From b5c8ca05c8db1a0a092a499a4c1077ec2ca3e0c6 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=C3=81lex=20Ruiz?= Date: Fri, 13 Sep 2024 12:48:14 +0200 Subject: [PATCH] Recycle ecs/vulnerability-detector --- ecs/alerts/event-generator/event_generator.py | 114 ------------------ ecs/generate.sh | 8 -- .../fields/template-settings-legacy.json | 23 ---- .../fields/template-settings.json | 25 ---- .../event-generator/event_generator.py | 0 .../fields/custom/vulnerability.yml | 22 +--- .../fields/custom/wazuh.yml | 8 +- .../fields/mapping-settings.json | 0 .../fields/subset.yml | 2 +- .../fields/template-settings-legacy.json | 0 .../fields/template-settings.json | 0 .../fields/custom/vulnerability.yml | 19 --- .../fields/mapping-settings.json | 4 - ecs/vulnerability-detector/fields/subset.yml | 19 --- 14 files changed, 3 insertions(+), 241 deletions(-) delete mode 100644 ecs/alerts/event-generator/event_generator.py delete mode 100644 ecs/states-inventory-vulnerabilities/fields/template-settings-legacy.json delete mode 100644 ecs/states-inventory-vulnerabilities/fields/template-settings.json rename ecs/{vulnerability-detector => states-vulnerabilities}/event-generator/event_generator.py (100%) mode change 100755 => 100644 rename ecs/{states-inventory-vulnerabilities => states-vulnerabilities}/fields/custom/vulnerability.yml (64%) rename ecs/{vulnerability-detector => states-vulnerabilities}/fields/custom/wazuh.yml (65%) rename ecs/{states-inventory-vulnerabilities => states-vulnerabilities}/fields/mapping-settings.json (100%) rename ecs/{states-inventory-vulnerabilities => states-vulnerabilities}/fields/subset.yml (88%) rename ecs/{vulnerability-detector => states-vulnerabilities}/fields/template-settings-legacy.json (100%) rename ecs/{vulnerability-detector => states-vulnerabilities}/fields/template-settings.json (100%) delete mode 100644 ecs/vulnerability-detector/fields/custom/vulnerability.yml delete mode 100644 ecs/vulnerability-detector/fields/mapping-settings.json delete mode 100644 ecs/vulnerability-detector/fields/subset.yml 
diff --git a/ecs/alerts/event-generator/event_generator.py b/ecs/alerts/event-generator/event_generator.py
deleted file mode 100644
index f676f0176d444..0000000000000
--- a/ecs/alerts/event-generator/event_generator.py
+++ /dev/null
@@ -1,114 +0,0 @@
-#!/bin/python3
-
-import datetime
-import random
-import json
-import requests
-import warnings
-import logging
-
-# Constants and Configuration
-LOG_FILE = 'generate_data.log'
-GENERATED_DATA_FILE = 'generatedData.json'
-DATE_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"
-
-# Configure logging
-logging.basicConfig(filename=LOG_FILE, level=logging.INFO)
-
-# Suppress warnings
-warnings.filterwarnings("ignore")
-
-
-def generate_random_date():
- start_date = datetime.datetime.now()
- end_date = start_date - datetime.timedelta(days=10)
- random_date = start_date + (end_date - start_date) * random.random()
- return random_date.strftime(DATE_FORMAT)
-
-
-def generate_random_agent():
- agent = {
- 'id': f'agent{random.randint(0, 99)}',
- 'name': f'Agent{random.randint(0, 99)}',
- 'type': random.choice(['filebeat', 'windows', 'linux', 'macos']),
- 'version': f'v{random.randint(0, 9)}-stable',
- 'is_connected': random.choice([True, False]),
- 'last_login': generate_random_date(),
- 'groups': [f'group{random.randint(0, 99)}', f'group{random.randint(0, 99)}'],
- 'key': f'key{random.randint(0, 999)}'
- }
- return agent
-
-
-def generate_random_host():
- family = random.choice(['debian', 'ubuntu', 'macos', 'ios', 'android', 'RHEL'])
- version = f'{random.randint(0, 99)}.{random.randint(0, 99)}'
- host = {
- 'ip': f'{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}.{random.randint(1, 255)}',
- 'os': {
- 'full': f'{family} {version}',
- }
- }
- return host
-
-
-def generate_random_data(number):
- data = []
- for _ in range(number):
- event_data = {
- 'agent': generate_random_agent(),
- 'host': generate_random_host(),
- }
- data.append(event_data)
- return data
-
-
-def inject_events(ip, port, index, username, password, data):
- url = f'https://{ip}:{port}/{index}/_doc'
- session = requests.Session()
- session.auth = (username, password)
- session.verify = False
- headers = {'Content-Type': 'application/json'}
-
- try:
- for event_data in data:
- response = session.post(url, json=event_data, headers=headers)
- if response.status_code != 201:
- logging.error(f'Error: {response.status_code}')
- logging.error(response.text)
- break
- logging.info('Data injection completed successfully.')
- except Exception as e:
- logging.error(f'Error: {str(e)}')
-
-
-def main():
- try:
- number = int(input("How many events do you want to generate? "))
- except ValueError:
- logging.error("Invalid input. Please enter a valid number.")
- return
-
- logging.info(f"Generating {number} events...")
- data = generate_random_data(number)
-
- with open(GENERATED_DATA_FILE, 'a') as outfile:
- for event_data in data:
- json.dump(event_data, outfile)
- outfile.write('\n')
-
- logging.info('Data generation completed.')
-
- inject = input(
- "Do you want to inject the generated data into your indexer? (y/n) ").strip().lower()
- if inject == 'y':
- ip = input("Enter the IP of your Indexer: ")
- port = input("Enter the port of your Indexer: ")
- index = input("Enter the index name: ")
- username = input("Username: ")
- password = input("Password: ")
- inject_events(ip, port, index, username, password, data)
-
-
-if __name__ == "__main__":
- main()
diff --git a/ecs/generate.sh b/ecs/generate.sh
index 1409404d4e6f5..7b860256f0936 100755
--- a/ecs/generate.sh
+++ b/ecs/generate.sh
@@ -57,14 +57,6 @@ generate_mappings() {
echo "Removing scaling_factor lines"
find "$OUT_DIR" -type f -exec sed -i '/scaling_factor/d' {} \;
- # Replace "constant_keyword" type (not supported by OpenSearch) with "keyword"
- echo "Replacing \"constant_keyword\" type with \"keyword\""
- find "$OUT_DIR" -type f -exec sed -i 's/constant_keyword/keyword/g' {} \;
-
- # Replace "flattened" type (not supported by OpenSearch) with "flat_object"
- echo "Replacing \"flattened\" type with \"flat_object\""
- find "$OUT_DIR" -type f -exec sed -i 's/flattened/flat_object/g' {} \;
-
local IN_FILE="$OUT_DIR/generated/elasticsearch/legacy/template.json"
local OUT_FILE="$OUT_DIR/generated/elasticsearch/legacy/template-tmp.json"
diff --git a/ecs/states-inventory-vulnerabilities/fields/template-settings-legacy.json b/ecs/states-inventory-vulnerabilities/fields/template-settings-legacy.json
deleted file mode 100644
index 644040fa73d8e..0000000000000
--- a/ecs/states-inventory-vulnerabilities/fields/template-settings-legacy.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "index_patterns": ["wazuh-states-vulnerabilities*"],
- "order": 1,
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.group",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
- }
-}
diff --git a/ecs/states-inventory-vulnerabilities/fields/template-settings.json b/ecs/states-inventory-vulnerabilities/fields/template-settings.json
deleted file mode 100644
index 66db0f6ad7377..0000000000000
--- a/ecs/states-inventory-vulnerabilities/fields/template-settings.json
+++ /dev/null
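Review bot: Dropping the two `find … sed` passes in generate_mappings() means the generated templates now keep `constant_keyword` and `flattened` verbatim, which the removed comments describe as not supported by OpenSearch; any subset that still pulls in an ECS field of those types would then yield a template that OpenSearch refuses to install. The commit message does not say why the rewriting is no longer needed, so I cannot tell from this page whether that is intentional. If no subset in the repository emits those types any more, a one-line comment at the removal point, e.g. `# constant_keyword/flattened are no longer emitted by any subset; no type rewriting needed`, would record that; otherwise the two passes should stay. generate_mappings() starts and ends outside the hunk.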
@@ -1,25 +0,0 @@
-{
- "index_patterns": ["wazuh-states-vulnerabilities*"],
- "priority": 1,
- "template": {
- "settings": {
- "index": {
- "number_of_shards": "1",
- "number_of_replicas": "0",
- "refresh_interval": "5s",
- "query.default_field": [
- "agent.id",
- "agent.group",
- "host.os.full",
- "host.os.version",
- "package.name",
- "package.version",
- "vulnerability.id",
- "vulnerability.description",
- "vulnerability.severity",
- "wazuh.cluster.name"
- ]
- }
- }
- }
-}
diff --git a/ecs/vulnerability-detector/event-generator/event_generator.py b/ecs/states-vulnerabilities/event-generator/event_generator.py
old mode 100755
new mode 100644
similarity index 100%
rename from ecs/vulnerability-detector/event-generator/event_generator.py
rename to ecs/states-vulnerabilities/event-generator/event_generator.py
diff --git a/ecs/states-inventory-vulnerabilities/fields/custom/vulnerability.yml b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml
similarity index 64%
rename from ecs/states-inventory-vulnerabilities/fields/custom/vulnerability.yml
rename to ecs/states-vulnerabilities/fields/custom/vulnerability.yml
index 9c255a5cef183..61e41bc3827a1 100644
--- a/ecs/states-inventory-vulnerabilities/fields/custom/vulnerability.yml
+++ b/ecs/states-vulnerabilities/fields/custom/vulnerability.yml
@@ -27,24 +27,4 @@
type: keyword
level: custom
description: >
- The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
-- name: wazuh
- title: Wazuh
- description: >
- Wazuh Inc. custom fields
- fields:
- - name: cluster.name
- type: keyword
- level: custom
- description: >
- Wazuh cluster name.
- - name: cluster.node
- type: keyword
- level: custom
- description: >
- Wazuh cluster node name.
- - name: schema.version
- type: keyword
- level: custom
- description: >
- Wazuh schema version.
+ The origin of the decision of the scanner (AKA feed used to detect the vulnerability).
\ No newline at end of file
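Review bot: The only difference between the removed and re-added last line `The origin of the decision of the scanner …` in the vulnerability.yml hunk is that the new side drops the file's trailing newline (`\ No newline at end of file`); the same happens to the last line of wazuh.yml in the next file section. Restoring the newline keeps both files POSIX-clean and avoids a spurious one-line diff on the next edit. The enclosing `vulnerability` field group starts outside the hunk.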
diff --git a/ecs/vulnerability-detector/fields/custom/wazuh.yml b/ecs/states-vulnerabilities/fields/custom/wazuh.yml
similarity index 65%
rename from ecs/vulnerability-detector/fields/custom/wazuh.yml
rename to ecs/states-vulnerabilities/fields/custom/wazuh.yml
index 235a746758812..5cc684959c04b 100644
--- a/ecs/vulnerability-detector/fields/custom/wazuh.yml
+++ b/ecs/states-vulnerabilities/fields/custom/wazuh.yml
@@ -1,4 +1,3 @@
----
- name: wazuh
title: Wazuh
description: >
@@ -14,13 +13,8 @@
level: custom
description: >
Wazuh cluster node name.
- - name: manager.name
- type: keyword
- level: custom
- description: >
- Wazuh manager name. Used by dashboards to filter results on single node deployments.
- name: schema.version
type: keyword
level: custom
description: >
- Wazuh schema version.
+ Wazuh schema version.
\ No newline at end of file
diff --git a/ecs/states-inventory-vulnerabilities/fields/mapping-settings.json b/ecs/states-vulnerabilities/fields/mapping-settings.json
similarity index 100%
rename from ecs/states-inventory-vulnerabilities/fields/mapping-settings.json
rename to ecs/states-vulnerabilities/fields/mapping-settings.json
diff --git a/ecs/states-inventory-vulnerabilities/fields/subset.yml b/ecs/states-vulnerabilities/fields/subset.yml
similarity index 88%
rename from ecs/states-inventory-vulnerabilities/fields/subset.yml
rename to ecs/states-vulnerabilities/fields/subset.yml
index 07a0275742440..9bde745b8f715 100644
--- a/ecs/states-inventory-vulnerabilities/fields/subset.yml
+++ b/ecs/states-vulnerabilities/fields/subset.yml
@@ -1,5 +1,5 @@
---
-name: wazuh-states-inventory-vulnerability
+name: wazuh-inventory-vulnerabilities
fields:
base:
fields:
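Review bot: The second wazuh.yml hunk removes `manager.name` from the `wazuh` field group, whose removed description says dashboards use it to filter results on single-node deployments, and nothing in the commit message says that producers and dashboards have stopped using `wazuh.manager.name`. With a strict mapping, as in the `"dynamic": "strict"` of the deleted ecs/vulnerability-detector/fields/mapping-settings.json on this page (the renamed states-vulnerabilities mapping is not shown), a document that still carries the field would be rejected at indexing time, so that dependency is worth confirming before the field goes. If the removal is intended, a sentence in the commit description stating that the field is no longer produced or queried would help readers. The first hunk also drops the leading `---` document marker while subset.yml in this same commit keeps it; one convention across the custom field files would be cleaner.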
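Review bot: The subset.yml hunk renames the subset to `wazuh-inventory-vulnerabilities`, but the directory it now lives in is `ecs/states-vulnerabilities` and the template settings deleted elsewhere on this page target the index pattern `wazuh-states-vulnerabilities*` (the renamed template-settings.json that replaces them is not shown), so the "states" part of the name disappears only here. If the subset name feeds the generated artefact names, `name: wazuh-states-vulnerabilities` would keep it aligned with the directory and index pattern; if the divergence is deliberate, it deserves a sentence in the commit description. The rest of the subset definition continues outside the hunk.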
diff --git a/ecs/vulnerability-detector/fields/template-settings-legacy.json b/ecs/states-vulnerabilities/fields/template-settings-legacy.json
similarity index 100%
rename from ecs/vulnerability-detector/fields/template-settings-legacy.json
rename to ecs/states-vulnerabilities/fields/template-settings-legacy.json
diff --git a/ecs/vulnerability-detector/fields/template-settings.json b/ecs/states-vulnerabilities/fields/template-settings.json
similarity index 100%
rename from ecs/vulnerability-detector/fields/template-settings.json
rename to ecs/states-vulnerabilities/fields/template-settings.json
diff --git a/ecs/vulnerability-detector/fields/custom/vulnerability.yml b/ecs/vulnerability-detector/fields/custom/vulnerability.yml
deleted file mode 100644
index 51be3282cc161..0000000000000
--- a/ecs/vulnerability-detector/fields/custom/vulnerability.yml
+++ /dev/null
@@ -1,19 +0,0 @@
-- name: vulnerability
- title: Vulnerability
- group: 2
- short: Fields to describe the vulnerability relevant to an event.
- description: >
- The vulnerability fields describe information about a vulnerability that is
- relevant to an event.
- type: group
- fields:
- - name: detected_at
- type: date
- level: custom
- description: >
- Vulnerability's detection date.
- - name: published_at
- type: date
- level: custom
- description: >
- Vulnerability's publication date.
\ No newline at end of file
diff --git a/ecs/vulnerability-detector/fields/mapping-settings.json b/ecs/vulnerability-detector/fields/mapping-settings.json
deleted file mode 100644
index 0ad2b48fcc1be..0000000000000
--- a/ecs/vulnerability-detector/fields/mapping-settings.json
+++ /dev/null
@@ -1,4 +0,0 @@
-{
- "dynamic": "strict",
- "date_detection": false
-}
\ No newline at end of file
diff --git a/ecs/vulnerability-detector/fields/subset.yml b/ecs/vulnerability-detector/fields/subset.yml
deleted file mode 100644
index 951f7e492d1c2..0000000000000
--- a/ecs/vulnerability-detector/fields/subset.yml
+++ /dev/null
@@ -1,19 +0,0 @@
----
-name: vulnerability_detector
-fields:
- base:
- fields:
- tags: []
- message: ""
- agent:
- fields: "*"
- package:
- fields: "*"
- host:
- fields:
- os:
- fields: "*"
- vulnerability:
- fields: "*"
- wazuh:
- fields: "*"