Vulnerability Detection - Path to Updates by URL


DG

Mar 28, 2023, 11:26:58 AM
to Wazuh mailing list
Hello Team,

Getting this error  "wazuh-modulesd:vulnerability-detector WARNING (5500): The 'Debian Bullseye' database could not be fetched"

Wazuh is behind a proxy and in a docker container. Is there a particular script that is pulling down these CVEs? If anyone has the direct path to the script with the url paths, that would be great.

Thanks!

Leandro David Sayanes

Mar 28, 2023, 1:06:15 PM
to Wazuh mailing list
Hi DG! 
I will try to help you. 

You can follow this document to configure Vulnerability Detector behind a proxy. In your case for Bullseye, here is the URL of the feed.
As you can see, the feeds are hyperlinked to table files, so you can get the feed link from there.

There is no particular script to download that.
You can use commands like wget or curl, in a bash script with which you could download from the feed like:


curl -o oval-definitions-bullseye.xml https://www.debian.org/security/oval/oval-definitions-bullseye.xml



Here is an example of a similar case:  

downloaded correctly:
curl -o nvdcve-1.1-2020.json.gz https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-2020.json.gz
If not, for vulnerability detector to work properly without access to online feeds, there are two alternatives (via offline update):
  • Use the <os url> field to connect to a local network that has the necessary feeds to download them.
<provider name="nvd">
  <enabled>yes</enabled>
  <url start="2010" end="2022">http://local_repo/nvd-feed[-].json.gz</url>
  <update_interval>1h</update_interval>
</provider>
<provider name="msu">
  <enabled>yes</enabled>
  <url>http://local_repo/msu-updates.json.gz</url>
  <update_interval>1h</update_interval>
</provider>
  • Use the <os path> field to establish a local path on the computer that contains the necessary feeds.
<provider name="nvd">
  <enabled>yes</enabled>
  <path>/local_path/nvd-feed.*json$</path>
  <update_interval>1h</update_interval>
</provider>
<provider name="msu">
  <enabled>yes</enabled>
  <path>/local_path/msu-updates.json.gz</path>
  <update_interval>1h</update_interval>
</provider>


I hope this helps you!
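
Added example, not part of the thread and not Wazuh's own code: a POSIX shell helper for the offline approach in the post above. It downloads a feed through the proxy and moves it into the local path only after checking that the response is a real feed rather than a proxy error page. `PROXY_URL`, the function names and the destination path are assumptions.

```shell
#!/bin/sh
# Added example (not Wazuh code). PROXY_URL, the function names and the
# destination path are assumptions; the feed URLs are the ones in the thread.

# feed_ok FILE: succeed only if FILE looks like a feed, not a proxy error page.
feed_ok() {
    f=$1
    [ -s "$f" ] || return 1                        # missing or empty download
    case "$f" in
        *.json.gz)
            gzip -t "$f" 2>/dev/null || return 1   # truncated or not gzip at all
            # Decompressed payload must start like a JSON document.
            gzip -dc "$f" 2>/dev/null | head -c 64 | grep -q '^[[:space:]]*[{[]' ;;
        *.xml)
            # Debian OVAL files carry an <oval_definitions> root element.
            head -c 4096 "$f" | grep -q '<oval_definitions' ;;
        *)  return 1 ;;                            # unknown feed type: reject
    esac
}

# fetch_feed URL DEST: download (through PROXY_URL if set), validate, then
# replace DEST atomically so the detector never reads a partial or bogus file.
fetch_feed() {
    url=$1
    dest=$2
    tmp="$(dirname "$dest")/.part.$(basename "$dest")"   # keeps the extension
    if ! curl --fail --silent --show-error --location \
            ${PROXY_URL:+--proxy "$PROXY_URL"} -o "$tmp" "$url"; then
        rm -f "$tmp"
        return 1
    fi
    if feed_ok "$tmp"; then
        mv -f "$tmp" "$dest"
    else
        rm -f "$tmp"
        echo "rejected $url: response is not a valid feed" >&2
        return 1
    fi
}

# Usage: PROXY_URL=http://proxy.example:3128 sh mirror_feed.sh URL DEST
if [ "$#" -eq 2 ]; then
    fetch_feed "$1" "$2"
fi
```

Run it from cron on a host that can reach the proxy, with DEST inside the directory the `<path>` option points to.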

Leandro David Sayanes

Mar 29, 2023, 11:18:35 AM
to Red Team, Wazuh mailing list
Hello Red Team!

Unfortunately this is related to this issue.
You can try step 2 (4 & 6) where you set the environment variable in the wazuh-manager.service indicating the proxy.

You can also take a look at this comment 

Sorry, we're working on it!

On Wed, Mar 29, 2023 at 9:26 AM Red Team <rtea...@gmail.com> wrote:
Thanks Leandro.

I'm actually looking for the specific program in wazuh manager config to point the proxy to. I am using docker and in order for some of the python programs to work, I had to set the proxy in certain python scripts since the env variable is not being picked up by wazuh. Can you point me to the location of the script so I can review the code of the program?

Example: In order for azure O365 alerts to be pulled from Azure, the integration python script needed to be pointed to a proxy.  The Linux global environment variable was not being picked up by the individual python scripts.

# Set Proxies as a global variable
proxies = {'https': 'http://x.x.x.x', 'http': 'http://x.x.x.x'}


Red Team

Mar 30, 2023, 4:25:37 AM
to Leandro David Sayanes, Wazuh mailing list
Thanks Leandro.

I'm actually looking for the specific program in wazuh manager config to point the proxy to. I am using docker and in order for some of the python programs to work, I had to set the proxy in certain python scripts since the env variable is not being picked up by wazuh. Can you point me to the location of the script so I can review the code of the program?

Example: In order for azure O365 alerts to be pulled from Azure, the integration python script needed to be pointed to a proxy.  The Linux global environment variable was not being picked up by the individual python scripts.

# Set Proxies as a global variable
proxies = {'https': 'http://x.x.x.x', 'http': 'http://x.x.x.x'}
