Rule group "vulnerability-detector" not generating alerts


Daniel D'Angeli

Jul 29, 2021, 6:05:32 AM
to Wazuh mailing list
Hi,

I'm trying to find vulnerabilities for Windows systems, but the vulnerability detector is not generating any alerts.

The Windows machines have CVE-affected packages, so it is not possible that they are 100% safe.

Any help?

Regards,
Daniel D.

Daniel D'Angeli

Jul 29, 2021, 6:06:15 AM
to Wazuh mailing list
In addition to that, I've installed 4.1.5 for the Wazuh server and agent.

Juan Manuel Utrera Garcia

Jul 29, 2021, 7:58:54 AM
to Wazuh mailing list

Hi Daniel,

On the one hand, there may be a problem with Syscollector; this could be because Syscollector is not getting the packages.

To rule out this possibility, I would like to ask you to follow these steps:

  • Could you set the option wazuh_modules.debug to 2 in WAZUH-PATH/internal_options.conf?
  • Could you restart Wazuh?
  • Could you share with me the logs obtained?

On the other hand, it could be that the packages do not match the CPE Helper. The CPE Helper is a dictionary that converts the matched packages to CPE format so that they match correctly in the NVD.

Having said this, I would like you to share some additional information:

  • Could you share with me the agent packages collected by Wazuh? You can find them in the WUI, more specifically in: Agents -> Select Windows Agent -> Inventory Data -> Packages. There you can download a CSV file with the list of packages.
  • Could you share with me the Windows updates? As I said in the question above, you can find them in the WUI, more specifically in: Agents -> Select Windows Agent -> Inventory Data -> Windows Updates.

If you have any questions, do not hesitate to ask us.
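The three debugging steps above (raise `wazuh_modules.debug`, restart, collect the logs) can be scripted on the manager. The following POSIX sh script is an added example written for this thread; it is not code from the Wazuh project or from either poster. It assumes a default Linux manager install under `/var/ossec` (the `WAZUH_PATH` of the post), a systemd unit named `wazuh-manager`, and the `wazuh-modulesd:vulnerability-detector` / `wazuh-modulesd:syscollector` prefixes that Wazuh 4.x writes to `ossec.log`; the config rewrite goes through a temp file so a crash mid-write never leaves a truncated `internal_options.conf` behind.

```shell
#!/bin/sh
# Added example (not from the thread or the Wazuh project): enable the
# wazuh_modules debug level requested above and gather the module logs.
# Assumption: default manager layout under /var/ossec; override WAZUH_PATH.

WAZUH_PATH="${WAZUH_PATH:-/var/ossec}"

# set_debug_level FILE KEY LEVEL
# Rewrites "KEY=<n>" in an internal_options.conf-style file, or appends the
# line if KEY is not present yet. Writes via a temp file and renames atomically.
set_debug_level() {
    file="$1"; key="$2"; level="$3"
    tmp="${file}.tmp.$$"
    if grep -q "^${key}=" "$file"; then
        sed "s/^${key}=.*/${key}=${level}/" "$file" > "$tmp"
    else
        cp "$file" "$tmp"
        printf '%s=%s\n' "$key" "$level" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# get_option FILE KEY: prints the current value of KEY (empty if unset)
get_option() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# collect_module_logs LOGFILE: keeps only the lines written by the two
# modules involved in this thread, which is what support needs to see.
collect_module_logs() {
    grep -E 'wazuh-modulesd:(vulnerability-detector|syscollector)' "$1"
}

main() {
    conf="$WAZUH_PATH/etc/internal_options.conf"
    # keep a timestamped backup so the change is easy to revert afterwards
    cp "$conf" "$conf.bak.$(date +%Y%m%d%H%M%S)"
    set_debug_level "$conf" "wazuh_modules.debug" 2
    systemctl restart wazuh-manager
    # give the modules a few minutes to run a scan, then share this output
    collect_module_logs "$WAZUH_PATH/logs/ossec.log"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh enable_vd_debug.sh --run` on the manager; remember to set the level back to 0 (or restore the backup) once the logs are collected, because level 2 is verbose.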

Daniel D'Angeli

Jul 29, 2021, 11:02:18 AM
to Wazuh mailing list
Hi,

the Syscollector is working correctly. I can see every detail of the VM from the Wazuh App on Kibana.

You can find the packages and updates attached to this message.

Regards,
Daniel D.
updates.png
packages.csv

Daniel D'Angeli

Jul 29, 2021, 12:49:55 PM
to Wazuh mailing list
Hi,

quick update: the FW installed by the client blocks the NVD database download by Wazuh. We believe that adjusting the FW rules will fix the issue.

I will update the thread once we find out.

Regards,
Daniel D.

Daniel D'Angeli

Jul 30, 2021, 8:50:39 AM
to Wazuh mailing list
Hi,

we adjusted the FW rules, but now it shows another error on the FW, which is "tcp client reset". After a tcpdump we found that the connection works correctly but then abruptly shuts down.

As a side note, it shows that the client version of Wazuh is 3.10 even though we have installed 4.1.5, so you may want to check that out.

We're still looking for a solution at the moment; I will update this thread with more info as soon as possible.

Regards,
Daniel D.

Juan Manuel Utrera Garcia

Aug 3, 2021, 7:51:58 AM
to Wazuh mailing list

Hi Daniel,

First of all, it is very strange that you install Wazuh v4.1.5 and get Wazuh v3.10 instead. So in addition to the FW problem, Wazuh v3.10 is already very outdated, at least for the vulnerability detector module (VDT), so to get VDT working correctly I would ask you to upgrade your Wazuh client or reinstall Wazuh v4.1.5.

Here in our documentation, you could find out how to upgrade a Wazuh agent for Windows and how to install it.

Finally, I would like to ask you for some additional information:

  • What is your Windows version?
  • Do you have any other agents connected? If so, are you receiving alerts from them?
  • Have you done a clean installation or did you have any other previous version of Wazuh?

I am looking forward to your response.

Thank you!

Daniel D'Angeli

Aug 4, 2021, 9:18:57 AM
to Wazuh mailing list
Hi,

we've managed to solve the problem.

There were some custom decoders that were interfering with the JSON decoder, so no alerts were being generated.

Regards,
Daniel D.