How to exclude google chrome's vulnerability.


Prajapati Hitesh

Aug 27, 2023, 4:50:39 AM
to Wazuh | Mailing List
Hi,

I'm using Wazuh version 4.4.1. I need your help to exclude Google Chrome's vulnerability. Google Chrome's latest updates are not supported by Server 2012 R2, so it appears in Wazuh's vulnerability list. My issue has not been resolved even after trying the steps below in the past.



The vulnerability detection module has changed a lot since that post, but you can still apply some steps from there. I recommend the following:

1) First, create a list to include the vulnerabilities you do not want to report.
Create this list from the Wazuh Web UI in Management > CDB lists

2) Add the vulnerabilities to that file following the format CVE:Description.
Add the CVE under the key box and the Description under the value box

3) Add the list to the ossec.conf file using the <list> option.
You can do this from the Wazuh Web UI too, Management > Configuration

4) Compile the CDB list. This is not necessary anymore.

5) Create a rule that uses this list and ignores the vulnerability using level 0.
<group name="vulnerability-silence">
  <rule id="103777" level="0">
    <if_sid>23501</if_sid>
    <list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-black-list</list>
    <group>vulnerability-detector</group>
    <description>Ignore vulnerability</description>
  </rule>
</group>

Harshal Paliwal

Aug 28, 2023, 4:38:58 AM
to Wazuh | Mailing List
Hi,
Hope you are doing well today and thank you for using Wazuh.

You can ignore vulnerability alerts by adding custom rules. I suggest a rule like this one:

/var/ossec/etc/rules/local_rules.xml:

<group name="vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,">
  <rule id="123500" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.name">^CVE-2016-1585$</field>
    <field name="vulnerability.package.name">^libapparmor1$</field>
    <field name="vulnerability.package.condition">^Package unfixed$</field>
    <description>Ignoring vulnerability CVE-2016-1585 for libapparmor1</description>
  </rule>
</group>

Rules 23503, 23504, 23505, 23506 match vulnerabilities with different severity levels (from Low to Critical). Defining a rule with level=0 means that it won't produce an alert. The <field> options find different conditions in the event (as they appear in the alert). Maybe you're interested in having one or two criteria only, but this is only an example. That's up to you.
Please refer to https://documentation.wazuh.com/current/user-manual/ruleset/custom.html to know more about custom rules.

Hope this will be helpful. Please feel free to contact us for any information/issues. 

Regards,
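
A way to dry-run the rule from the reply above against sample events before loading it on the manager. This is an added example, not part of the original thread and not Wazuh's own code. It approximates rule evaluation with Python's `re` (an assumption that is adequate for these anchored literal patterns), and the function names and sample events are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Rule from the reply above; compliance tags in the group name are omitted here.
RULE_XML = """
<group name="vulnerability-detector,">
  <rule id="123500" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <field name="vulnerability.name">^CVE-2016-1585$</field>
    <field name="vulnerability.package.name">^libapparmor1$</field>
    <field name="vulnerability.package.condition">^Package unfixed$</field>
    <description>Ignoring vulnerability CVE-2016-1585 for libapparmor1</description>
  </rule>
</group>
"""

def load_rule(xml_text):
    """Return (parent rule ids, {field name: compiled pattern}) for the first <rule>."""
    rule = ET.fromstring(xml_text).find("rule")
    parents = {s.strip() for s in rule.findtext("if_sid", "").split(",") if s.strip()}
    fields = {f.get("name"): re.compile(f.text.strip()) for f in rule.findall("field")}
    return parents, fields

def lookup(event, dotted):
    """Walk a dotted key such as vulnerability.package.name; None if any part is missing."""
    for part in dotted.split("."):
        event = event.get(part) if isinstance(event, dict) else None
    return event

def unmet_conditions(event, parent_sid, rule_xml=RULE_XML):
    """List the conditions that stop the rule from matching; an empty list means silenced."""
    parents, fields = load_rule(rule_xml)
    unmet = [] if parent_sid in parents else ["if_sid"]
    for name, pattern in fields.items():
        value = lookup(event, name)
        # Every <field> must match: a missing key counts as a failed condition.
        if value is None or not pattern.search(str(value)):
            unmet.append(name)
    return unmet

# Constructed sample events (not real alerts), keyed the way the rule's <field> names expect.
MATCHING = {"vulnerability": {"name": "CVE-2016-1585",
            "package": {"name": "libapparmor1", "condition": "Package unfixed"}}}
OTHER_PKG = {"vulnerability": {"name": "CVE-2016-1585",
             "package": {"name": "apparmor", "condition": "Package unfixed"}}}
NO_CONDITION = {"vulnerability": {"name": "CVE-2016-1585", "package": {"name": "libapparmor1"}}}

if __name__ == "__main__":
    for ev in (MATCHING, OTHER_PKG, NO_CONDITION):
        print(unmet_conditions(ev, "23505") or "silenced")
```

Feeding it an alert exported from your own manager shows which `<field>` condition, if any, keeps the level 0 rule from matching.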

Prajapati Hitesh

Sep 13, 2023, 5:50:19 AM
to Wazuh | Mailing List
Hi Harshal,

I want to exclude vulnerabilities from the database. It's showing up in the vulnerability option in Wazuh Manager.
