Old dated CVEs are visible


Jayesh Auti

Sep 3, 2024, 3:56:15 AM
to Wazuh | Mailing List
Hi Wazuh Team,

As I can see, multiple old vulnerabilities of Google Chrome and MS Office are visible. Below are the CVEs:

CVE-2021-43905
CVE-2007-3109
CVE-2006-4694
CVE-2007-3282
CVE-2004-0848
CVE-1999-0794
CVE-2005-2127
CVE-2006-1540
CVE-2006-1311
CVE-2013-6662

Can you help me regarding this?

Regards,
Jayesh

Lamya Imam

Sep 3, 2024, 4:25:11 AM
to Wazuh | Mailing List

The vulnerabilities that you have shared are false positive detections.
It has already been reported on GitHub:
https://github.com/wazuh/wazuh/issues/24178
Please do keep track of the open issue for any progress!

Additionally, you can prevent the alerts from triggering by adding a custom rule for the CVEs, but the vulnerability will still be detected and will show in the vulnerability dashboard:
For example:
<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23505</if_sid>
    <field name="vulnerability.cve">^CVE-2006-1311$</field>
    <description>False positive</description>
  </rule>
</group>


Hope this answers your question!

Jayesh Auti

Sep 3, 2024, 6:26:32 AM
to Wazuh | Mailing List
Can you let me know in which file I should add the above configuration?

Lamya Imam

Sep 3, 2024, 6:34:27 AM
to Wazuh | Mailing List
Hello Jayesh Auti,

You can create the custom rules from the dashboard at:
Server management > Rules > Custom rules > local_rules.xml

Or, from the Wazuh manager using the CLI command:
vi /var/ossec/etc/rules/local_rules.xml

Hope this helps!

Jayesh Auti

Sep 5, 2024, 2:47:26 AM
to Wazuh | Mailing List
Hey,

I have used the below rule:

<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23505</if_sid>
    <field name="vulnerability.cve">^CVE-2006-1311$</field>
    <field name="vulnerability.cve">^CVE-2021-43905$</field>
    <field name="vulnerability.cve">^CVE-2007-3109$</field>
    <field name="vulnerability.cve">^CVE-2006-4694$</field>
    <field name="vulnerability.cve">^CVE-2007-3282$</field>
    <field name="vulnerability.cve">^CVE-2004-0848$</field>
    <field name="vulnerability.cve">^CVE-1999-0794$</field>
    <field name="vulnerability.cve">^CVE-2005-2127$</field>
    <field name="vulnerability.cve">^CVE-2006-1540$</field>

    <field name="vulnerability.cve">^CVE-2006-1311$</field>
    <field name="vulnerability.cve">^CVE-2013-6662$</field>

    <description>False positive</description>
  </rule>
</group>

and when I tested it, the output is:

**Messages:
INFO: (7202): Session initialized with token '96c9394f'

**Phase 1: Completed pre-decoding.
full event: '<group name="vulnerability-detector">'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '  <rule id="100010" level="0">'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <if_sid>23505</if_sid>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2006-1311$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2021-43905$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2007-3109$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2006-4694$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2007-3282$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2004-0848$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-1999-0794$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2005-2127$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2006-1540$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2006-1311$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <field name="vulnerability.cve">^CVE-2013-6662$</field>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '    <description>False positive</description>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '  </rule>'

**Phase 2: Completed decoding.
No decoder matched.

**Phase 1: Completed pre-decoding.
full event: '</group>'

**Phase 2: Completed decoding.
No decoder matched.

Just let me know whether it is right or wrong.

Thank You


Lamya Imam

Sep 12, 2024, 1:25:44 AM
to Wazuh | Mailing List
Hello Jayesh Auti!
Apologies for the delayed response, I was on leave and am just catching up now. Thank you for your patience.

As you can already see, the test output is not working.
To fix this, verify the rule ID as it appears in your environment, since this varies depending on severity, and create a rule like this:

<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23505</if_sid>
    <field name="vulnerability.cve">^CVE-2006-1311$</field>
    <description>False positive</description>
  </rule>

  <rule id="100011" level="0">
    <if_sid>23504</if_sid>
    <field name="vulnerability.cve">^CVE-2024-3651$</field>
    <description>False positive</description>
  </rule>
</group>


Let me know if this worked out for you!
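An added example, written for this thread and not Wazuh project code, that ties the two rule shapes together: the single rule with many `<field name="vulnerability.cve">` tags posted on Sep 5 and the one-rule-per-CVE form in the reply above. Several `<field>` tags inside one Wazuh rule must all match the same alert (they are ANDed), so a single rule listing eleven different CVEs can never fire; the script generates one `<rule>` per CVE and per parent rule ID instead, keeps the IDs inside the 100000-120000 range reserved for local rules, and drops duplicates such as the twice-listed CVE-2006-1311. The parent IDs 23504 and 23505 are taken from the thread and are an assumption about your ruleset (they depend on severity, as noted above). `matching_rule_ids` is a small stand-in for the engine's rule evaluation using Python's `re` in place of OS_Regex, which is exact for the anchored `^CVE-...$` literals used here; it is not a replacement for `wazuh-logtest`, which in the output above was fed the rule XML line by line as if it were events, hence "No decoder matched" for every line.

```python
"""Generate Wazuh local_rules.xml entries that silence known false-positive CVEs.

Added example, not Wazuh project code. It follows the pattern from the thread:
one <rule> per CVE, each with exactly one <field name="vulnerability.cve">,
anchored ^...$. Several <field> tags inside one rule must all match at the same
time (AND), which is why a single rule listing many CVEs never fires.
"""
import re
import xml.etree.ElementTree as ET

# A CVE identifier: CVE-<year>-<4 or more digits>.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Wazuh reserves this ID range for custom (local) rules.
CUSTOM_ID_MIN, CUSTOM_ID_MAX = 100000, 120000


def build_suppression_rules(cves, parent_sids, start_id=100010,
                            group="vulnerability-detector"):
    """Return (rules_xml, next_free_id) for a list of false-positive CVEs.

    parent_sids are the vulnerability-detector rule IDs to hook with <if_sid>
    (the thread uses 23504 and 23505; check your own ruleset, the ID depends
    on severity). Duplicate and differently-cased CVEs are collapsed.
    """
    seen = []
    for raw in cves:
        cve = raw.strip().upper()
        if not CVE_RE.match(cve):
            raise ValueError(f"not a CVE identifier: {raw!r}")
        if cve not in seen:
            seen.append(cve)
    n_rules = len(seen) * len(parent_sids)
    if start_id < CUSTOM_ID_MIN or start_id + n_rules - 1 > CUSTOM_ID_MAX:
        raise ValueError("rule IDs would leave the custom range 100000-120000")

    root = ET.Element("group", name=group)
    rule_id = start_id
    for cve in seen:
        for sid in parent_sids:
            rule = ET.SubElement(root, "rule", id=str(rule_id), level="0")
            ET.SubElement(rule, "if_sid").text = str(sid)
            # One anchored CVE per rule; the ID was validated, so no escaping needed.
            field = ET.SubElement(rule, "field", name="vulnerability.cve")
            field.text = f"^{cve}$"
            ET.SubElement(rule, "description").text = f"False positive: {cve}"
            rule_id += 1
    ET.indent(root, space="  ")
    return ET.tostring(root, encoding="unicode"), rule_id


def matching_rule_ids(rules_xml, parent_sid, cve):
    """Simulate evaluation of one vulnerability alert against the rules.

    A rule matches when parent_sid is in its <if_sid> and ALL of its
    vulnerability.cve patterns match. Python's re stands in for Wazuh's
    OS_Regex; for the anchored ^CVE-...$ literals used here both agree.
    """
    hits = []
    for rule in ET.fromstring(rules_xml).iter("rule"):
        sids = {int(s) for e in rule.findall("if_sid") for s in e.text.split(",")}
        if parent_sid not in sids:
            continue
        patterns = [f.text for f in rule.findall("field")
                    if f.get("name") == "vulnerability.cve"]
        if patterns and all(re.search(p, cve) for p in patterns):
            hits.append(int(rule.get("id")))
    return hits


# The rule shape posted in the thread, shortened to three CVEs: every <field>
# sits in ONE rule, so all three patterns would have to match the same alert.
MULTI_FIELD_RULE = """<group name="vulnerability-detector">
  <rule id="100010" level="0">
    <if_sid>23505</if_sid>
    <field name="vulnerability.cve">^CVE-2006-1311$</field>
    <field name="vulnerability.cve">^CVE-2021-43905$</field>
    <field name="vulnerability.cve">^CVE-2013-6662$</field>
    <description>False positive</description>
  </rule>
</group>"""


if __name__ == "__main__":
    # The CVE list from the thread (CVE-2006-1311 appears twice there).
    false_positives = ["CVE-2021-43905", "CVE-2007-3109", "CVE-2006-4694",
                       "CVE-2007-3282", "CVE-2004-0848", "CVE-1999-0794",
                       "CVE-2005-2127", "CVE-2006-1540", "CVE-2006-1311",
                       "CVE-2006-1311", "CVE-2013-6662"]
    xml_text, next_id = build_suppression_rules(false_positives, [23504, 23505])
    print(xml_text)
    print("next free rule id:", next_id)
    print("multi-field rule hits:", matching_rule_ids(MULTI_FIELD_RULE, 23505, "CVE-2006-1311"))
    print("per-CVE rules hits:  ", matching_rule_ids(xml_text, 23505, "CVE-2006-1311"))
```

Paste the printed `<group>` into `/var/ossec/etc/rules/local_rules.xml` and restart the manager; the level-0 rules keep the alerts out of the alert stream while, as noted earlier in the thread, the findings still appear in the vulnerability dashboard.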