Gap Identification in Wazuh: Vulnerability Risk Rating and Cross-Site Attack Detection

Harish kannan
1:12 AM (20 hours ago)
to Wazuh | Mailing List
Hello Wazuh Team,

We are a group of college students currently studying and exploring the Wazuh security platform. During our research, we identified a couple of potential gaps in the current implementation and would like to share them with you for consideration:

Vulnerability Risk Rating
Wazuh’s Vulnerability Detector module lists CVEs and related details but does not provide a built-in severity rating (e.g., High, Medium, Low) or CVSS score in a user-friendly manner.

This makes it harder for security teams to prioritize remediation efforts efficiently.

Cross-Site Attack Detection
Wazuh has strong log analysis capabilities but provides limited native support for detecting web-based vulnerabilities such as cross-site scripting (XSS) or cross-site request forgery (CSRF).

Currently, this requires additional integration with tools like ModSecurity or OWASP ZAP.

Recommendation:
Consider enhancing the Vulnerability Detector by integrating CVSS scoring or providing clearer risk prioritization within the dashboard.

Explore adding built-in detection or rules for common cross-site attacks to improve Wazuh’s web application security monitoring capabilities.

We appreciate the work the Wazuh team has done and hope these suggestions help further improve the platform.

We are also eager to work with your team.

Thank you,
Santhosh S
Akshai S
Harish K

hasitha.u...@wazuh.com
2:38 AM (18 hours ago)
to Wazuh | Mailing List
Hi Harish and team,

In the current Wazuh Vulnerability Detector module (enabled by default on the manager), we do integrate CVSS scores and severity ratings (e.g., Low, Medium, High, Critical) from sources like the Microsoft Security Updates (MSU), National Vulnerability Database (NVD), Open Source Vulnerabilities (OSV), Cybersecurity and Infrastructure Security Agency (CISA). These are pulled during scans that correlate your endpoint's software inventory (via Syscollector) with known CVEs, generating alerts with details like the CVSS v3 score (0-10 scale) and mapped severity.

Regarding your first query about CVSS scoring — yes, we do provide vulnerability severity ratings as High, Medium, and Low.

If you navigate to Threat Intelligence → Vulnerability Detection → Dashboard, you will see counts of vulnerabilities categorized as Critical, High, Medium, Low, and Pending evaluation.

[Attachment: Screenshot 2025-09-29 111615.png]

Additionally, you can go to Threat Intelligence → Vulnerability Detection → Inventory.
From there, add the relevant field to the table by selecting Available fields and searching for vulnerability.score.base.
This will display the base vulnerability score in the results.

By default, you can also view the severity level (High, Medium, Low, Critical) under the vulnerability.severity field.

[Attachment: Screenshot 2025-09-29 112131.png]
For more details, please refer to this: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html

Regarding Cross-Site Attack Detection, we have out-of-the-box rules in place in /var/ossec/ruleset/rules/0245-web_rules.xml, and you can also find other web attack-related rules in this file.

<rule id="31154" level="10" frequency="10" timeframe="120">
  <if_matched_sid>31105</if_matched_sid>
  <same_source_ip />
  <description>Multiple XSS (Cross Site Scripting) attempts </description>
  <description>from same source ip.</description>
  <mitre>
    <id>T1059</id>
  </mitre>
  <group>attack,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.7,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

<rule id="31105" level="6">
  <if_sid>31100</if_sid>
  <url>%3Cscript|%3C%2Fscript|script>|script%3E|SRC=javascript|IMG%20|</url>
  <url>%20ONLOAD=|INPUT%20|iframe%20</url>
  <description>XSS (Cross Site Scripting) attempt.</description>
  <mitre>
    <id>T1059.007</id>
  </mitre>
  <group>attack,pci_dss_6.5,pci_dss_11.4,pci_dss_6.5.7,gdpr_IV_35.7.d,nist_800_53_SA.11,nist_800_53_SI.4,tsc_CC6.6,tsc_CC7.1,tsc_CC8.1,tsc_CC6.1,tsc_CC6.8,tsc_CC7.2,tsc_CC7.3,</group>
</rule>

Wazuh is a comprehensive security information and event management (SIEM) and extended detection and response (XDR) platform that emphasises host-based monitoring, log analysis, and compliance. Therefore, yes, for now, you need to integrate with ModSecurity, Suricata, etc., to monitor web-based attacks. As you mentioned, yes, you can also integrate Wazuh with Suricata to detect network-related attacks. For example, you can check these third-party guides to enhance Wazuh detection regarding web-based attacks.

Ref:

https://www.packtpub.com/en-SG/product/security-monitoring-with-wazuh-9781837632152/chapter/chapter-1-intrusion-detection-system-ids-using-wazuh-2/section/testing-web-based-attacks-using-dvwa-ch02lvl1sec07

Official site of Wazuh Suricata integration for your reference: https://documentation.wazuh.com/current/proof-of-concept-guide/integrate-network-ids-suricata.html

I truly appreciate that you chose Wazuh to explore its detection capabilities. Your suggestion is also highly valued and fully accepted.
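Added example (not part of either message above, and not code from the Wazuh ruleset): a small Python emulation of rules 31105 and 31154 run over constructed Apache access-log lines. It shows which requests would raise the level-6 XSS alert and how ten of them from one source IP inside the 120-second timeframe escalate to the level-10 correlation alert. The log lines and IP addresses are made up, the case-insensitive literal substring matching is an assumption about how the `<url>` alternatives are evaluated, and the frequency counting is simplified; the rule engine itself is the authority, so the same lines should be confirmed against a manager with `/var/ossec/bin/wazuh-logtest`.

```python
"""Emulate Wazuh rules 31105 (XSS attempt) and 31154 (repeated XSS attempts, same IP).

Added illustration, not Wazuh code. It mirrors the rule semantics quoted above:
literal <url> alternatives, frequency=10 within timeframe=120 seconds, same_source_ip.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# The alternatives from the two <url> elements of rule 31105 ('|' separates them).
XSS_URL_PATTERNS = [
    "%3Cscript", "%3C%2Fscript", "script>", "script%3E", "SRC=javascript",
    "IMG%20", "%20ONLOAD=", "INPUT%20", "iframe%20",
]
FREQUENCY = 10   # rule 31154: frequency="10"
TIMEFRAME = 120  # rule 31154: timeframe="120" (seconds)

# Apache combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return {ip, ts, url} for an Apache combined log line, or None if it does not parse.
    Stands in for the access-log decoding that parent rule 31100 (if_sid of 31105) needs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "url": m.group("url")}


def matches_31105(url):
    """Rule 31105 fires when any <url> alternative occurs in the requested URL.
    Assumption: case-insensitive literal substring match; the thread does not state
    how the engine treats case, so confirm with wazuh-logtest."""
    lowered = url.lower()
    return any(p.lower() in lowered for p in XSS_URL_PATTERNS)


class XssCorrelator:
    """Rule 31154: FREQUENCY matches of 31105 from one source IP within TIMEFRAME seconds."""

    def __init__(self, frequency=FREQUENCY, timeframe=TIMEFRAME):
        self.frequency = frequency
        self.timeframe = timeframe
        self.hits = defaultdict(deque)  # source ip -> timestamps of recent 31105 matches

    def process(self, event):
        """Return the rule id raised for this event (31105 or 31154), or None."""
        if not matches_31105(event["url"]):
            return None
        window = self.hits[event["ip"]]
        window.append(event["ts"])
        # Expire matches older than the timeframe, measured from the current event.
        while (event["ts"] - window[0]).total_seconds() > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()  # Simplification: start a fresh window after the correlated alert.
            return 31154    # The event completing the window is reported as the level-10 alert.
        return 31105


def run(lines):
    """Feed log lines through both rules; return one (ip, rule_id, url) tuple per alert."""
    corr = XssCorrelator()
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        rule_id = corr.process(event)
        if rule_id is not None:
            alerts.append((event["ip"], rule_id, event["url"]))
    return alerts


# Constructed sample log (not real traffic): one benign request, one isolated XSS
# probe, then ten probes from a single IP spread over 81 seconds.
_BASE = datetime(2025, 9, 29, 11, 15, 0, tzinfo=timezone.utc)


def _line(ip, offset_seconds, url):
    ts = (_BASE + timedelta(seconds=offset_seconds)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {url} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'


SAMPLE_LOG = [
    _line("198.51.100.7", 0, "/index.php?page=home"),
    _line("198.51.100.7", 5, "/search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
] + [
    _line("203.0.113.5", 60 + 9 * i, f"/comment?text=%3Cscript%3Ealert({i})%3C%2Fscript%3E")
    for i in range(10)
]

if __name__ == "__main__":
    for ip, rule_id, url in run(SAMPLE_LOG):
        print(f"rule {rule_id} src={ip} url={url}")
```

Because the `<url>` alternatives are literal tokens, a URL-encoded payload that avoids them, for instance `%3Ca%20href=javascript:alert(1)%3E`, never reaches rule 31105 at all, which is the practical reason the reply points to ModSecurity or Suricata for fuller web-attack coverage.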