Import ElasticSearch Templates
• Import Kibana Dashboards

frameworks_example.ini file

To run, fill out the configuration file with your vulnerability scanner settings. Then you can execute from the command line.

vuln_whisperer -c configs/frameworks_example.ini -s nessus
or
vuln_whisperer -c configs/frameworks_example.ini -s qualys

If no section is specified (e.g. -s nessus), vulnwhisperer will check on the config file for the modules that have the property enabled=true and run them sequentially.

The docker-compose file has been tested and running on a Ubuntu 18.04 environment, with docker-ce v.18.06. The structure's purpose is to store locally the data from the scanners, letting vulnwhisperer update the records and Logstash feed them to ElasticSearch, so it requires a local storage folder.

• It will run out of the box if you create on the root directory of VulnWhisperer a folder named "data", which needs permissions for other users to read/write/execute in order to sync:

 mkdir data && chmod -R 666 data #data/database/report_tracker.db will need 777 to use with local vulnwhisperer

otherwise the users running inside the docker containers will not be able to work with it properly. If you don't apply chmod recursively, it will still work to sync the data, but only root use in localhost will have access to the created data (if you run local vulnwhisperer with the same data will break).

• docker/logstash.yml file will need other read/write permissions in order for logstash container to use the configuration file; youll need to run:

chmod 666 docker/logstash.yml

• You will need to rebuild the vulnwhisperer Dockerfile before launching the docker-compose, as by the way it is created right now it doesn't pull the last version of the VulnWhisperer code from Github, due to docker layering inner workings. To do this, the best way is to:

wget https://raw.githubusercontent.com/qmontal/docker_vulnwhisperer/master/Dockerfile 
docker build --no-cache -t hasecuritysolutions/docker_vulnwhisperer -f Dockerfile . --network=host

This will create the image hasecuritysolutions/docker_vulnwhisperer:latest from scratch with the latest updates. Will soon fix that with the next VulnWhisperer version.

• The vulnwhisperer container inside of docker-compose is using network_mode=host instead of the bridge mode by default; this is due to issues encountered when the container is trying to pull data from your scanners from a different VLAN than the one you currently are. The host network mode uses the DNS and interface from the host itself, fixing those issues, but it breaks the network isolation from the container (this is due to docker creating bridge interfaces to route the traffic, blocking both container's and host's network). If you change this to bridge, you might need to add your DNS to the config in order to resolve internal hostnames.
• ElasticSearch requires having the value vm.max_map_count with a minimum of 262144; otherwise, it will probably break at launch. Please check https://elk-docker.readthedocs.io/#prerequisites to solve that.
• If you want to change the "data" folder for storing the results, remember to change it from both the docker-compose.yml file and the logstash files that are in the root "docker/" folder.
• Hostnames do NOT allow _ (underscores) on it, if you change the hostname configuration from the docker-compose file and add underscores, config files from logstash will fail.
• If you are having issues with the connection between hosts, to troubleshoot them you can spawn a shell in said host doing the following:

docker ps #check the images from the containers
docker exec -i -t 665b4a1e17b6 /bin/bash #where 665b4a1e17b6 is the container image you want to troubleshoot

You can also make sure that all ELK components are working by doing "curl -i host:9200 (elastic)/ host:5601 (kibana) /host:9600 (logstash). WARNING! It is possible that logstash is not exposing to the external network the port but it does to its internal docker network "esnet".

• If Kibana is not showing the results, check that you are searching on the whole ES range, as by default it shows logs for the last 15 minutes (you can choose up to last 5 years)
• X-Pack has been disabled by default due to the noise, plus being a trial version. You can enable it modifying the docker-compose.yml and docker/logstash.conf files. Logstash.conf contains the default credentials for the X-Pack enabled ES.
• On Logstash container, "/usr/share/logstash/pipeline/" is the default path for pipelines and "/usr/share/logstash/config/" for logstash.yml file, instead of "/etc/logstash/conf.d/" and "/etc/logstash/".
• In order to make vulnwhisperer run periodically, add to crontab the following:

0 8 * * * /usr/bin/docker-compose run vulnwhisp-vulnwhisperer

To launch docker-compose, do:

docker-compose -f docker-compose.yml up

If you're running linux, be sure to setup a cronjob to remove old files that get stored in the database. Be sure to change .csv if you're using json.

Setup crontab -e with the following config (modify to your environment) - this will run vulnwhisperer each night at 0130:

00 1 * * * /usr/bin/find /opt/vulnwhisp/ -type f -name '*.csv' -ctime +3 -exec rm {} \;

30 1 * * * /usr/local/bin/vuln_whisperer -c /opt/vulnwhisp/configs/example.ini

For windows, you may need to type the full path of the binary in vulnWhisperer located in the bin directory.

• Austin Taylor (@HuntOperator)
• Justin Henderson (@smapper)

• @pemontto
• Quim Montal (@qmontal)
• Andrea Lusuardi (@uovobw)