Windows & Ubuntu vulnerability detection alert is not appearing on Wazuh dashboard.


Mohammadullah Mohmand

Sep 17, 2022, 5:59:28 AM
to Wazuh mailing list

Hello everyone

I have successfully deployed the Wazuh OVF appliance v4.3.7 on ESXi 7 and also run agents v4.3.7 on 50 Windows and Linux OS. Now, as we see, everything is working normally, but we are having a problem with the Wazuh vulnerability detection module detecting vulnerability alerts from Windows Server 2019 and Ubuntu 20.4. I have set up and checked all ossec.conf files on both the Wazuh manager and the client agents, but the vulnerability detection alert is still not appearing on the Wazuh vulnerability dashboard from the Windows servers and Ubuntu OS.


The configuration of the ossec.conf file is as follows.

 Configuration in Wazuh Manager

_________________________________________

<vulnerability-detector>
    <enabled>yes</enabled>
    <interval>5m</interval>
    <ignore_time>6h</ignore_time>
    <run_on_start>yes</run_on_start>

    <!-- Ubuntu OS vulnerabilities -->
    <provider name="canonical">
      <enabled>yes</enabled>
      <os>trusty</os>
      <os>xenial</os>
      <os>bionic</os>
      <os>focal</os>
      <os>jammy</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Debian OS vulnerabilities -->
    <provider name="debian">
      <enabled>yes</enabled>
      <os>stretch</os>
      <os>buster</os>
      <os>bullseye</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- RedHat OS vulnerabilities -->
    <provider name="redhat">
      <enabled>yes</enabled>
      <os>5</os>
      <os>6</os>
      <os>7</os>
      <os>8</os>
      <os>9</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Amazon Linux OS vulnerabilities -->
    <provider name="alas">
      <enabled>no</enabled>
      <os>amazon-linux</os>
      <os>amazon-linux-2</os>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Arch OS vulnerabilities -->
    <provider name="arch">
      <enabled>no</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <update_interval>1h</update_interval>
    </provider>

    <!-- Aggregate vulnerabilities -->
    <provider name="nvd">
      <enabled>yes</enabled>
      <update_from_year>2010</update_from_year>
      <update_interval>1h</update_interval>
    </provider>

  </vulnerability-detector>

 Configuration in Wazuh Client Servers 

__________________________________________

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <hotfixes>yes</hotfixes>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>


Hence, we need your support to solve the problem.

Best regards

123.png

Ifeanyi Onyia Odike

Sep 17, 2022, 6:37:32 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com,

Thank you for using Wazuh!

Kindly hold while I revert with the information you need to solve this.

Ifeanyi Onyia Odike

Sep 17, 2022, 7:12:12 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com,

Vulnerability detector scans run on startup and at every interval set. Looking at the configuration of your manager, the interval has been set to 5 minutes while that of your agent is set to 1 hour.

<interval>1h</interval>

Kindly adjust the interval to your preferred choice (you can set it to be the same as your manager's), or restart the agents for the scan to occur.

Let me know how it goes.

Thanks.
On Saturday, September 17, 2022 at 10:59:28 AM UTC+1 mohammadul...@gmail.com wrote:

Mohammadullah Mohmand

Sep 17, 2022, 7:35:44 AM
to Wazuh mailing list
Hello Ifeanyi,
hope you're doing well.
Thanks for the update. As per your kind advice, I have changed the Wazuh Manager interval
         from
<interval>5m</interval>
           to
<interval>1h</interval>
so both the Wazuh manager and client agents' intervals are now the same.

Also, one more thing I need to know: currently our Wazuh Manager is not connected to the internet, so will it work without internet, or do I need to allow internet access to the Wazuh Manager?

Best regards


Ifeanyi Onyia Odike

Sep 17, 2022, 7:50:21 AM
to Wazuh mailing list
Hi  mohammadul...@gmail.com,

Thank you for your response.

If your Wazuh server does not have a direct connection to the internet, it is possible to keep the vulnerability feeds updated by fetching the database files from your local environment or network. To achieve this, specific vulnerability files must be downloaded and Wazuh configured to locate them.

Please follow this guide for more information about Offline Update.

Best Regards

Mohammadullah Mohmand

Sep 18, 2022, 12:58:44 AM
to Wazuh mailing list
Hello sir  
Thanks for the update. As per your advice I have followed the link Offline Update - Vulnerability detection · Wazuh documentation, but the Windows update file (vulnerability-detector/windows/msu-updates.json.gz) is not downloading; please see the screenshots, it's all black...
Windows MSU json file .png

Mohammadullah Mohmand

Sep 18, 2022, 1:07:18 AM
to Wazuh mailing list
Also, if I grant full access to the Wazuh Manager, do I still need to install the offline update, or will all the required files be downloaded automatically by the Wazuh manager itself?

Ifeanyi Onyia Odike

Sep 18, 2022, 3:22:11 AM
to Mohammadullah Mohmand, Wazuh mailing list

I will take a look at this and advise accordingly.

Regards

From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Mohammadullah Mohmand <mohammadul...@gmail.com>
Sent: Sunday, September 18, 2022 6:07:17 AM
To: Wazuh mailing list <wa...@googlegroups.com>
Subject: Re: Windows & Ubuntu vulnerability detection alert is not appearing on Wazuh dashboard.
 
--
You received this message because you are subscribed to the Google Groups "Wazuh mailing list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to wazuh+un...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/wazuh/6a0c31f8-5b29-4e75-94e6-669caa8e1accn%40googlegroups.com.

Ifeanyi Onyia Odike

Sep 18, 2022, 4:37:28 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com

You can try using a download manager/utility instead of your browser, for example using wget:
wget https://feed.wazuh.com/vulnerability-detector/windows/msu-updates.json.gz

The output is about 1.9M:

└─$ ls -lah
total 1.9M
1.9M Sep 14 11:41 msu-updates.json.gz

Regards

Ifeanyi Onyia Odike

Sep 18, 2022, 4:45:44 AM
to Wazuh mailing list
if i grant full access to Wazuh Manager, still i need to install the offline update? or all the required files will be automatically download by wazuh manger itself?

Once you have downloaded the update as specified above, you have to point Wazuh to retrieve the update from a local repository.

Offline Update - MSU

Wazuh will automatically pull the update based on the set interval.

Regards,

mohammadul...@gmail.com

Sep 18, 2022, 5:32:37 AM
to Wazuh mailing list
Hello Sir 
As I am trying to download this file on the Windows server, it's not working in PowerShell; see the attached two screenshots, the file runs and also the folder which is empty... And also, should I download the file on Windows or on the Wazuh Manager, and after downloading the file should I create a separate directory? Please provide the steps.
Thanks in advance
01.png
02.png

mohammadul...@gmail.com

Sep 18, 2022, 6:53:29 AM
to Wazuh mailing list
Dear sir. 
Please have a look at the logs. I have configured all the files as per your advice, but it still seems that the problem exists with both VirusTotal and vulnerability detection.

regards


logs from wazuh Manager.txt

Ifeanyi Onyia Odike

Sep 18, 2022, 8:57:33 AM
to Wazuh mailing list
Hi,

Apologies for your experience so far. 
The command for Wget using PowerShell is: 

-O denotes the filename you want.

At this point, you should see the file in the specified folder.

and also should I download the file in Windows or in Wazuh Manager also after downloading the file should i create separate directory.

You can create the folder anywhere with the appropriate permissions. However, if the file cannot be transferred locally to the Wazuh server, you should ensure there is a local connection between the Wazuh server and your target repository. 
The file itself should be hosted on the repository using any hosting utility (for example, Python).

So, for example, if your target repository is an Ubuntu server with IP 10.1.1.2 and your Wazuh server is on a CentOS endpoint, you can host the file using Python from the folder with the msu-update file:

#python3 -m http.server 8000
Read more about hosting files here

You can reach the file from the CentOS Wazuh server via the IP address of your target repository:

<url>http://10.1.1.2:8000/msu-updates.json.gz</url>

If the file can be transferred to the Wazuh server, then while hosting locally you can specify the URL in your configuration as localhost (127.0.0.1).

<url>http://127.0.0.1:8000/msu-updates.json.gz</url>

I hope this answers your question.

Ifeanyi Onyia Odike

Sep 18, 2022, 9:03:31 AM
to Wazuh mailing list
please have a look to logs i have configured all the file as per your advice but still its seem that problem is exist with both Virus total and vulnerability

I observed that the logs show there is an issue with your connection. Please note that access to the repositories within your log requires internet access. If you do not have internet access, you can explore the offline update for vulnerability detection as I mentioned earlier.

I hope this resolves your question.

mohammadul...@gmail.com

Sep 19, 2022, 4:40:44 AM
to Wazuh mailing list
Hello Ifeanyi,
hope you're doing well.
The mentioned problem is very urgent, and we need to check out all the viruses and vulnerabilities in our systems, so your prompt reply would be much appreciated. I have tried a lot to solve the problem with all the tips and steps you have shared and also searched the community, but no luck solving the problem; hence your advice and support is needed.
regards

On Monday, September 19, 2022 at 8:39:26 AM UTC+4:30 mohammadul...@gmail.com wrote:
Hello Sir,
thank you so much for your support.
As I have shared, multiple DMZ networks are connected to the Wazuh Manager interfaces via the local network, so I cannot grant internet access to the Wazuh manager to download its VirusTotal and vulnerability updates for Windows, Ubuntu and other OS... and at the same time I have tried all the offline updates for both Ubuntu and Windows, but it's not working. Please see all the attached logs and screenshots; if I made a mistake, kindly correct me as to why it's not working.
Kind Regards

Ifeanyi Onyia Odike

Sep 19, 2022, 4:46:27 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com

I will look through your logs and revert.
Remember that confidential information should always be redacted as this is a public forum.

Regards,

Ifeanyi Onyia Odike

Sep 19, 2022, 6:23:24 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com

Here, I will show you step-by-step how to enable offline detection on your Wazuh manager.

In my test architecture, I have:

An Ubuntu Server (10.0.2.15) - I will download and host the windows update here using python.
A windows 10 endpoint (10.0.2.40 - I will enable Vulnerability detection here)
A Wazuh manager (OVA installation - CentOS)

On my Ubuntu Server, within the folder with the msu-update file: (IP address of this server is 10.0.2.15)

# python3 -m http.server 8000 
Observe that a request is made to search for updates every 5 minutes in the screenshot I attached.

On my Wazuh Server - ossec.conf file: under the vulnerability detector

    <!-- Windows OS vulnerabilities -->
    <provider name="msu">
      <enabled>yes</enabled>
      <!-- feed hosted with python3 -m http.server on the Ubuntu server (10.0.2.15) -->
      <url>http://10.0.2.15:8000/msu-updates.json.gz</url>
      <update_interval>5m</update_interval>
    </provider>

Pay attention to the IP address and interval. Note that it is the IP address of the Ubuntu server.
Note: Ensure to restart your Wazuh-Manager once these settings are applied/modified.

On my windows 10 endpoint:

<!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <hotfixes>yes</hotfixes>
    <ports all="no">yes</ports>
    <processes>yes</processes>

    <!-- Database synchronization settings -->
    <synchronization>
      <max_eps>10</max_eps>
    </synchronization>
  </wodle>

Note: Ensure to restart your Wazuh agent service once these settings are applied/modified.

The results should be similar to the screenshots I have attached.

I observed from your logs, that your Wazuh manager still attempts to retrieve vulnerability updates via public repositories which require an internet connection. Perhaps you have not applied these settings correctly on your Wazuh manager. 
Please follow my guide or the link I provided earlier (for offline update) as assistance.

I hope this answers your questions
2022-09-19 11_03_36-ossec.conf - etc [SSH_ 192.168.56.120] - Visual Studio Code.png
2022-09-19 11_21_44-Settings.png
2022-09-19 11_16_06-Ubuntu (Snapshot With Docker) [Running] - Oracle VM VirtualBox.png
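As an added example (not part of Ifeanyi's post and not Wazuh's own code), the Python script below reproduces the hosting step on loopback and then fetches the feed the way the manager would, checking the HTTP status and the gzip magic bytes before the URL goes into ossec.conf. The feed file it writes is a constructed stand-in, not the real msu-updates.json.gz; the host 10.0.2.15 and port 8000 used when rendering the provider snippet come from the post above, and everything else (function names, the temporary directory) is an assumption of this example.

```python
import functools
import gzip
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

GZIP_MAGIC = b"\x1f\x8b"


def make_sample_feed(directory, name="msu-updates.json.gz"):
    """Write a small constructed gzip file standing in for the MSU feed.

    This is NOT the real feed from feed.wazuh.com; it only has to look like a
    gzip file so that the checks below have something to fetch.
    """
    path = os.path.join(directory, name)
    with gzip.open(path, "wb") as fh:
        fh.write(b'{"constructed_sample": true}')
    return path


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """SimpleHTTPRequestHandler without per-request logging to stderr."""

    def log_message(self, fmt, *args):
        pass


def serve_directory(directory, host="127.0.0.1", port=0):
    """Serve `directory` over HTTP, like `python3 -m http.server` run from it.

    port=0 lets the OS pick a free port; returns (server, base_url).
    """
    handler = functools.partial(QuietHandler, directory=directory)
    server = socketserver.TCPServer((host, port), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    bound_host, bound_port = server.server_address
    return server, f"http://{bound_host}:{bound_port}"


def check_feed(url, timeout=5):
    """Fetch `url` as the manager would and verify what came back.

    Returns the HTTP status, byte count, whether the body starts with the gzip
    magic, and an overall ok flag. A 404 (wrong path or file name) is reported
    rather than raised so the caller can see the status.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            status = resp.status
            body = resp.read()
    except urllib.error.HTTPError as err:
        return {"status": err.code, "bytes": 0, "gzip": False, "ok": False}
    is_gzip = body[:2] == GZIP_MAGIC
    return {"status": status, "bytes": len(body), "gzip": is_gzip,
            "ok": status == 200 and is_gzip and len(body) > 0}


def provider_snippet(base_url, name="msu-updates.json.gz", interval="5m"):
    """Render the <provider name="msu"> block that points the manager at base_url."""
    return (
        '<provider name="msu">\n'
        "  <enabled>yes</enabled>\n"
        f"  <url>{base_url}/{name}</url>\n"
        f"  <update_interval>{interval}</update_interval>\n"
        "</provider>"
    )


def demo(requested="msu-updates.json.gz"):
    """Host a constructed feed on loopback, fetch `requested`, return the check result."""
    with tempfile.TemporaryDirectory() as directory:
        make_sample_feed(directory)
        server, base_url = serve_directory(directory)
        try:
            return check_feed(f"{base_url}/{requested}")
        finally:
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    print(demo())                        # existing file: 200, gzip, ok
    print(demo("wrong-name.json.gz"))    # typo in the file name: 404
    print(provider_snippet("http://10.0.2.15:8000"))
```

Run the check from the manager host against the real repository URL before editing ossec.conf; a 404 or a body that is not gzip means the manager will keep logging fetch failures no matter what the provider block says.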

mohammadul...@gmail.com

Sep 19, 2022, 8:30:55 AM
to Wazuh mailing list
Hello Sir,
I followed your tips and also the link below: Offline Update - Vulnerability detection · Wazuh documentation
but I am sad to tell you that none of them worked for me. I know all your tips are correct, but I don't know why it's not working here...
The tips which I have followed are as below:
1- Download the offline update from the link Offline Update - Vulnerability detection · Wazuh documentation for both Canonical & MSU
2- Create folders by the name of local_path & local_repo on the Wazuh Manager and then upload all the downloaded offline files to them,
3- Change the Wazuh manager ossec.conf as below for Canonical & MSU
<provider name="canonical">
    <enabled>yes</enabled>
    <os url="http://local_repo/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os url="http://local_repo/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os url="http://local_repo/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os url="http://local_repo/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os url="http://local_repo/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>

<provider name="canonical">
    <enabled>yes</enabled>
    <os path="/local_path/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os path="/local_path/com.ubuntu.focal.cve.oval.xml.bz2">focal</os>
    <os path="/local_path/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
    <os path="/local_path/com.ubuntu.xenial.cve.oval.xml.bz2">xenial</os>
    <os path="/local_path/com.ubuntu.trusty.cve.oval.xml.bz2">trusty</os>
    <update_interval>1h</update_interval>
</provider>

<provider name="msu">
    <enabled>yes</enabled>
    <url>http://local_repo/msu-updates.json.gz</url>
    <update_interval>1h</update_interval>
</provider>


<provider name="msu">
    <enabled>yes</enabled>
    <path>/local_path/msu-updates\.json\.gz$</path>
    <update_interval>1h</update_interval>
</provider>

4- Save the settings and restart the Wazuh manager...


but the vulnerability tab is still empty for all Windows and Ubuntu agents, so if it's possible to have a remote session to solve this problem, or advise what to do next...

regards 

local-path.png
cononical seetings on wazuh.png
msu seetings on wazuh .png
local-repo.png
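Added here as an illustration, not from the post above and not Wazuh code: a small Python checker that walks the url and path sources of every enabled provider in a vulnerability-detector block and reports hosts that are syntactically not hostnames (such as a documentation placeholder left in the URL), hosts that do not resolve, and paths that match no local file. The XML it runs over is constructed; treating a non-matching basename as a regular expression over the directory listing is this example's own assumption about how a pattern-style path would be read, not a statement about how the manager parses the value.

```python
import ipaddress
import os
import re
import socket
import tempfile
import urllib.parse
import xml.etree.ElementTree as ET

# RFC 1123 host label: letters, digits and hyphens only, so a name such as
# "local_repo" (underscore) is rejected before any DNS lookup is attempted.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problem(url):
    """Describe what is wrong with the host part of a feed URL, or return None."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return f"unsupported scheme {parts.scheme!r}"
    host = parts.hostname
    if not host:
        return "no host in URL"
    try:
        ipaddress.ip_address(host)
        return None  # an IP literal needs no resolution
    except ValueError:
        pass
    if not all(_LABEL.match(label) for label in host.split(".")):
        return f"{host!r} is not a valid hostname (documentation placeholder left in place?)"
    try:
        socket.gethostbyname(host)
    except socket.gaierror:
        return f"{host!r} does not resolve from this machine"
    return None


def path_problem(path):
    """Describe what is wrong with a local feed path, or return None.

    An existing file passes. Otherwise the basename is tried as a regular
    expression over the directory listing (an assumption of this example);
    no match means the feed was never placed where the configuration says.
    """
    if os.path.isfile(path):
        return None
    directory, pattern = os.path.split(path)
    if not os.path.isdir(directory):
        return f"directory {directory!r} does not exist"
    try:
        rx = re.compile(pattern)
    except re.error:
        return f"{path!r} is neither a file nor a valid pattern"
    if any(rx.search(name) for name in os.listdir(directory)):
        return None
    return f"no file in {directory!r} matches {pattern!r}"


def check_offline_config(xml_text):
    """Check url/path sources of every enabled provider; one finding per source."""
    root = ET.fromstring(xml_text)
    findings = []
    for provider in root.iter("provider"):
        if (provider.findtext("enabled") or "").strip() != "yes":
            continue
        sources = []
        for os_el in provider.findall("os"):          # per-OS url="..." / path="..."
            for kind in ("url", "path"):
                if os_el.get(kind):
                    sources.append((kind, os_el.get(kind)))
        for kind in ("url", "path"):                  # provider-level <url> / <path>
            el = provider.find(kind)
            if el is not None and el.text and el.text.strip():
                sources.append((kind, el.text.strip()))
        for kind, value in sources:
            problem = hostname_problem(value) if kind == "url" else path_problem(value)
            findings.append({"provider": provider.get("name"), "kind": kind,
                             "value": value, "problem": problem})
    return findings


def demo():
    """Run the checker over a constructed config with a good and a bad source of each kind."""
    with tempfile.TemporaryDirectory() as d:
        present = os.path.join(d, "com.ubuntu.focal.cve.oval.xml.bz2")
        with open(present, "wb") as fh:
            fh.write(b"BZh9")  # constructed stand-in, not a real OVAL feed
        config = f"""<vulnerability-detector>
  <provider name="canonical">
    <enabled>yes</enabled>
    <os path="{present}">focal</os>
    <os path="{d}/com.ubuntu.jammy.cve.oval.xml.bz2">jammy</os>
    <os url="http://127.0.0.1:8000/com.ubuntu.bionic.cve.oval.xml.bz2">bionic</os>
  </provider>
  <provider name="msu">
    <enabled>yes</enabled>
    <url>http://local_repo/msu-updates.json.gz</url>
  </provider>
</vulnerability-detector>"""
        return check_offline_config(config)


if __name__ == "__main__":
    for f in demo():
        print(f["provider"], f["kind"], f["value"], "->", f["problem"] or "ok")
```

Pointing the checker at the manager's real ossec.conf (extract the vulnerability-detector element first) turns "the tab is empty" into a list of sources the manager cannot possibly fetch, which is the first thing to rule out before looking at feed content or agent inventory.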

Ifeanyi Onyia Odike

Sep 19, 2022, 9:38:30 AM
to Wazuh mailing list
Alright.

You can reach out to me personally via the Wazuh Slack channel and share the remote session details.

https://wazuh.com/community/join-us-on-slack/
@Ifeanyi Onyia Odike

I will be expecting.

mohammadul...@gmail.com

Sep 20, 2022, 12:00:08 AM
to Wazuh mailing list
Hello sir, I have created an account on Slack and invited you to the team.
regards 

Ifeanyi Onyia Odike

Sep 20, 2022, 3:42:16 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com,

I am yet to receive your invitation.
Please revert with your Slack username for the Wazuh Slack community (hoping you were able to join the Wazuh Slack community).

Expecting.

Regards, 

mohammadul...@gmail.com

Sep 20, 2022, 4:46:21 AM
to Wazuh mailing list
Hello sir,
I have already added you to the newly created team and also sent you a message; if you're online, please reply to me to start the session.
regards

Ifeanyi Onyia Odike

Sep 20, 2022, 8:14:20 AM
to Wazuh mailing list
Done

Mohammadullah Mohmand

Sep 27, 2022, 12:58:18 AM
to Wazuh mailing list
Hello Ifeanyi,
hope you're doing well.
Since the last three days I was so busy with other tasks, so we couldn't make time to have a remote session; however, my problem still exists, and the offline update is not working for vulnerabilities in Ubuntu and Windows, hence we need your support to finalize this problem.
vulnre prob.png

Best Regards 

Ifeanyi Onyia Odike

Sep 28, 2022, 5:00:18 AM
to Mohammadullah Mohmand, Wazuh mailing list
Hi, 

Apologies for your issues.

ifeanyi onyia odike is inviting you to a scheduled Zoom meeting.

Topic: ifeanyi onyia odike's Zoom Meeting
Time: Sep 28, 2022 11:00 AM West Central Africa

Join Zoom Meeting
https://us05web.zoom.us/j/84841505149?pwd=MGIzbXVxeTVZbzEvME91OTY5eDQ1dz09

Or you can respond with a more convenient time for you.

I will be available to solve all your concerns.

Regards,


From: wa...@googlegroups.com <wa...@googlegroups.com> on behalf of Mohammadullah Mohmand <mohammadul...@gmail.com>
Sent: Tuesday, September 27, 2022 5:58:18 AM

To: Wazuh mailing list <wa...@googlegroups.com>
Subject: Re: Windows & Ubuntu vulnerability detection alert is not appearing on Wazuh dashboard.
 

Mohammadullah Mohmand

Sep 28, 2022, 5:59:53 AM
to Wazuh mailing list
Thank you, sir, joining the meeting right away.
zoom.png

Mohammadullah Mohmand

Sep 28, 2022, 7:03:25 AM
to Wazuh mailing list
Dear sir,
2:30 PM is almost 6:00 PM here in my country and official working time is over, so if you agree I will send you another remote session tomorrow at 8 AM West Central Africa time?
regards 

Ifeanyi Onyia Odike

Sep 28, 2022, 7:15:30 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com

8 am tomorrow is okay. But I am also available right now if you need me.
Please let me know as soon as you can.

Regards,

Ifeanyi Onyia Odike

Sep 28, 2022, 7:25:35 AM
to Wazuh mailing list
Hi @mohammadul...@gmail.com

I have rescheduled the invite and sent it personally to your email. I have also set this on my calendar for 8 am WAT tomorrow.
In anticipation.

Regards,

Mohammadullah Mohmand

Sep 29, 2022, 4:55:59 AM
to Wazuh mailing list
Thank you so much, Mr. Odike, for the remote session; the Windows and Ubuntu offline update is now working perfectly and the Wazuh Manager can provide the offline update.
I appreciate your support; have a wonderful day ahead.
regards 
