Yes I'm sorry, it's not matching "critical". I've isolated an event for testing and changed things up a bit to see what happens. I figured this would result in an Elasticsearch indexing error but instead got a....weird...error.
```
translate {
  field => "[cvss]"
  destination => "[cvss][rating]"
  regex => true
  exact => true
  dictionary => {
    "^0$|0\.0|^$" => "none"
    "^0\.[1-9]|^[1-3](\.[0-9])?$" => "low"
    "^[4-6](\.[0-9])?" => "medium"
    "^[7-8](\.[0-9])?" => "high"
    "^9(\.[0-9])?|^10" => "critical"
  }
  fallback => "none"
}
mutate {
  rename => {
    "cvss" => "[cvss][score]"
  }
}
```
Error:

```
Something went wrong when attempting to translate from dictionary {:exception=>org.logstash.Accessors$InvalidFieldSetException: Could not set field 'rating' on object '0.1e2' to value 'low'.This is probably due to trying to set a field like [foo][bar] = someValuewhen [foo] is not either a map or a string, :field=>"[cvss]", :event=>#<LogStash::Event:0x43cd0a35>}
```
Original data being ingested:

```json
{"Modified": "2021-02-12 01:00:00", "Published": "2021-02-10 19:15:00", "access": {"authentication": "NONE", "complexity": "LOW", "vector": "NETWORK"}, "assigner": "cve@mitre.org", "capec": [], "cvss": 10.0, "cvss-time": "2021-02-12 01:00:00", "cvss-vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "cwe": "CWE-787", "id": "CVE-2021-27171", "impact": {"availability": "COMPLETE", "confidentiality": "COMPLETE", "integrity": "COMPLETE"}, "last-modified": {"$date": 1613091600000}, "references": ["https://pierrekim.github.io/blog/2021-01-12-fiberhome-ont-0day-vulnerabilities.html#telnet-cli-privilege-escalation"], "summary": "An issue was discovered on FiberHome HG6245D devices through RP2613. It is possible to start a Linux telnetd as root on port 26/tcp by using the CLI interface commands of ddd and shell (or tshell).", "vulnerable_configuration": [{"id": "cpe:2.3:o:fiberhome:hg6245d_firmware:*:*:*:*:*:*:*:*", "title": "cpe:2.3:o:fiberhome:hg6245d_firmware:*:*:*:*:*:*:*:*"}, {"id": "cpe:2.3:h:fiberhome:hg6245d:-:*:*:*:*:*:*:*", "title": "cpe:2.3:h:fiberhome:hg6245d:-:*:*:*:*:*:*:*"}], "vulnerable_configuration_cpe_2_2": [], "vulnerable_product": ["cpe:2.3:o:fiberhome:hg6245d_firmware:*:*:*:*:*:*:*:*"]}
```
Actually, reading it again, that was the error I expected to get, it just got caught by Logstash. What I thought was weird was the `0.1e2` ... is it saying that is the field value it's seeing for cvss?
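Added example in Ruby (the language Logstash filters run in; this is not the poster's config or Logstash's own code): it replays the post's dictionary against what the filter really sees, namely the JSON number `10.0` as a `BigDecimal` whose `to_s` is `"0.1e2"`, which is why the `low` regex fires, and it shows why `[cvss][rating]` cannot be set while `cvss` is still a number. The first-match, unanchored lookup is an assumed model of the translate filter's `regex => true, exact => true` mode.

```ruby
require 'bigdecimal'

# The post's dictionary, same order: Ruby hashes keep insertion order and the
# translate filter returns the value of the first key whose regex matches.
CVSS_DICTIONARY = {
  '^0$|0\.0|^$' => 'none',
  '^0\.[1-9]|^[1-3](\.[0-9])?$' => 'low',
  '^[4-6](\.[0-9])?' => 'medium',
  '^[7-8](\.[0-9])?' => 'high',
  '^9(\.[0-9])?|^10' => 'critical'
}.freeze

# Assumed model of translate with regex => true, exact => true: unanchored
# Regexp#match? against the field's string form, first hit wins, else fallback.
def lookup(text, fallback = 'none')
  key = CVSS_DICTIONARY.keys.detect { |k| Regexp.new(k).match?(text) }
  key ? CVSS_DICTIONARY[key] : fallback
end

# What the filter sees: the JSON number arrives as a BigDecimal, and
# BigDecimal#to_s renders 10.0 as "0.1e2", which the 'low' regex then matches.
def coerced_text(json_number)
  BigDecimal(json_number).to_s
end

# Formatting the score yourself removes the surprise. '%g' yields "10", "7.5",
# "0"; a plain "10.0" would instead be caught by the unanchored 0\.0 in key one.
def rating(json_number)
  lookup(format('%g', BigDecimal(json_number).to_f))
end

# The other half of the error: [cvss][rating] can only be set once [cvss] is a
# map, so the rename to [cvss][score] has to run before the translate step.
def set_nested(event, parent, child, value)
  unless event[parent].is_a?(Hash)
    raise ArgumentError, "cannot set [#{parent}][#{child}]: #{parent} is not a map"
  end
  event[parent][child] = value
  event
end

def enrich(event)
  score = event.delete('cvss')
  event['cvss'] = { 'score' => score }          # mutate/rename first
  set_nested(event, 'cvss', 'rating', rating(score.to_s))
end

# Constructed sample event carrying the cvss value from the post's document.
SAMPLE_EVENT = { 'id' => 'CVE-2021-27171', 'cvss' => 10.0 }.freeze
```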