This package enriches the suricata_corelight and notice Corelight logs with known CVE information. To collect the CVE information, it first uses a Python script, reformat.py, to read a CSV file containing IP addresses, hostnames, and CVE (Common Vulnerabilities and Exposures) identifiers, and outputs a reformatted version that consolidates entries by unique IP and hostname combinations, listing all associated CVEs for each combination.
For an input.csv as follows,
192.168.1.1,server1,cve-2021-1234
192.168.1.1,server1,cve-2021-2345
192.168.1.2,server2,cve-2021-3456
192.168.1.1,server1,cve-2021-4567
192.168.1.3,server3,cve-2021-5678
the output.csv would be
#fields ip hostname cve_list
192.168.1.1 server1 cve-2021-1234,cve-2021-2345,cve-2021-4567
192.168.1.2 server2 cve-2021-3456
192.168.1.3 server3 cve-2021-5678
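A minimal reimplementation of that consolidation step, added here as an example (it is not the package's own reformat.py). It assumes the output columns are tab-separated, which is what the Zeek Input framework reads by default, and it drops exact duplicate CVE rows for the same host.

```python
import csv
import io
from collections import OrderedDict


def consolidate_cves(csv_text):
    """Group ip,hostname,cve rows by (ip, hostname), keeping CVEs in first-seen order."""
    groups = OrderedDict()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or row[0].startswith("#"):
            continue  # skip blank lines and comment/header lines
        if len(row) != 3:
            raise ValueError(f"expected 3 columns, got {len(row)}: {row!r}")
        ip, hostname, cve = (field.strip() for field in row)
        cves = groups.setdefault((ip, hostname), [])
        if cve not in cves:  # the same CVE listed twice for one host is recorded once
            cves.append(cve)
    return groups


def to_zeek_input(groups):
    """Render the groups as a '#fields' table; tab separation is an assumption."""
    lines = ["#fields\tip\thostname\tcve_list"]
    for (ip, hostname), cves in groups.items():
        lines.append("\t".join([ip, hostname, ",".join(cves)]))
    return "\n".join(lines) + "\n"


# Constructed sample input, matching the input.csv shown above.
SAMPLE_INPUT = """192.168.1.1,server1,cve-2021-1234
192.168.1.1,server1,cve-2021-2345
192.168.1.2,server2,cve-2021-3456
192.168.1.1,server1,cve-2021-4567
192.168.1.3,server3,cve-2021-5678
"""

if __name__ == "__main__":
    print(to_zeek_input(consolidate_cves(SAMPLE_INPUT)), end="")
```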
Next, the package uses a Zeek script to annotate the suricata_corelight and notice Corelight logs with the CVE information extracted in the previous step.