Mute vulnerabilities from wazuh vulnerability scan


Kodoku Zetsuna

Mar 30, 2023, 10:59:54 AM
to Wazuh mailing list
I have detected vulnerabilities from the wazuh scan that I would like to silence

specifically "apparmor" CVE: CVE-2016-1585
I've created this custom rule, but it doesn't seem to work, as I keep seeing the alert. Can someone help me find out what I'm doing wrong?

<group name=" vulnerability-detector">
   <rule id="120001" level="0">
     <if_sid>23506</if_sid>
     <list field="vulnerability.cve" lookup="match_key">/var/ossec/etc/lists/vuln-whitelist</list>
     <group>vulnerability-detector</group>
     <description>Whitelist</description>
   </rule>
</group>

/var/ossec/etc/lists/vuln-whitelist:
CVE-2016-1585:

NOTE:
I have added the appropriate configuration to ossec.conf:
 <list>etc/lists/vuln-whitelist</list>

Any ideas?
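To make the mechanism the rule above relies on concrete, here is a small Python model of it, added as an illustration and not taken from Wazuh's own code: a CDB list is parsed from its "key:value" source, the alert's vulnerability.cve field is looked up with the match_key semantics, and the child rule only applies to alerts coming from rule 23506. The alert dicts, the placeholder CVE and the rule id 100001 are constructed for the example; everything else (the list contents, rule ids 23506 and 120001, the relative list path) comes from the thread.

```python
"""Model of the vulnerability whitelist rule: CDB list keyed by CVE id,
looked up via the alert's vulnerability.cve field, applied to children of
rule 23506. Illustrative Python only; not Wazuh's implementation."""
import posixpath

# Constructed contents of etc/lists/vuln-whitelist, as in the question:
# one "key:value" line per entry, value left empty.
WHITELIST_TEXT = "CVE-2016-1585:\n"

# Constructed, trimmed alerts: only the fields the rule inspects are kept.
# Real vulnerability-detector alerts carry many more fields.
APPARMOR_ALERT = {
    "rule": {"id": "23506"},
    "vulnerability": {"cve": "CVE-2016-1585", "package": {"name": "apparmor"}},
}
OTHER_ALERT = {  # CVE-0000-0000 is a placeholder, not a real CVE
    "rule": {"id": "23506"},
    "vulnerability": {"cve": "CVE-0000-0000", "package": {"name": "placeholder-pkg"}},
}
UNRELATED_ALERT = {  # constructed rule id that is not the parent 23506
    "rule": {"id": "100001"},
    "vulnerability": {"cve": "CVE-2016-1585"},
}


def parse_cdb_list(text: str) -> dict:
    """Parse CDB list source: one 'key:value' per line, value may be empty.
    Blank lines are skipped; a line without ':' is malformed. (The manager
    compiles the file into a .cdb on restart; here a dict stands in.)"""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed CDB line (no ':'): {line!r}")
        entries[key.strip()] = value.strip()
    return entries


def get_field(event: dict, dotted: str):
    """Resolve a dotted field name such as 'vulnerability.cve' in an alert."""
    cur = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def list_lookup(cdb: dict, value, lookup: str = "match_key") -> bool:
    """Mirror two <list lookup="..."> variants: match_key fires when the value
    is a key in the list, not_match_key when it is absent."""
    if value is None:
        return False
    if lookup == "match_key":
        return value in cdb
    if lookup == "not_match_key":
        return value not in cdb
    raise ValueError(f"unsupported lookup {lookup!r}")


def whitelist_rule(alert: dict, cdb: dict, parent_sid: str = "23506",
                   field: str = "vulnerability.cve") -> dict:
    """Evaluate custom rule 120001: it only triggers for alerts of the parent
    rule (if_sid); when the CVE is in the list the alert becomes level 0."""
    rule_id = alert.get("rule", {}).get("id")
    if rule_id != parent_sid:
        return {"rule_id": rule_id, "silenced": False}
    if list_lookup(cdb, get_field(alert, field), "match_key"):
        return {"rule_id": "120001", "level": 0, "silenced": True}
    return {"rule_id": parent_sid, "silenced": False}


def list_ref_ok(ref: str) -> bool:
    """<list> paths are written relative to the Wazuh installation directory
    (the reply recommends etc/lists/vuln-whitelist); flag an absolute path so
    it can be corrected before the rule is deployed."""
    return not posixpath.isabs(ref)


if __name__ == "__main__":
    cdb = parse_cdb_list(WHITELIST_TEXT)
    for alert in (APPARMOR_ALERT, OTHER_ALERT, UNRELATED_ALERT):
        print(get_field(alert, "vulnerability.cve"), whitelist_rule(alert, cdb))
    for ref in ("etc/lists/vuln-whitelist", "/var/ossec/etc/lists/vuln-whitelist"):
        print(ref, "ok" if list_ref_ok(ref) else "should be relative to the install dir")
```

Running it shows the apparmor alert dropping to level 0 through rule 120001, the placeholder CVE passing through unchanged, and the absolute list path being flagged; the real check is still wazuh-logtest on the manager, which the thread goes on to discuss.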

Fabricio Brunetti

Apr 3, 2023, 8:58:53 AM
to Wazuh mailing list
Hello Kodoku Zetsuna,

Hope you are doing well.
Your rule looks ok and the whitelist file also looks ok.
The only thing in the rule that might be wrong is the path to the list, try with
<list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-whitelist</list>
Let me know if this works for you.

Regards,
Fabricio Brunetti

Fabricio Brunetti

Apr 5, 2023, 7:14:33 PM
to Kodoku Zetsuna, Wazuh mailing list
I tested it with wazuh-logtest and it is working for me.

Could you share the log, or maybe we can check the output of the rule using wazuh-logtest on your wazuh-manager?

Regards,
Fabricio

On Tue, Apr 4, 2023 at 6:36 PM Kodoku Zetsuna <zko...@gmail.com> wrote:
Thanks for your help! I tried it but it didn't work


Kodoku Zetsuna

Apr 7, 2023, 4:14:35 AM
to Fabricio Brunetti, Wazuh mailing list
Thanks for your help! I tried it but it didn't work

On Mon, Apr 3, 2023 at 06:58, 'Fabricio Brunetti' via Wazuh mailing list (wa...@googlegroups.com) wrote:

Fabricio Brunetti

Apr 12, 2023, 7:55:49 AM
to Wazuh mailing list
Let me know if we can help you debug the issue using wazuh-logtest.

Regards,
Fabricio

Kodoku Zetsuna

Apr 28, 2023, 10:25:40 AM
to Fabricio Brunetti, Wazuh mailing list
Sorry for the delay, I decided to postpone this activity. What log did you run to do the test in wazuh-logtest?
