Can't find package location


Sep Tim
Aug 24, 2021, 2:18:52 PM
to Wazuh mailing list
Hello, team! I'm having trouble finding the installation location for some vulnerable packages that Wazuh detected, even though it does display the location of some other packages. Is there some place other than the GUI where I could check this information? Thanks in advance!

Emiliano Zorn
Aug 24, 2021, 6:08:27 PM
to Wazuh mailing list

Hello Sep Tim!

You can check the information directly from the logs.
If you mean where you can find the alert message, you can do it inside Kibana (WAZUH) -> Security events, in the address of the location field of your alert event.
Usually these events can be found in /var/log/* or /var/ossec/log/*.

Write back if you need more help! I'll be waiting for your response.

Regards,
Emiliano Zorn.

Sep Tim
Aug 25, 2021, 1:08:23 AM
to Wazuh mailing list
Hello, Emiliano! First of all, thank you for your time.
I think I wasn't as clear as I thought I was when I first phrased my question. My issue is precisely with the Kibana -> Vulnerabilities module. I was trying to find a way to (remotely, from the manager) know where it is in the agent's system that Wazuh detected the installed vulnerable package. For example: Wazuh detects that host A has Flash installed, and generates a Vulnerabilities event. Is it possible to view in this event, or on the agent's dashboard, where exactly Flash is installed?

Cheers

Hanes Nahuel Sciarrone
Aug 25, 2021, 11:30:47 AM
to Wazuh mailing list
Hi Sep Tim!

We are talking with Emiliano and we'll try to help you together. First, I would like to see your vulnerability detector configuration to understand the context. Could you please share your vulnerability detector configuration with us?
Also, I would like to see some example packages with the issue. Could you please send us a screenshot where you see a package that shows the path and another one that does not?

Best regards
Hanes

Sep Tim
Aug 26, 2021, 12:36:30 PM
to Wazuh mailing list
Hello, Hanes! We are currently running the vulnerability detector on the default configuration. I will now attach an example that illustrates our current problem: in the exported CSV obtained from the Inventory Data section, you can see that many packages have their locations in the corresponding column, but some of them don't (for example, Oracle VM VirtualBox).

[attachment: missing_location.png]

We would be very grateful if you could help us with this! Thank you in advance.

Hanes Nahuel Sciarrone
Aug 26, 2021, 3:07:10 PM
to Wazuh mailing list
Hi Sep Tim!

I could see your issue. I would like to see the ossec.conf on the agent side to understand your configuration a bit more. Could you please send me your ossec.conf file? Also, if you run the Wazuh agent on Windows, which apparently is the case, you should see a <hotfixes>yes</hotfixes> field in the ossec.conf file.

Best regards
Hanes

Sep Tim
Aug 27, 2021, 9:42:17 AM
to Wazuh mailing list
Hello, Hanes! I hope you're having a great day. I will dump my agent's ossec.conf file's contents here, as you asked!

<!--
  Wazuh - Agent - Default configuration for Windows
-->

<ossec_config>

  <client>
    <server>
      <address>[REDACTED]</address>
      <port>1514</port>
      <protocol>tcp</protocol>
    </server>
    <crypto_method>aes</crypto_method>
    <notify_time>10</notify_time>
    <time-reconnect>60</time-reconnect>
    <auto_restart>yes</auto_restart>
  </client>

  <!-- Agent buffer options -->
  <client_buffer>
    <disabled>no</disabled>
    <queue_size>5000</queue_size>
    <events_per_second>500</events_per_second>
  </client_buffer>

  <!-- Log analysis -->
  <localfile>
    <location>Application</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>Security</location>
    <log_format>eventchannel</log_format>
    <query>Event/System[EventID != 5145 and EventID != 5156 and EventID != 5447 and
      EventID != 4656 and EventID != 4658 and EventID != 4663 and EventID != 4660 and
      EventID != 4670 and EventID != 4690 and EventID != 4703 and EventID != 4907 and
      EventID != 5152 and EventID != 5157]</query>
  </localfile>

  <localfile>
    <location>System</location>
    <log_format>eventchannel</log_format>
  </localfile>

  <localfile>
    <location>active-response\active-responses.log</location>
    <log_format>syslog</log_format>
  </localfile>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <windows_apps>./shared/win_applications_rcl.txt</windows_apps>
    <windows_malware>./shared/win_malware_rcl.txt</windows_malware>
  </rootcheck>

  <!-- Security Configuration Assessment -->
  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <!-- File integrity monitoring -->
  <syscheck>

    <disabled>no</disabled>

    <!-- Frequency that syscheck is executed default every 12 hours -->
    <frequency>43200</frequency>

    <!-- Default files to be monitored. -->
    <directories recursion_level="0" restrict="regedit.exe$|system.ini$|win.ini$">%WINDIR%</directories>

    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedt32.exe|regsvr32.exe|runas.exe|sc.exe|schtasks.exe|sethc.exe|subst.exe$">%WINDIR%\SysNative</directories>
    <directories recursion_level="0">%WINDIR%\SysNative\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\SysNative\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\SysNative\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\SysNative</directories>

    <!-- 32-bit programs. -->
    <directories recursion_level="0" restrict="at.exe$|attrib.exe$|cacls.exe$|cmd.exe$|eventcreate.exe$|ftp.exe$|lsass.exe$|net.exe$|net1.exe$|netsh.exe$|reg.exe$|regedit.exe$|regedt32.exe$|regsvr32.exe$|runas.exe$|sc.exe$|schtasks.exe$|sethc.exe$|subst.exe$">%WINDIR%\System32</directories>
    <directories recursion_level="0">%WINDIR%\System32\drivers\etc</directories>
    <directories recursion_level="0" restrict="WMIC.exe$">%WINDIR%\System32\wbem</directories>
    <directories recursion_level="0" restrict="powershell.exe$">%WINDIR%\System32\WindowsPowerShell\v1.0</directories>
    <directories recursion_level="0" restrict="winrm.vbs$">%WINDIR%\System32</directories>

    <directories realtime="yes">%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup</directories>

    <ignore>%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini</ignore>

    <ignore type="sregex">.log$|.htm$|.jpg$|.png$|.chm$|.pnf$|.evtx$</ignore>

    <!-- Windows registry entries to monitor. -->
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\batfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\cmdfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\comfile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\exefile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\piffile</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\AllFilesystemObjects</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Directory</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Classes\Folder</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Classes\Protocols</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Policies</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Security</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer</windows_registry>

    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\KnownDLLs</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce</windows_registry>
    <windows_registry>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\URL</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows</windows_registry>
    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon</windows_registry>

    <windows_registry arch="both">HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components</windows_registry>

    <!-- Windows registry entries to ignore. -->
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\Policy\Secrets</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Security\SAM\Domains\Account\Users</registry_ignore>
    <registry_ignore type="sregex">\Enum$</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\AppCs</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSIn</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\IPTLSOut</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PolicyAgent\Parameters\Cache</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnceEx</registry_ignore>
    <registry_ignore>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ADOVMPPackage\Final</registry_ignore>

    <!-- Frequency for ACL checking (seconds) -->
    <windows_audit_interval>60</windows_audit_interval>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <!-- CIS policies evaluation -->
  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>

    <java_path>\\server\jre\bin\java.exe</java_path>
    <ciscat_path>C:\cis-cat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <bin_path>C:\Program Files\osquery\osqueryd</bin_path>
    <log_path>C:\Program Files\osquery\log\osqueryd.results.log</log_path>
    <config_path>C:\Program Files\osquery\osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- Active response -->
  <active-response>
    <disabled>no</disabled>
    <ca_store>wpk_root.pem</ca_store>
    <ca_verification>yes</ca_verification>
  </active-response>

  <!-- Choose between plain or json format (or both) for internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

</ossec_config>

<!-- END of Default Configuration. -->


I looked for 'hotfixes' on the file, but could not find it.

Thank you in advance!

Hanes Nahuel Sciarrone
Aug 27, 2021, 12:32:05 PM
to Wazuh mailing list
Hi Sep Tim!

I saw your ossec.conf; it looks good. Let me explain how the vulnerability detector works on Wazuh to clarify some concepts. The vulnerability detector consumes the data gathered by Syscollector and compares it with the vulnerability database used by Wazuh to flag vulnerable packages. So, could you please go to Dev tools in the Kibana interface and execute the following query?

GET /syscollector/009/packages

You should change the 009 ID to the agent ID that has issues. I attached an image as an example where you can see the result of the query.
When you have it, could you please search for any vulnerable package without a location that appears in the vulnerability detector interface and compare it with the JSON of the query to see whether it has the "location" field?

If it doesn't have it, I would think that the problem comes from Syscollector.
A few days ago, Wazuh announced the new release 4.2, where Syscollector was modified. This release may solve the issue, so I would suggest updating to Wazuh 4.2.
If the problem continues, we can open a new issue to tackle this.

Best regards
Hanes

[attachment: Dev tools Kibana.png]
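The check Hanes describes above (pull the agent's Syscollector package inventory and look for entries without a "location" field) can be automated against the Wazuh API instead of eyeballing the Dev tools JSON. The script below is an added example written for this page; it is not code from the thread or from the Wazuh project. It assumes the Wazuh 4.x REST API shape: a POST to /security/user/authenticate with HTTP Basic credentials returning a JWT under data.token, and GET /syscollector/<agent_id>/packages returning the packages under data.affected_items with data.total_affected_items for paging via limit/offset. The sample response embedded in the script is constructed for the example, modelled on the VirtualBox case from the thread, and a package whose location is absent or blank is counted as missing.

```python
"""Added example (not from the thread or the Wazuh project): list packages that
Syscollector reported for one agent without a usable "location".

Assumptions (not stated in the thread): Wazuh 4.x API layout, i.e.
  POST /security/user/authenticate -> {"data": {"token": "<jwt>"}}
  GET  /syscollector/<agent_id>/packages?limit=N&offset=M
       -> {"data": {"affected_items": [...], "total_affected_items": T}}
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, Iterable, List

# Constructed sample response (not real API output), shaped as assumed above.
SAMPLE_RESPONSE = {
    "data": {
        "affected_items": [
            {"name": "Mozilla Firefox", "version": "91.0", "vendor": "Mozilla",
             "format": "win", "location": "C:\\Program Files\\Mozilla Firefox"},
            {"name": "Oracle VM VirtualBox", "version": "6.1.26",
             "vendor": "Oracle Corporation", "format": "win"},   # no location key
            {"name": "Adobe Flash Player", "version": "32.0.0.465",
             "vendor": "Adobe", "format": "win", "location": " "},  # blank
            {"name": "7-Zip", "version": "19.00", "vendor": "Igor Pavlov",
             "format": "win", "location": "C:\\Program Files\\7-Zip\\"},
        ],
        "total_affected_items": 4,
    },
    "error": 0,
}


def has_location(pkg: Dict) -> bool:
    """True only when the package carries a non-blank install path."""
    loc = pkg.get("location")
    return isinstance(loc, str) and loc.strip() != ""


def packages_without_location(items: Iterable[Dict]) -> List[str]:
    """Return 'name version' for every package lacking a location, sorted."""
    return sorted(f"{p.get('name', '?')} {p.get('version', '?')}"
                  for p in items if not has_location(p))


def summarize(response: Dict) -> Dict:
    """Reduce one API response to counts plus the list of offending packages."""
    items = response.get("data", {}).get("affected_items", [])
    missing = packages_without_location(items)
    return {"total": len(items), "missing_count": len(missing), "missing": missing}


def fetch_packages(base_url: str, agent_id: str, user: str, password: str,
                   verify_tls: bool = True, page: int = 500) -> List[Dict]:
    """Pull the full package inventory of one agent, following limit/offset.

    Network access only happens here; nothing else in the module touches it.
    verify_tls=False is only acceptable against a lab manager still using the
    default self-signed API certificate.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    creds = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(f"{base_url}/security/user/authenticate",
                                 method="POST",
                                 headers={"Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["data"]["token"]
    items: List[Dict] = []
    offset = 0
    while True:
        url = (f"{base_url}/syscollector/{agent_id}/packages"
               f"?limit={page}&offset={offset}")
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, context=ctx) as resp:
            data = json.load(resp)["data"]
        items.extend(data["affected_items"])
        offset += page
        if not data["affected_items"] or offset >= data["total_affected_items"]:
            break
    return items


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_packages(...) for a
    # live manager, e.g. fetch_packages("https://manager:55000", "009", "wazuh", "...").
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```

Run against a live manager, the script pages through the whole inventory rather than trusting the Dev tools console's default page size, and it reports a package as location-less whether the key is absent or merely blank, which is the distinction worth checking before blaming Syscollector. Change the default wazuh:wazuh API credentials before pointing this at anything outside a lab.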