Old Dated CVE's are visible
110 views
Skip to first unread message
Jayesh Auti
Sep 3, 2024, 3:56:15 AM9/3/24
to Wazuh | Mailing List
Hi Wazuh Team,
As I can see the multiple old vulnerabilities are visible of Google Chrome and MS Office. Below are the CVE's
As I can see the multiple old vulnerabilities are visible of Google Chrome and MS Office. Below are the CVE's
CVE-2021-43905
CVE-2007-3109
CVE-2006-4694
CVE-2007-3282
CVE-2004-0848
CVE-1999-0794
CVE-2005-2127
CVE-2006-1540
CVE-2006-1311
CVE-2013-6662
Can you help me regarding to this?
Regards,
Jayesh
CVE-2007-3109
CVE-2006-4694
CVE-2007-3282
CVE-2004-0848
CVE-1999-0794
CVE-2005-2127
CVE-2006-1540
CVE-2006-1311
CVE-2013-6662
Can you help me regarding to this?
Regards,
Jayesh
Message has been deleted
Lamya Imam
Sep 3, 2024, 4:25:11 AM9/3/24
to Wazuh | Mailing List
The vulnerabilities that you have shared are false positive detections.
It has already been reported on GitHub:
https://github.com/wazuh/wazuh/issues/24178
Please do keep track of the open issue for any progress!
Additionally, you can prevent the alerts from triggering by adding a custom rule for CVEs, but the vulnerability will be still detected and will show in the vulnerability Dashboard:
For example:
<group name="vulnerability-detector">
<rule id="100010" level="0">
<if_sid>23505</if_sid>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<description>False positive</description>
</rule>
</group>
Hope this answers your question!
Jayesh Auti
Sep 3, 2024, 6:26:32 AM9/3/24
to Wazuh | Mailing List
Can you let me know in which file I should I add above configuration?
Lamya Imam
Sep 3, 2024, 6:34:27 AM9/3/24
to Wazuh | Mailing List
Hello Jayesh Auti,
You can create the custom rules from the dashboard at:
Server management > Rules > Custom rules > local_rules.xml
Or, from the Wazuh manager using the CLI command:
vi /var/ossec/etc/rules/local_rules.xml
Hope this helps!
You can create the custom rules from the dashboard at:
Server management > Rules > Custom rules > local_rules.xml
Or, from the Wazuh manager using the CLI command:
vi /var/ossec/etc/rules/local_rules.xml
Hope this helps!
Jayesh Auti
Sep 5, 2024, 2:47:26 AM9/5/24
to Wazuh | Mailing List
Hey,
I have used the below rule
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<description>False positive</description>
</rule>
</group>
I have used the below rule
<group name="vulnerability-detector">
<rule id="100010" level="0">
<if_sid>23505</if_sid>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<rule id="100010" level="0">
<if_sid>23505</if_sid>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<field name="vulnerability.cve">^CVE-2021-43905$</field>
<field name="vulnerability.cve">^CVE-2007-3109$</field>
<field name="vulnerability.cve">^CVE-2006-4694$</field>
<field name="vulnerability.cve">^CVE-2007-3282$</field>
<field name="vulnerability.cve">^CVE-2004-0848$</field>
<field name="vulnerability.cve">^CVE-1999-0794$</field>
<field name="vulnerability.cve">^CVE-2005-2127$</field>
<field name="vulnerability.cve">^CVE-2006-1540$</field>
<field name="vulnerability.cve">^CVE-2007-3109$</field>
<field name="vulnerability.cve">^CVE-2006-4694$</field>
<field name="vulnerability.cve">^CVE-2007-3282$</field>
<field name="vulnerability.cve">^CVE-2004-0848$</field>
<field name="vulnerability.cve">^CVE-1999-0794$</field>
<field name="vulnerability.cve">^CVE-2005-2127$</field>
<field name="vulnerability.cve">^CVE-2006-1540$</field>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<field name="vulnerability.cve">^CVE-2013-6662$</field>
<description>False positive</description>
</rule>
</group>
and when I tested the out put is
**Messages:
INFO: (7202): Session initialized with token '96c9394f'
**Phase 1: Completed pre-decoding.
full event: '<group name="vulnerability-detector">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <rule id="100010" level="0">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <if_sid>23505</if_sid>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2021-43905$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3109$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-4694$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3282$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2004-0848$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-1999-0794$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2005-2127$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1540$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2013-6662$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <description>False positive</description>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' </rule>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: '</group>'
**Phase 2: Completed decoding.
No decoder matched.
just let me know it is right or wrong.
Thank You
INFO: (7202): Session initialized with token '96c9394f'
**Phase 1: Completed pre-decoding.
full event: '<group name="vulnerability-detector">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <rule id="100010" level="0">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <if_sid>23505</if_sid>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2021-43905$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3109$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-4694$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3282$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2004-0848$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-1999-0794$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2005-2127$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1540$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2013-6662$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <description>False positive</description>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' </rule>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: '</group>'
**Phase 2: Completed decoding.
No decoder matched.
just let me know it is right or wrong.
Thank You
**Messages:
INFO: (7202): Session initialized with token '96c9394f'
**Phase 1: Completed pre-decoding.
full event: '<group name="vulnerability-detector">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <rule id="100010" level="0">'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <if_sid>23505</if_sid>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2021-43905$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3109$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-4694$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2007-3282$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2004-0848$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-1999-0794$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2005-2127$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1540$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2006-1311$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <field name="vulnerability.cve">^CVE-2013-6662$</field>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' <description>False positive</description>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: ' </rule>'
**Phase 2: Completed decoding.
No decoder matched.
**Phase 1: Completed pre-decoding.
full event: '</group>'
**Phase 2: Completed decoding.
No decoder matched.
Message has been deleted
Lamya Imam
Sep 12, 2024, 1:25:44 AM9/12/24
to Wazuh | Mailing List
Hello Jayesh Auti!
Apologies for the delayed response, I was on leave and am just catching up now. Thank you for your patience.
As you can already see that the test output is not working.
To fix this, verify the rule ID as it appears in your environment, since this varies depending on severity, and create a rule like this:
<field name="vulnerability.cve">^CVE-2024-3651$</field>
Let me know if this worked out for you!
Apologies for the delayed response, I was on leave and am just catching up now. Thank you for your patience.
As you can already see that the test output is not working.
To fix this, verify the rule ID as it appears in your environment, since this varies depending on severity, and create a rule like this:
<group name="vulnerability-detector">
<rule id="100010" level="0">
<if_sid>23505</if_sid>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<description>False positive</description>
</rule>
<rule id="100010" level="0">
<if_sid>23505</if_sid>
<field name="vulnerability.cve">^CVE-2006-1311$</field>
<description>False positive</description>
</rule>
<rule id="100011" level="0">
<if_sid>23504</if_sid><field name="vulnerability.cve">^CVE-2024-3651$</field>
<description>False positive</description>
</rule>
</group>
</rule>
</group>
Reply all
Reply to author
Forward
0 new messages