Need wild card Structure for red-hat-json vulnerability files


Saddique Khan
Oct 11, 2023, 4:54:46 AM
to Wazuh | Mailing List
Hello Team,

           I hope you are all good.
           I am trying to add JSON files to the ossec.conf of the Wazuh manager for vulnerability checks. I have already downloaded the files; they cover 1999 to 2023. I need to write a provider to use them. Could you please give me the wildcard structure for these files so I can use them in the provider?

cve_1999_page_1.json
cve_1999_page_10.json
cve_1999_page_11.json
cve_1999_page_12.json
cve_1999_page_13.json
cve_1999_page_14.json
cve_1999_page_15.json
cve_1999_page_16.json
cve_1999_page_17.json
cve_1999_page_18.json
cve_1999_page_19.js
cve_2000_page_1.json
cve_2000_page_10.json
cve_2000_page_11.json
cve_2000_page_12.json
cve_2000_page_13.json
cve_2000_page_14.json
cve_2000_page_15.json
cve_2000_page_16.json
cve_2000_page_17.json
cve_2000_page_18.json
cve_2000_page_19.json
cve_2000_page_2.json
cve_2000_page_20.json

I want to use them like this as according to wazuh documentations.

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

Regards,
Saddique 

Saddique Khan
Oct 11, 2023, 5:04:26 AM
to Wazuh | Mailing List
I put it like this and the vulnerability module just started throwing the error.

<provider name="redhat">
<enabled>yes</enabled>
<path>/var/ossec/feeds/cve_.*\+\.json$</path>
<update_interval>1h</update_interval>
</provider> 

Regards,
Saddique

[attachment: Screenshot 2023-10-11 at 11.02.50.png]

Saddique Khan
Oct 11, 2023, 5:13:24 AM
to Wazuh | Mailing List
Please note that my system is not connected to the internet. I have downloaded the JSON files onto my local machine. Now I want to use them for vulnerability detection.

Md. Nazmur Sakib
Oct 11, 2023, 6:17:13 AM
to Wazuh | Mailing List

Hi Saddique Khan,

Hope you are doing well. Thank you for using Wazuh.

The example shared in the documentation is for the following file name format:

redhat-feed10.json

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

The wildcard option using * does not seem to be working. Also, the regex syntax in the path option is different from the one used in the Wazuh ruleset. You can try the following workaround.

For file names such as

cve_2000_page_20.json
cve_1999_page_10.json

<path>/local_path/rh-feed/cve_[[:digit:]]\+_page_[[:digit:]]\+\.json$</path>

Or

<path>/local_path/rh-feed/cve_2000_page_[[:digit:]]\+\.json$</path>
<path>/local_path/rh-feed/cve_1999_page_[[:digit:]]\+\.json$</path>

Please let me know if this solves your issue.


Regards

Md. Nazmur Sakib

Saddique Khan
Oct 11, 2023, 7:08:50 AM
to Wazuh | Mailing List
Hello Nazmur,

         Thanks for the quick reply. I appreciate it.
         Could you please correct me about the local_path? What is its exact location? I have put all the CVE files in the /var/ossec/feeds folder. Would it be correct to use it in the following way?

        <path>/var/ossec/feeds/cve_[[:digit:]]\+_page_[[:digit:]]\+\.json$</path>

Regards,
Saddique

Saddique Khan
Oct 11, 2023, 8:53:21 AM
to Wazuh | Mailing List
Hello Nazmur,

                This is my file collection in the container. The path is /var/ossec/feeds. You can see the files in the screenshot.

Regards,
Saddique

[attachment: Screenshot 2023-10-11 at 14.51.54.png]

Md. Nazmur Sakib
Oct 12, 2023, 5:53:53 AM
to Wazuh | Mailing List

Hi Saddique Khan,


Based on the file path and file names, the path should be similar to:


<path>/var/ossec/feeds/cve_[[:digit:]]\+_page_[[:digit:]]\+\.json$</path>



Regards


Md. Nazmur Sakib

Saddique Khan
Oct 12, 2023, 7:12:56 AM
to Wazuh | Mailing List
Hello Nazmur,

       I have downloaded exactly the same files using the rh-generator.sh script. I have put them in the feeds folder and configured it as described in the Wazuh documentation. However, I see this issue in the logs.

   
2023/10/12 11:09:31 wazuh-modulesd: INFO: (5586): No feeds specified for 'redhat' provider. Enabling all the available ones.
2023/10/12 11:09:31 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'jredhat' will be updated offline.
2023/10/12 11:09:41 wazuh-modulesd: INFO: (5586): No feeds specified for 'redhat' provider. Enabling all the available ones.
2023/10/12 11:09:41 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'jredhat' will be updated offline.


Regards,
Saddique

Saddique Khan
Oct 12, 2023, 7:54:41 AM
to Wazuh | Mailing List
Hello Nazmur,

           This is my ossec.conf configuration.

<provider name="redhat">
        <enabled>yes</enabled>
        <path>/var/ossec/feeds/redhat-feed[[:digit:]]\+\.json$</path>
        <update_interval>1h</update_interval>
  </provider>

Saddique Khan
Oct 13, 2023, 3:27:57 AM
to Wazuh | Mailing List
Hello Nazmur,

           I have downloaded all the relevant files using the Wazuh rh-generator script. You can see their list in the snapshot. I put them on a container volume backed by local storage so that they are permanent.

<provider name="redhat">
         <enabled>yes</enabled>
         <os url="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
         <os url="/local_path/hel-6-including-unpatched.oval.xml.bz2">6</os>
         <os url="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
         <os url="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
         <os url="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
         <path>/local_path/redhat-feed[[:digit:]]\+\.json$</path>
         <update_interval>1h</update_interval>
      </provider>

But still, the vulnerability dashboard looks empty. I checked the events and they are coming in, but there has been no scan so far.

Regards,
Saddique

[attachment: Screenshot 2023-10-13 at 09.03.05.png]

Md. Nazmur Sakib
Oct 13, 2023, 3:49:00 AM
to Wazuh | Mailing List

Hi Saddique Khan,


Hope you are doing well. 


What is the status of the vulnerability feed update for Red Hat?

Check ossec.log:

cat /var/ossec/logs/ossec.log | grep wazuh-modulesd

There should be a similar log line if your feed is updated successfully.

2023/10/04 10:03:47 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.

Are you getting the same warning that you shared previously?

2023/10/12 11:09:41 wazuh-modulesd: INFO: (5586): No feeds specified for 'redhat' provider. Enabling all the available ones.
2023/10/12 11:09:41 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'jredhat' will be updated offline.

Looking forward to your response.


Regards

Md. Nazmur Sakib

Saddique Khan
Oct 13, 2023, 4:19:33 AM
to Wazuh | Mailing List
Hello Nazmur,

         I can see these warnings:

2023/10/13 08:12:01 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 6' database could not be fetched.
2023/10/13 08:12:01 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 7' database update.
2023/10/13 08:12:11 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/10/13 08:12:11 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 8' database update.
2023/10/13 08:12:21 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 8' database could not be fetched.
2023/10/13 08:12:21 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Red Hat Enterprise Linux 9' database update.
2023/10/13 08:12:31 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 9' database could not be fetched.
2023/10/13 08:12:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: ERROR: (5551): Invalid multi_path '/local_path/rh-feed': 'feed not found'
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.

This is the result. My path rh-feed is correct for sure; you can see it in the snapshot.

Regards,
Saddique
[attachment: Screenshot 2023-10-13 at 10.16.10.png]
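A small triage filter for the ossec.log lines discussed in this thread, added here as an example; it is not part of the thread or of Wazuh. It keys only on the message IDs visible in the quoted log lines (5430, 5500, 5551, 5587) and reduces them to one status line per feed, so a long log can be checked at a glance after a feed change. The sample log is constructed from lines quoted above.

```shell
#!/bin/sh
# Added example (not Wazuh code). Summarise vulnerability-detector feed
# messages from ossec.log, keyed on the message IDs quoted in this thread.

feed_status() {
    # Usage: feed_status /var/ossec/logs/ossec.log
    # 5430: feed updated            5500: database could not be fetched
    # 5551: no file matched <path>  5587: feed conflict
    sed -n \
        -e 's/.*(5430): The update of the \(.*\) feed finished successfully\./OK   \1/p' \
        -e 's/.*(5500): The \(.*\) database could not be fetched\./FAIL \1/p' \
        -e "s/.*(5551): Invalid multi_path \(.*\): 'feed not found'/FAIL path \1 matched no file/p" \
        -e 's/.*(5587): Feed conflict\. \(.*\)/WARN \1/p' \
        "$1"
}

# Count status lines of one kind (OK, FAIL or WARN) in a log file.
count_status() {
    feed_status "$2" | grep -c "^$1"
}

# Constructed sample built from log lines quoted in the thread.
sample_log() {
    cat <<'EOF'
2023/10/12 11:09:31 wazuh-modulesd: INFO: (5586): No feeds specified for 'redhat' provider. Enabling all the available ones.
2023/10/12 11:09:31 wazuh-modulesd: WARNING: (5587): Feed conflict. Only 'jredhat' will be updated offline.
2023/10/13 08:12:11 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 7' database could not be fetched.
2023/10/13 08:12:21 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'Red Hat Enterprise Linux 8' database could not be fetched.
2023/10/13 08:12:31 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'JSON Red Hat Enterprise Linux' database update.
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'JSON Red Hat Enterprise Linux' feed finished successfully.
2023/10/13 08:12:32 wazuh-modulesd:vulnerability-detector: ERROR: (5551): Invalid multi_path '/local_path/rh-feed': 'feed not found'
EOF
}

# Stand-alone run: summarise the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    sample_log > "$tmp"
    feed_status "$tmp"
    rm -f "$tmp"
fi
```

On a real manager run `feed_status /var/ossec/logs/ossec.log`; a `FAIL path` line means the directory part of the `<path>` value was scanned and nothing matched the regex, which is the case to check before looking at permissions or file contents.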

Md. Nazmur Sakib
Oct 13, 2023, 5:57:48 AM
to Wazuh | Mailing List

Hi Saddique Khan,



I was trying to reproduce the issue following the documentation. However, I was unable to reproduce the error.


Redhat vulnerability configuration:



    <!-- RedHat OS vulnerabilities -->

    <provider name="redhat">

      <enabled>yes</enabled>

      <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>

      <update_interval>5m</update_interval>

    </provider>


My folder location:


Status of vulnerability feed update:



Also, as you can see, the physical scan was done based on the offline vulnerability JSON data.



Regards

Md. Nazmur Sakib

Saddique Khan
Oct 13, 2023, 6:27:49 AM
to Wazuh | Mailing List

Hello Nazmur,

          Thanks for sharing the results. May I ask whether anything needs to be done in the agent's ossec.conf? Like any log path or something?

Regards.
Saddique

Saddique Khan
Oct 13, 2023, 10:53:45 AM
to Wazuh | Mailing List
Hello Nazmur,

         Are you running Wazuh on Kubernetes? And does Wazuh have internet access?

Regards
Saddique

Md. Nazmur Sakib
Oct 19, 2023, 1:43:20 AM
to Wazuh | Mailing List

Hi Saddique Khan,

Hope you are doing well. Sorry for the late reply.



I have tried this without an internet connection and this is my result. As you can see, the JSON Red Hat Enterprise Linux database was updated successfully with an offline feed.

<provider name="redhat">
    <enabled>yes</enabled>
    <path>/local_path/rh-feed/redhat-feed[[:digit:]]\+\.json$</path>
    <update_interval>1h</update_interval>
</provider>

Next, I used the relevant path inside /var/ossec and was unable to update using the relevant path.

I could only reproduce your issue when Wazuh could not read the JSON files, the regex format was incorrect, or the JSON file was missing inside the path.

I think the issue is one of these.

The regex type used to open the feed files is POSIX regex. Recheck whether you are using the right regex pattern.

Try updating the file permissions so that Wazuh can read those files.

Also, if you are loading the OVAL feed from a local path, use the path attribute as this example shows.

<provider name="redhat">
   <enabled>yes</enabled>
   <os path="/local_path/com.redhat.rhsa-RHEL5.xml.bz2">5</os>
   <os path="/local_path/rhel-6-including-unpatched.oval.xml.bz2">6</os>
   <os path="/local_path/rhel-7-including-unpatched.oval.xml.bz2">7</os>
   <os path="/local_path/rhel-8-including-unpatched.oval.xml.bz2">8</os>
   <os path="/local_path/rhel-9-including-unpatched.oval.xml.bz2">9</os>
   <update_interval>1h</update_interval>
</provider>



I hope this helps. Please let me know if you need any further assistance.


Regards

Md. Nazmur Sakib
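A pre-flight check for the offline feed `<path>` value, added here as an example; it is not part of the thread or of Wazuh. It covers the three failure causes named in the reply above (pattern does not match, files unreadable, files missing) and the earlier regex workaround in one script. It assumes, from the documented `\+` syntax and the `Invalid multi_path '/local_path/rh-feed'` error quoted earlier, that the value is split at its last `/` into a directory and a POSIX basic regex matched against file names in that directory; GNU grep's default (basic) mode understands the same `[[:digit:]]\+` dialect, so the script runs the configured pattern over the directory listing before the manager is restarted. The `demo` function and its file names are constructed.

```shell
#!/bin/sh
# Added example (not Wazuh code). Assumption: <path> is <directory>/<POSIX BRE
# on the file name>; grep's basic-regex mode is used as the matcher.

# Print the full path of every file in DIR ($1) whose name matches REGEX ($2).
feed_matches() {
    [ -d "$1" ] || return 1
    ls -1 "$1" | grep -e "$2" | while IFS= read -r name; do
        printf '%s/%s\n' "$1" "$name"
    done
}

# Validate one <path> value: directory exists, at least one file matches,
# every match is readable, non-empty and starts like a JSON document.
# Prints each problem found; returns 0 only when nothing is wrong.
check_feed_path() {
    dir=${1%/*}
    regex=${1##*/}
    if [ ! -d "$dir" ]; then
        echo "directory not found: $dir"
        return 1
    fi
    count=$(feed_matches "$dir" "$regex" | wc -l | tr -d ' ')
    if [ "$count" -eq 0 ]; then
        echo "no file in $dir matches /$regex/ (the manager would report 'feed not found')"
        return 1
    fi
    problems=$(feed_matches "$dir" "$regex" | while IFS= read -r f; do
        if [ ! -r "$f" ]; then
            echo "not readable: $f"
        elif [ ! -s "$f" ]; then
            echo "empty: $f"
        else
            # A JSON document starts with '{' or '[' after any leading whitespace.
            case $(tr -d ' \t\r\n' < "$f" | head -c 1) in
                '{' | '[') ;;
                *) echo "does not look like JSON: $f" ;;
            esac
        fi
    done)
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    echo "$count feed file(s) matched under $dir"
}

# Constructed demo: three page files named like the ones listed in the thread,
# one empty page and one unrelated file. Returns 0 when the documented
# redhat-feed pattern finds nothing, the per-page pattern flags the empty
# file, and the per-page pattern passes once the empty file is gone.
demo() {
    d=$(mktemp -d) || return 1
    for n in cve_1999_page_1.json cve_1999_page_10.json cve_2000_page_20.json; do
        printf '{"cve_list": []}\n' > "$d/$n"      # constructed placeholder content
    done
    : > "$d/cve_2001_page_1.json"                   # empty file: must be flagged
    echo 'not a feed' > "$d/README.txt"
    ok=0
    if ! check_feed_path "$d/redhat-feed[[:digit:]]\\+\\.json$"; then ok=$((ok + 1)); fi
    if ! check_feed_path "$d/cve_[[:digit:]]\\+_page_[[:digit:]]\\+\\.json$"; then ok=$((ok + 1)); fi
    rm "$d/cve_2001_page_1.json"
    if check_feed_path "$d/cve_[[:digit:]]\\+_page_[[:digit:]]\\+\\.json$"; then ok=$((ok + 1)); fi
    rm -rf "$d"
    [ "$ok" -eq 3 ]
}

[ "${1:-}" = "--demo" ] && demo
```

On a manager, run it as the user the module runs under (for example `sudo -u wazuh sh check.sh`) with the exact string from ossec.conf, e.g. `check_feed_path '/var/ossec/feeds/cve_[[:digit:]]\+_page_[[:digit:]]\+\.json$'`; the readability test is only meaningful when executed as that user, which is the permission case the reply above mentions.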
