Wazuh Windows Vulnerability


Suat Toksöz

Mar 19, 2020, 6:54:05 AM
to Wazuh mailing list
Hi,

I could not get the Wazuh vulnerability to work on Windows. Here are the conf files:



Windows Agent : ossec.conf
<wodle name="syscollector">
  <disabled>no</disabled>
  <interval>1h</interval>
  <scan_on_start>yes</scan_on_start>
  <hardware>yes</hardware>
  <os>yes</os>
  <network>yes</network>
  <packages>yes</packages>
  <ports all="no">yes</ports>
  <processes>yes</processes>
  <hotfixes>yes</hotfixes>
</wodle>



Wazuh Manager : ossec.conf
 <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
</vulnerability-detector>

--

Best regards,

Suat Toksoz

Juan Cabrera

Mar 19, 2020, 7:23:59 AM
to Wazuh mailing list

Hello Suat Toksöz,

The configuration of `vulnerability-detector` should be as follows:

ossec.log:

  <vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>
  </vulnerability-detector>

Remember that the ignore_time tag is 6 hours by default, and you won’t see the alerts again until this time has passed. To check that it works properly, decrease its time.

On the other hand, the download of the Windows NVD might take too long; be sure to see the following message in the ossec.log file:

2020/03/19 11:34:43 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the National Vulnerability Database feed finished successfully.

Suat Toksöz

Mar 19, 2020, 9:30:14 AM
to Juan Cabrera, Wazuh mailing list
Is this conf for manager - ossec.conf?

Thanks

--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/d48783af-c5bc-4521-95bf-793a9eec694d%40googlegroups.com.

Juan Cabrera

Mar 19, 2020, 12:05:26 PM
to Wazuh mailing list

Yes, the configuration I provided is for the manager: /var/ossec/etc/ossec.conf

Suat Toksöz

Mar 20, 2020, 6:44:24 AM
to Juan Cabrera, Wazuh mailing list
Hi Juan,

I could not get the Windows vulnerability scan to work; here are the conf files and logs. Where am I getting it wrong?

Agent ossec.conf file:
  <!-- System inventory -->

  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>10m</interval>

    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
    <hotfixes>yes</hotfixes>
  </wodle>


Manager ossec.conf file
<vulnerability-detector>
   <enabled>yes</enabled>
   <interval>5m</interval>
   <run_on_start>yes</run_on_start>
   <provider name="debian">
     <enabled>yes</enabled>
     <os>buster</os>
     <update_interval>1h</update_interval>
  </provider>

   <provider name="nvd">
    <enabled>yes</enabled>
    <update_from_year>2010</update_from_year>
    <update_interval>1h</update_interval>
  </provider>
  </vulnerability-detector>



....... /var/ossec/logs/ossec.log | grep National
2020/03/20 00:52:20 wazuh-modulesd:vulnerability-detector: INFO: (5461): Starting National Vulnerability Database database update.
2020/03/20 00:52:27 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the National Vulnerability Database feed finished successfully.


Result on the Kibana dashboard:
There are no results for selected time range. Try another one.




Juan Cabrera

Mar 23, 2020, 6:18:20 AM
to Wazuh mailing list

Hi Suat,

Your settings are correct.

The Vulnerability detector only warns if your system is vulnerable. Could your system be up to date and not vulnerable?

To check that you are scanning correctly, follow these steps:

  1. Activate the debug mode. Edit the file /var/ossec/etc/internal_options.conf and change the line:

    wazuh_modules.debug=0

    to

    wazuh_modules.debug=2

  2. Restart the manager: /var/ossec/bin/ossec-control restart

  3. Check the packages on your system in the ossec.log file:

    tail -f /var/ossec/logs/ossec.log
    2019/09/25 14:44:57 wazuh-modulesd:vulnerability-detector [5541] wm_vuln_detector_nvd.c:2624 at wm_vuldet_check_hotfix(): DEBUG: (5533): Agent 1 is vulnerable to CVE-2017-0076 because does not have the '4012212' patch installed.

  4. Check whether or not the agent is vulnerable with the packages it has installed.

Suat Toksöz

Mar 23, 2020, 7:18:10 AM
to Juan Cabrera, Wazuh mailing list
Hi Juan, here is the log file. I am getting an error "No package inventory found for agent"
Thanks

root@wazuhtestmanager:~# cat /var/ossec/logs/ossec.log | grep -E "agent 9" --color
2020/03/23 14:09:23 wazuh-modulesd:database[12471] wm_database.c:373 at wm_sync_agents(): DEBUG: Synchronizing agent 9 'WINWAZUHTEST09'.
2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:1060 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5486): Starting vulnerability assessment for agent 9.
2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:2811 at wm_vuldet_get_software_info(): DEBUG: (5462): Getting agent 9 software.
2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:2829 at wm_vuldet_get_software_info(): DEBUG: (5574): A partial scan will be run on agent 9.
2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:2838 at wm_vuldet_get_software_info(): DEBUG: (5434): No package inventory found for agent 9, so their vulnerabilities will not be checked.


Juan Cabrera

Mar 25, 2020, 5:26:20 AM
to Wazuh mailing list

Hi Suat.

This error happens when the agent has the tag <packages>no</packages> in the syscollector block.

Check that the configuration of the agent is correct and remember to restart it to apply it.

Suat Toksöz

Mar 25, 2020, 7:00:36 AM
to Juan Cabrera, Wazuh mailing list
Hi Juan,

I checked the agent conf, but it is not set to "no"; here is the ossec.conf from the agent:


  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>10m</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
    <hotfixes>yes</hotfixes>
  </wodle>

Juan Cabrera

Mar 25, 2020, 12:09:31 PM
to Wazuh mailing list

Hello Suat,

I’m going to check your case more in depth.

Could you tell me what version of Wazuh you use as a manager and agent?

One question: Do you have any configuration in the agent.conf file?

Best regards

Suat Toksöz

Mar 26, 2020, 1:36:12 AM
to Juan Cabrera, Wazuh mailing list
Hi Juan,

agent : WINDOWS Server 2012 R2 - v3.11.1
manager : v3.11.1


Juan Cabrera

Mar 26, 2020, 5:45:44 AM
to Wazuh mailing list

Hi Suat,

I just tried the same version and it works fine.

Let’s make some checks:

    1. Do you have any configuration in the agent.conf file?
    2. Run the following query:
      sqlite3 /var/ossec/queue/db/006.db "Select * from sys_programs"
      Is the data returned correct?
    3. Execute the following query:
      sqlite3 /var/ossec/queue/db/006.db "Select * from sys_hotfixes"
      Is the data returned correct?

    One of the cases for this not to work is that, in the manager’s /var/ossec/etc/shared/default/agent.conf file, you have the option <hotfixes>no</hotfixes>

    Suat Toksöz

    Mar 26, 2020, 9:00:20 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan here is the results:

    1-<agent_config></agent_config>

    2-Error: no such table: sys_programs

    3-Error: no such table: sys_hotfixes


    Juan Cabrera

    Mar 26, 2020, 12:28:54 PM
    to Wazuh mailing list

    Sorry Suat, the query:

    sqlite3 /var/ossec/queue/db/006.db "Select * from sys_programs"

    and

    sqlite3 /var/ossec/queue/db/006.db "Select * from sys_hotfixes"

    You must change the 006.db for the windows agent ID you have.

    Suat Toksöz

    Mar 27, 2020, 3:54:40 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan, thanks

    I ran the queries, nothing comes up-

    ~# sqlite3 /var/ossec/queue/db/000.db "Select * from sys_hotfixes"
    ~# sqlite3 /var/ossec/queue/db/000.db "Select * from sys_progra


    Juan Cabrera

    Mar 27, 2020, 5:16:40 AM
    to Wazuh mailing list

    Hello Suat,

    You’re not looking at the Windows agent database. Agent 000 is the manager.

    If you don’t know which is the windows agent, execute the following command in the manager:

    /var/ossec/bin/agent_control -l
    

    It returns a list of the agents’ names and their IDs. Search the list for the Windows agent and try again with its corresponding ID.

    A greeting

    Suat Toksöz

    Mar 27, 2020, 5:26:36 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    nothing comes up-
    ~# sqlite3 /var/ossec/queue/db/010.db "Select * from sys_hotfixes"
    ~# sqlite3 /var/ossec/queue/db/010.db "Select * from sys_progra



    Juan Cabrera

    Mar 27, 2020, 5:56:06 AM
    to Wazuh mailing list

    Does the database exist in the directory /var/ossec/queue/db?

    What data does it contain?

    Suat Toksöz

    Mar 27, 2020, 6:40:11 AM
    to Juan Cabrera, Wazuh mailing list
    Yes,
    I have the file on here:
    var/ossec/queue/db/010.db


    Suat Toksöz

    Mar 27, 2020, 6:53:20 AM
    to Juan Cabrera, Wazuh mailing list
    In addition, I am getting some errors on wazuh-db

    2020/03/27 13:51:03 wazuh-db ERROR:  sqlite3_step(): database is locked
    2020/03/27 13:51:03 wazuh-db ERROR:  Unable to update 'sca_check' table for agent '011'

    Juan Cabrera

    Mar 27, 2020, 11:05:49 AM
    to Wazuh mailing list
     To check the data in the database, the manager must be stopped.

    Suat Toksöz

    Mar 30, 2020, 1:45:51 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,
    Here is the ls output of the location.

    /var/ossec/queue/db
    .......................
    -rw-r-----  1 ossec ossec    2531328 Mar 27 19:27 010.db
    -rw-r-----  1 ossec ossec    2531328 Mar 27 19:27 001.db
    -rw-r-----  1 ossec ossec    32768 Mar 30 08:42 001.db-shm
    -rw-r-----  1 ossec ossec    4152 Mar 30 08:42 001.db-wal
    ...................


    Juan Cabrera

    Mar 30, 2020, 4:22:07 AM
    to Wazuh mailing list

    Hello Suat:

    To check the content of the database, follow the steps below:

    1. Use the root user:
      sudo su
      
    2. Turn off the manager:
      /var/ossec/bin/ossec-control stop
      
    3. Execute the following commands and save the output:
      sqlite3 /var/ossec/queue/db/010.db "Select * from sys_programs" >> outputPrograms.txt
      sqlite3 /var/ossec/queue/db/010.db "Select * from sys_hotfixes" >> outputHotfixes.txt
      
    4. Start the manager again:
      /var/ossec/bin/ossec-control start
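
The database check in the steps above, as an added Python example that is not part of the thread or of Wazuh: it opens an agent database read-only and tells apart the three outcomes seen in this thread (no inventory tables, empty tables, stored rows). The sample databases, their one-column schema and their rows are constructed for the demonstration; as in the steps above, run it against a real agent database only while the manager is stopped.

```python
import sqlite3
import tempfile
from pathlib import Path

INVENTORY_TABLES = ("sys_programs", "sys_hotfixes")  # the tables queried in the thread


def inventory_status(db_path):
    """Return {table: "missing" | "empty" | row count} for one agent database."""
    path = Path(db_path).resolve()
    if not path.is_file():
        # The sqlite3 CLI opens a nonexistent file in an existing directory as a
        # new, empty database and then reports "no such table"; fail loudly instead.
        raise FileNotFoundError(path)
    # mode=ro guarantees the check never creates or modifies the file.
    conn = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True, timeout=5)
    try:
        status = {}
        for table in INVENTORY_TABLES:
            found = conn.execute(
                "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                (table,),
            ).fetchone()
            if found is None:
                status[table] = "missing"
            else:
                rows = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
                status[table] = rows or "empty"
        return status
    finally:
        conn.close()


def explain(status):
    """Map a status to the follow-up check that the thread suggests for it."""
    if "missing" in status.values():
        return "no inventory tables: wrong file, check the agent ID with agent_control -l"
    if status["sys_programs"] == "empty":
        return "no packages stored: look for syscollector errors in the manager ossec.log"
    if status["sys_hotfixes"] == "empty":
        return "no hotfixes stored: check the <hotfixes> option in ossec.conf and agent.conf"
    return "inventory present: check the vulnerability-detector debug output"


def build_samples(directory):
    """Create constructed databases (made-up schema and rows) for the three cases."""
    cases = {
        "no_tables.db": ["CREATE TABLE metadata (key TEXT)"],
        "empty.db": [f"CREATE TABLE {t} (name TEXT)" for t in INVENTORY_TABLES],
        "populated.db": [f"CREATE TABLE {t} (name TEXT)" for t in INVENTORY_TABLES] + [
            "INSERT INTO sys_programs VALUES ('Example Package A')",
            "INSERT INTO sys_programs VALUES ('Example Package B')",
            "INSERT INTO sys_hotfixes VALUES ('KB0000000')",
        ],
    }
    paths = []
    for name, statements in cases.items():
        conn = sqlite3.connect(Path(directory) / name)
        for statement in statements:
            conn.execute(statement)
        conn.commit()
        conn.close()
        paths.append(Path(directory) / name)
    return paths


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for db in build_samples(tmp):
            status = inventory_status(db)
            print(f"{db.name}: {status} -> {explain(status)}")
```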
      


    Suat Toksöz

    Mar 30, 2020, 4:38:08 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    Both selects come out with nothing.

    -rw-r--r--  1 root root         0 Mar 30 11:36 outputHotfixes.txt
    -rw-r--r--  1 root root         0 Mar 30 11:35 outputPrograms.txt


    Juan Cabrera

    Apr 1, 2020, 6:26:21 AM
    to Wazuh mailing list
    Hello Suat,

    I can't reproduce your mistake.

    Let's see if the syscollector is failing at any point. For this, change `analysisd.debug=0` to `analysisd.debug=2` in the `internal_options.conf` file of your agent.

    Then, check the output of `ossec.log` file for any syscollector error.

    Regards

    Suat Toksöz

    Apr 1, 2020, 7:55:01 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    After changing the internal_options.conf analysisd.debug=2, here's the ERROR from the log

    2020/04/01 13:51:56 ossec-agent: ERROR: Could not EvtSubscribe() for (EventLog) which returned (15007)


    Juan Cabrera

    Apr 1, 2020, 8:31:44 AM
    to Wazuh mailing list

    Sorry, about the debug mode in the previous message: I wrote agent, and it’s manager.

    In which ossec.log file did you get that error? In the agent or in the manager?

    Suat Toksöz

    Apr 1, 2020, 8:41:09 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan, I changed the agent's internal_options.conf file, also the ERROR is from agent's ossec log


    Juan Cabrera

    Apr 1, 2020, 9:32:05 AM
    to Wazuh mailing list

    Hi,

    Put the debug to 2 in the manager (internal_options.conf) and check if there is an error with syscollector. This module is in charge of collecting the agent information to save it in the database (that right now you have empty).

    Suat Toksöz

    Apr 2, 2020, 1:49:55 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    I set to debug 2 on manager server. Here is the log from manager ossec.log file:

    tail -f /var/ossec/logs/ossec.log | grep "syscollector"
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Port information.'
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:99 at DecodeSyscollector(): DEBUG: Unable to send ports information to Wazuh DB.
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Port information.'
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:99 at DecodeSyscollector(): DEBUG: Unable to send ports information to Wazuh DB.
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Process information.'
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:141 at DecodeSyscollector(): DEBUG: Unable to send processes information to Wazuh DB.
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Process information.'
    2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:141 at DecodeSyscollector(): DEBUG: Unable to send processes information to Wazuh DB

    thanks


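
An added example, not part of the thread or of Wazuh's code: a Python parser for the ossec.log lines quoted in this thread, in both the normal and the debug layout, that collects the messages the troubleshooting relies on (5494, 5434, 5533, the sc_send_db errors and the wazuh-db lock error). The regular expressions are inferred from the lines shown here and are an assumption about the format, not a specification.

```python
import re
from collections import Counter

# Line layout as seen in the thread; "[pid] file:line at func()" only appears
# once debug is enabled in internal_options.conf.
LINE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) "
    r"(?P<daemon>[\w:-]+?)"
    r"(?: ?\[(?P<pid>\d+)\] (?P<src>\S+:\d+) at (?P<func>\w+)\(\))?"
    r":? (?P<level>DEBUG|INFO|WARNING|ERROR|CRITICAL): +"
    r"(?:\((?P<msgid>\d+)\): )?(?P<msg>.*)$"
)
AGENT = re.compile(r"[Aa]gent (\d+)")
HOTFIX = re.compile(r"vulnerable to (CVE-\d{4}-\d+) because does not have the '(\d+)' patch")
SAVE_ERR = re.compile(r"'err Cannot save (\w+) information\.'")


def triage(lines):
    """Summarise the vulnerability-detector and inventory messages in ossec.log lines."""
    feed_updated, no_inventory, patches = False, set(), []
    write_errors, db_locked, unparsed = Counter(), 0, 0
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            unparsed += 1
            continue
        msgid, msg, daemon = m["msgid"], m["msg"], m["daemon"]
        agent = AGENT.search(msg)
        if msgid == "5494":  # NVD feed update finished
            feed_updated = True
        elif msgid == "5434" and agent:  # no package inventory for this agent
            no_inventory.add(int(agent.group(1)))
        elif msgid == "5533" and agent and (hit := HOTFIX.search(msg)):
            patches.append((int(agent.group(1)), hit.group(1), hit.group(2)))
        elif daemon == "ossec-analysisd" and (err := SAVE_ERR.search(msg)):
            write_errors[err.group(1)] += 1
        elif daemon == "wazuh-db" and "database is locked" in msg:
            db_locked += 1
    return {
        "feed_updated": feed_updated,
        "no_inventory_agents": sorted(no_inventory),
        "missing_patches": patches,
        "db_write_errors": dict(write_errors),
        "db_locked": db_locked,
        "unparsed": unparsed,
    }


def next_checks(report):
    """Turn a report into the follow-up checks given in the thread."""
    checks = []
    if not report["feed_updated"]:
        checks.append("wait for message 5494: the NVD feed update has not finished")
    for agent in report["no_inventory_agents"]:
        checks.append(f"agent {agent}: query sys_programs in its database on the manager")
    if report["db_write_errors"] or report["db_locked"]:
        checks.append("inventory writes to Wazuh DB are failing (see db_write_errors)")
    return checks


# Log lines quoted from the thread, plus one line that is not a log entry.
SAMPLE = [
    "2020/03/20 00:52:27 wazuh-modulesd:vulnerability-detector: INFO: (5494): The update of the National Vulnerability Database feed finished successfully.",
    "2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:1060 at wm_vuldet_check_agent_vulnerabilities(): DEBUG: (5486): Starting vulnerability assessment for agent 9.",
    "2020/03/23 14:09:33 wazuh-modulesd:vulnerability-detector[12471] wm_vuln_detector.c:2838 at wm_vuldet_get_software_info(): DEBUG: (5434): No package inventory found for agent 9, so their vulnerabilities will not be checked.",
    "2019/09/25 14:44:57 wazuh-modulesd:vulnerability-detector [5541] wm_vuln_detector_nvd.c:2624 at wm_vuldet_check_hotfix(): DEBUG: (5533): Agent 1 is vulnerable to CVE-2017-0076 because does not have the '4012212' patch installed.",
    "2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Port information.'",
    "2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Port information.'",
    "2020/04/02 08:46:59 ossec-analysisd[10109] syscollector.c:1705 at sc_send_db(): ERROR: at sc_send_db(): received: 'err Cannot save Process information.'",
    "2020/03/27 13:51:03 wazuh-db ERROR:  sqlite3_step(): database is locked",
    "There are no results for selected time range. Try another one.",
]

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, value in result.items():
        print(f"{key}: {value}")
    print(next_checks(result))
```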

    Juan Cabrera

    Apr 2, 2020, 7:46:27 AM
    to Wazuh mailing list

    You seem to have a problem with communication between the agent and the manager.

    Is that agent connected to the manager? Run the following query on the manager:

    /var/ossec/bin/agent_control -l

    And check by its ID that your agent is listed as Active.

    Suat Toksöz

    Apr 2, 2020, 7:55:54 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    The Windows machine's agent looks active, thanks.

    ID: 010, Name: TESTWINMACH, IP: any, Active


    Lokman Hakim

    Apr 2, 2020, 11:39:31 AM
    to Wazuh mailing list
    Dear all,

    The vulnerability module is active and working, but I face a problem: when I looked at the log, one error shows: (5426): CVE database could not be updated.
    I waited a long time but the problem remains. I need your help. I have attached the error log.


    Thanks




    Juan Cabrera

    Apr 6, 2020, 5:43:04 AM
    to Wazuh mailing list
    Hi Lokman,

    Canonical has just modified the download link. Now, we have to download the compressed OVAL in bz2. You can read more about it here. We are working on it to release a new Wazuh version as soon as possible. Meanwhile, you can download the OVAL manually and modify the Vuln. Detector configuration to use a local path instead of downloading it. You can follow our documentation to configure it.

    On the other hand, in order to keep the mailing list clean, please create a thread per issue.


    Greetings

    Suat Toksöz

    Apr 6, 2020, 6:15:01 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan,

    My issue is still open; I cannot get Windows vulnerability to work. Thanks for your help


    Juan Cabrera

    Apr 8, 2020, 8:04:43 AM
    to Wazuh mailing list

    Hello Suat,

    I’m still working on your case. There’s a similar issue to yours:
    https://github.com/wazuh/wazuh/issues/4353

    We’re going to do some checking:

    1. Delete the agent’s database:
      rm /var/ossec/queue/db/ID.db

      (where ID is your Windows agent ID number).
    2. Restart wazuh:
      /var/ossec/bin/ossec-control restart

    3. Check the log for the error:
      tail -f /var/ossec/logs/ossec.log | grep "syscollector"

    4. If there is no error, check if the DB contains data:
      sqlite3 /var/ossec/queue/db/ID.db "Select * from sys_programs"

      (where ID is the ID number of your Windows agent)
    5. If the DB has data, check that the vulnerability detector is working correctly.

    Suat Toksöz

    Apr 8, 2020, 8:25:11 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan, Thanks for the help.

    I did all the comment but agent's db returns nothing.


    Suat Toksöz

    Apr 10, 2020, 7:55:07 AM
    to Juan Cabrera, Wazuh mailing list
    Hi all, I am still waiting on this issue. Any help would be appreciated. Thanks

    Juan Cabrera

    Apr 13, 2020, 4:44:34 AM
    to Wazuh mailing list
    We're trying to reproduce your mistake without success.

    Which version of Wazuh are you using for the agent?

    Remember that the agent version must be equal or less than the manager version for it to work properly.

    Best regards,
    Juan

    Suat Toksöz

    Apr 13, 2020, 4:58:57 AM
    to Juan Cabrera, Wazuh mailing list
    Hi Juan, my Wazuh server version is Wazuh v3.11.1, and the agent is the same version. Thanks


    Juan Cabrera

    Apr 22, 2020, 4:44:13 AM
    to Wazuh mailing list
    Hello Suat,

    After several days, I have not been able to reproduce in any way the error you mention.

    That's why I recommend you to update the manager to the latest version, since in every new version released, we correct several fixes that can affect the operation of the product.

    You can follow the next update guide:
    https://documentation.wazuh.com/3.12/upgrade-guide/upgrading/latest_wazuh3_minor.html#upgrading-latest-minor

    Greetings:
    Juan Cabrera

    Suat Toksöz

    Apr 24, 2020, 10:09:02 AM
    to Juan Cabrera, Wazuh mailing list
    Thanks anyway, I will try to upgrade my wazuh
