Exclude / Whitelist Specific CVE Vulnerability Detection


Agra Dwi Saputra

May 13, 2022, 3:10:02 AM
to Wazuh mailing list
Hi,
I just installed a new Wazuh cluster (4.2.5) on EKS and onboarded some pilot devices.
I activated the Wazuh vulnerability detection feature and it works to scan for vulnerabilities on the devices.
The issue is that distributions won't raise the version number within a release; they just fix the package but keep the version number.
Can we use the ruleset to exclude this vulnerability?

I tried this solution but had no luck.


Thanks
Best Regards,
Agra Ds

Agra Dwi Saputra

May 13, 2022, 10:19:46 PM
to Miguel Keane, wa...@googlegroups.com
Hi Miguel,

I tried to create a local rule like this and then restarted the manager, but the vulnerability is still shown in the dashboard.
Is there something I'm missing?
[attachment: image.png]
[attachment: image.png]
Thank you.
Best regards,
Agra Ds

On Sat, 14 May 2022 at 08:05 Agra Dwi Saputra <6720...@student.uksw.edu> wrote:
Hi Miguel,

Thank you for the suggestion. I will try your custom rule.

Before that, I tried to create a CDB list (on both the Wazuh manager master and the Wazuh manager worker), but I can't find the script "/var/ossec/bin/ossec-makelists" or "/var/ossec/bin/wazuh-makelist" to compile the CDB list.
I tried to create the CDB list like this.
[attachment: cbd list.jpg]
After creating the CDB list, I tried to add it in the ruleset section of the config file "/var/ossec/etc/ossec.conf":
<list>etc/lists/vuln-whitelist</list>
[attachment: ruleset.jpg]
After that I tried to create a local rule and restarted the Wazuh manager master and worker.
[attachment: image.png]

I also tried this custom rule, but still no luck.
[attachment: image.png]

I will update you again with the result of your custom rule suggestion.

Thank you
Best Regards,
Agra Ds

On Fri, 13 May 2022 at 23:30 Miguel Keane <miguel...@wazuh.com> wrote:
>
> Hello Agra,
>
> Of course it's possible. The solutions suggested in the links you sent should also work on the current release, but you need to make sure to overwrite the correct rule.
>
> So, for example, to silence CVE alerts from 2019, 2018 and 2017, this custom rule should work:
>
> <group name="vulnerability-detector,">
>                 <rule id="23501" level="0" overwrite="yes">
>                             <decoded_as>json</decoded_as>
>                             <options>no_full_log</options>
>                             <field name="vulnerability.cve" negate="yes">CVE-2019-\.*|CVE-2018-\.*|CVE-2017-\.*</field>
>                           <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
>                 </rule>
> </group>
>
>
> You can be more specific. You also need to take into account the "Rule.id" that you are silencing. There are different IDs for Critical, High, Medium, or Low severity. So make sure to pick the correct one.
>
> You can also overwrite multiple IDs with multiple rules.
>
> Also, you can be more restrictive and silence particular CVEs with a CDB list.
>
> Let me know if you get it working with this!
>
> Best regards,
> Miguel Keane

Miguel Keane

May 16, 2022, 3:27:06 AM
to Agra Dwi Saputra, Wazuh mailing list
Hello Agra,

If we look at the rule ID, the rule ID being silenced in your local rule is 23501.

And the rule ID in the dashboard is 23506.

As I mentioned in my first message, you need to make sure to add multiple rules, one for each rule ID that you are silencing.

Best regards,

Miguel Keane
IT Security Engineer — Wazuh, Inc.

Miguel Keane

May 17, 2022, 6:17:42 AM
to Agra Dwi Saputra, Wazuh mailing list
Hello Agra,

To view further details on this, please open the `Events` section and open the event. There you will be able to see all changed parameters in detail.

In the rule that you sent, you are trying to match with a `regex` on the field `vulnerability.severity` that I don't think will fully match, resulting in the alert not being overwritten.

Instead of overwriting, let's try a different approach: making child rules that will silence particular alerts. For example:

<group name="vulnerability-detector,">
  <rule id="100001" level="0">
    <if_sid>23504</if_sid>
    <options>no_full_log</options>
    <!-- The child must MATCH the CVE to silence it; negate="yes" would invert
         this and silence every other CVE instead, so it is not used here. -->
    <field name="vulnerability.cve">CVE-2021-25635</field>
    <description>$(vulnerability.cve) affects $(vulnerability.package.name)</description>
  </rule>
</group>

Now, with this new rule, every time an alert with rule ID 23504 comes up, this child rule will check the field `vulnerability.cve`, and if it matches `CVE-2021-25635`, the alert will not be generated (because we have set the level to 0).

It is also important to understand that, to apply these changes, you need to restart. It will not affect data that you have already ingested, only new data. So make sure to force a new scan and check the results from after the changes to the ruleset were applied.

Let me know if this worked for you!

Best regards,

Miguel Keane
IT Security Engineer — Wazuh, Inc.

On Tue, May 17, 2022 at 2:58 AM Agra Dwi Saputra <6720...@student.uksw.edu> wrote:
Hi Miguel,

I tried to create multiple rules, but the vulnerability was still detected.
Is it true that the level of the rule follows the original rule?
And I added the name field with vulnerability.cve like this:
[attachment: image.png]

[attachment: image.png]
Thank you.
Best Regards,
Agra Ds
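The parent/child resolution described above, as an added Python model that is not Wazuh's own code: it shows how `<if_sid>`, a `<field negate="...">` match and level 0 decide whether a vulnerability-detector alert is emitted, why `negate="yes"` on the child rule inverts the intent, and how a CDB-list lookup (`<list field="vulnerability.cve" lookup="match_key">`) silences a whole allowlist instead. Rule 23504 and its level 13 are assumptions, and every CVE value other than CVE-2021-25635 is a constructed placeholder.

```python
import re

# Assumed for illustration: parent rule 23504 fires at level 13.
PARENT_LEVELS = {23504: 13}

def get_field(alert, dotted):
    """Resolve a dotted field name such as 'vulnerability.cve' in the alert JSON."""
    node = alert
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return ""
        node = node[part]
    return str(node)

def child_matches(rule, alert):
    """Mimic <field name=... negate=...>regex</field> or <list lookup="match_key">."""
    value = get_field(alert, rule["field"])
    if "cdb_keys" in rule:                      # CDB list: exact key lookup
        hit = value in rule["cdb_keys"]
    else:                                       # regex field match
        hit = re.search(rule["regex"], value) is not None
    return hit != rule.get("negate", False)     # negate="yes" inverts the result

def evaluate(parent_id, alert, child_rules):
    """Return (rule_id, level): the first child whose if_sid is the parent and
    whose condition holds replaces the parent's alert; otherwise the parent fires."""
    for rule in child_rules:
        if rule["if_sid"] == parent_id and child_matches(rule, alert):
            return rule["id"], rule["level"]
    return parent_id, PARENT_LEVELS[parent_id]

def is_silenced(parent_id, alert, child_rules):
    """Level 0 means Wazuh generates no alert for this event."""
    return evaluate(parent_id, alert, child_rules)[1] == 0

# Child rule as in the thread (no negate): silence one CVE under rule 23504.
SILENCE_ONE = [{"id": 100001, "if_sid": 23504, "level": 0,
                "field": "vulnerability.cve", "regex": r"^CVE-2021-25635$"}]
# Same rule with negate="yes": every OTHER CVE is silenced, CVE-2021-25635 keeps alerting.
SILENCE_ONE_NEGATED = [dict(SILENCE_ONE[0], negate=True)]
# CDB-list variant: keys of etc/lists/vuln-whitelist (one "CVE:reason" line each).
CDB_ALLOWLIST = [{"id": 100002, "if_sid": 23504, "level": 0, "field": "vulnerability.cve",
                  "cdb_keys": {"CVE-2021-25635", "CVE-2020-00000"}}]   # constructed keys

# Constructed alerts shaped like the fields the thread's rules refer to.
ALERT_TARGET = {"vulnerability": {"cve": "CVE-2021-25635", "package": {"name": "libssl"}}}
ALERT_OTHER = {"vulnerability": {"cve": "CVE-2022-00001", "package": {"name": "curl"}}}
```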

Agra Dwi Saputra

May 18, 2022, 1:21:05 AM
to Miguel Keane, Wazuh mailing list
Hi Miguel,

I modified the child rules like this, and now the vulnerability is not shown in the dashboard or the events.
[attachment: image.png]

But it is still shown in the Inventory. Is this expected?
[attachment: image.png]
Thank you
Best Regards,
Agra Ds
