Hi Luke,
Yes, you can manually exclude vulnerability alerts (and any others) using CDB lists. I will explain how:
1) First, create a list to include the vulnerabilities you do not want to report. It should be saved in /var/ossec/etc/lists/.
touch /var/ossec/etc/lists/vuln-black-list
chown ossec:ossec /var/ossec/etc/lists/vuln-black-list
2) Add the vulnerabilities to that file following the format CVE:Description.
3) Add the list to the ossec.conf file using the <list> option.
<ruleset>
<!-- Default ruleset -->
<decoder_dir>ruleset/decoders</decoder_dir>
<rule_dir>ruleset/rules</rule_dir>
<rule_exclude>0215-policy_rules.xml</rule_exclude>
<list>etc/lists/audit-keys</list>
<list>etc/lists/amazon/aws-eventnames</list>
<list>etc/lists/security-eventchannel</list>
<list>etc/lists/vuln-black-list</list>
<!-- User-defined ruleset -->
<decoder_dir>etc/decoders</decoder_dir>
<rule_dir>etc/rules</rule_dir>
</ruleset>
4) Compile the CDB list.
/var/ossec/bin/ossec-makelists
5) Create a rule that uses this list and ignores the vulnerability using level 0.
<rule id="99999" level="0">
<if_sid>Rule to ignore</if_sid>
<list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-black-list</list>
<group>vulnerability-detector</group>
<description>Ignore vulnerability</description>
</rule>
6) Restart the manager.
systemctl restart wazuh-manager
Best regards,
Cristobal Lopez.
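As an added example (not part of the original reply and not Wazuh's own code), the script below walks through steps 1, 2 and 5 offline: it writes a CVE:Description list, checks that every line has a CVE-style key before the first colon (which is what a match_key lookup on vulnerability.cve compares against), and emulates the level-0 decision for a given CVE. It assumes a temporary directory instead of /var/ossec/etc/lists so it runs without a manager; the CVE identifiers and descriptions are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post or from Wazuh.
# ASSUMPTION: LIST_DIR defaults to a temp directory so this runs offline;
# on a real manager the file lives in /var/ossec/etc/lists (owner ossec:ossec).
LIST_DIR="${LIST_DIR:-$(mktemp -d)}"
LIST_FILE="$LIST_DIR/vuln-black-list"

# Step 1-2: write the list in CVE:Description form.
# The CVE ids and descriptions below are constructed sample values.
write_list() {
    cat > "$LIST_FILE" <<'EOF'
CVE-0000-0001:accepted risk, package pinned by vendor
CVE-0000-0002:false positive, fix was backported
EOF
}

# Every line must be key:value with a CVE-style key; match_key compares the
# alert's vulnerability.cve field against the part before the first colon.
# Returns 1 if any line is malformed.
validate_list() {
    grep -Evq '^CVE-[0-9]{4}-[0-9]+:' "$LIST_FILE" && return 1
    return 0
}

# Local approximation of the match_key lookup: succeeds if $1 is a key.
# The manager itself reads the compiled CDB, not the text file.
in_list() {
    grep -q "^$1:" "$LIST_FILE"
}

# Step 5 emulated: a CVE found in the list is matched by the level-0 rule
# and suppressed; anything else is alerted on as usual.
classify() {
    if in_list "$1"; then echo suppress; else echo alert; fi
}

write_list
validate_list || { echo "malformed entry in $LIST_FILE" >&2; exit 1; }
classify CVE-0000-0001
classify CVE-0000-9999
```

Running it prints "suppress" for the listed CVE and "alert" for the unlisted one; appending a line without a CVE key makes validate_list fail, which is the check worth running before pointing the rule at the list.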