Vulnerability Detection problem in SLES15 with Wazuh 4.4.3


Bruno Santolin Dornelles Franco
May 26, 2023, 5:58:55 PM
to Wazuh mailing list
Hello Everyone,

I'm running Wazuh Server 4.4.3 and Vulnerability Detection isn't working with SLES15-SP4. The agent version is the same as the server's. The server is Debian 11.7.0-amd64.
Vulnerabilities shows no data.
I tested with 2 different SLES15-SP4 machines.
I queried the database and the machines' OS_NAME attribute is SLES15.

Also, I tested with RHEL 8.3 and it is working!


Finally, this SLES is a SAP variant:
NAME="SLES"
VERSION="15-SP4"
VERSION_ID="15.4"
PRETTY_NAME="SUSE Linux Enterprise Server 15 SP4"
ID="sles"
ID_LIKE="suse"
ANSI_COLOR="0;32"
CPE_NAME="cpe:/o:suse:sles:15:sp4"
VARIANT_ID="sles-sap"


Thanks for helping me!


Server Vulnerability Detection confs:
server.png
server2.png


Agent Vulnerability Detection confs:
agent.png

Agents SLES listed on database:
database.png

Vulnerability Detection no data:
no_data.png



Bruno Santolin Dornelles Franco
May 29, 2023, 5:50:55 PM
to Wazuh mailing list

Someone?

Natalia Castillo
May 29, 2023, 6:10:52 PM
to Wazuh mailing list
Hi!

Sorry for the delay, I am already analysing the issue you are facing. Let me check some details with my team and I will come back as soon as I have a solution.

Thank you for your patience!
Regards.

Bruno Santolin Dornelles Franco
May 29, 2023, 7:10:30 PM
to Wazuh mailing list
Hi Natalia,

Thank you very much!


Bruno Santolin Dornelles Franco
Jun 2, 2023, 9:31:58 AM
to Wazuh mailing list
Hi Natalia,

Any update?

Natalia Castillo
Jun 6, 2023, 2:13:58 PM
to Wazuh mailing list
Hi Bruno!

Thank you so much for your patience and sorry for the delay.

Analysing what you present, it could be that there is a problem with the vulnerability feeds. To be sure that they are being downloaded and validated correctly, you can add the specific path or URL in the server configuration (following the documentation). Try adding this and test again. You can validate that the feed is there with this query:

sqlite3 /var/ossec/queue/vulnerabilities/cve.db

Find more about it in this documentation: Querying the vulnerability database.

You can also run modulesd in debug mode and check the Vulnerability detector logs.

Try this and tell me how it goes!
If you have any further questions, don't hesitate to ask.
Regards.

Bruno Santolin Dornelles Franco
Jun 6, 2023, 5:41:23 PM
to Wazuh mailing list
Hi Natalia,

I followed your directions, but unfortunately it didn't work!
ossec.conf
2023-06-06_18h41_17.png
ossec_log.zip

Natalia Castillo
Jun 19, 2023, 3:12:01 AM
to Wazuh mailing list
Hi!

Debugging and trying to replicate your problem, I couldn't find what might be the reason it isn't working. It looks like everything is fine with the vulnerability feeds, but can you please check the database of the agents and check the corresponding feed? Here's a guide. This is to check for alerts and vulnerability information and make sure whether something is showing up there.

Also, since the SLES15 feed is up to date and the Syscollector configuration is correct, it might be that your agents may not have known vulnerabilities.

2023/06/06 21:36:40 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:1981 at wm_vuldet_linux_rm_nvd_not_affected_packages(): DEBUG: (5462): Package 'unzip' not vulnerable to 'CVE-2014-9913' since it is not affected (feed 'OVAL').

As well, to rule out a firewall problem, can you check the outbound firewall rule?
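The debug line quoted above is the kind of evidence that tells an operator whether the detector actually evaluated the SLES agent's packages, as opposed to the feed never being consulted. The following is an added example (not part of the thread and not Wazuh's own code) that parses wazuh-modulesd vulnerability-detector debug output of that exact shape and summarises, per feed and package, which CVEs were evaluated and dismissed; the sample log is constructed (the first line is the one from the thread, the CVE ids CVE-0000-000x and the last line are placeholders).

```python
import re
from collections import defaultdict

# Matches the "(5462): Package '...' not vulnerable to '...' ... (feed '...')"
# debug line format shown in the thread; other modulesd lines are skipped.
NOT_AFFECTED_RE = re.compile(
    r"^(?P<ts>\S+ \S+) wazuh-modulesd:vulnerability-detector\[\d+\] "
    r".*?DEBUG: \(5462\): Package '(?P<pkg>[^']+)' not vulnerable to "
    r"'(?P<cve>CVE-\d{4}-\d+)' since it is not affected \(feed '(?P<feed>[^']+)'\)\.$"
)


def summarize_not_affected(lines):
    """Return {feed: {package: sorted CVE ids}} for every 'not affected' decision.

    A populated result with an empty Vulnerabilities dashboard means the agent
    was scanned against the feed and simply had no affected packages; an empty
    result with no other detector output points at the feed or the scan itself.
    """
    summary = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = NOT_AFFECTED_RE.match(line.strip())
        if not m:
            continue  # unrelated debug output
        summary[m["feed"]][m["pkg"]].add(m["cve"])
    return {feed: {pkg: sorted(cves) for pkg, cves in pkgs.items()}
            for feed, pkgs in summary.items()}


# Constructed sample log. Line 1 is copied from the thread; the remaining
# lines are invented, with placeholder CVE ids and a non-matching filler line.
SAMPLE_LOG = """\
2023/06/06 21:36:40 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:1981 at wm_vuldet_linux_rm_nvd_not_affected_packages(): DEBUG: (5462): Package 'unzip' not vulnerable to 'CVE-2014-9913' since it is not affected (feed 'OVAL').
2023/06/06 21:36:40 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:1981 at wm_vuldet_linux_rm_nvd_not_affected_packages(): DEBUG: (5462): Package 'unzip' not vulnerable to 'CVE-0000-0001' since it is not affected (feed 'OVAL').
2023/06/06 21:36:41 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:1981 at wm_vuldet_linux_rm_nvd_not_affected_packages(): DEBUG: (5462): Package 'curl' not vulnerable to 'CVE-0000-0002' since it is not affected (feed 'OVAL').
2023/06/06 21:36:41 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:1981 at wm_vuldet_linux_rm_nvd_not_affected_packages(): DEBUG: (5462): Package 'curl' not vulnerable to 'CVE-0000-0002' since it is not affected (feed 'NVD').
2023/06/06 21:36:42 wazuh-modulesd:vulnerability-detector[8779] wm_vuln_detector.c:0 at placeholder(): DEBUG: (0000): constructed filler line that the parser must ignore.
"""

if __name__ == "__main__":
    for feed, pkgs in summarize_not_affected(SAMPLE_LOG.splitlines()).items():
        for pkg, cves in pkgs.items():
            print(f"{feed}: {pkg} evaluated against {len(cves)} CVE(s): {', '.join(cves)}")
```

Run it against the real file with `summarize_not_affected(open('/var/ossec/logs/ossec.log'))` after enabling modulesd debug logging; a SLES agent that yields no matches at all has not been scanned against the feed.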