Can I exclude Vulnerabilities found on Wazuh 4.4


Prajapati Hitesh

Aug 2, 2023, 12:49:08 PM
to Wazuh mailing list
Hi,

Can I exclude vulnerabilities found on Wazuh 4.4?

I have configured the settings as per the link https://groups.google.com/g/wazuh/c/3g_TSKNU6kc

But I'm not able to compile the CDB list. Error message: No such file or directory.

Carlos Dams

Aug 2, 2023, 3:22:45 PM
to Wazuh mailing list
Hi Prajapati,
Thanks for using Wazuh!

The vulnerability detection module has changed a lot since that post, but you can still apply some steps from there. I recommend the following:

1) First, create a list to include the vulnerabilities you do not want to report.
Create this list from the Wazuh Web UI in Management > CDB lists

2) Add the vulnerabilities to that file following the format CVE:Description.
Add the CVE under the key box and the Description under the value box

3) Add the list to the ossec.conf file using the <list> option.
You can do this from the Wazuh Web UI too, Management > Configuration

4) Compile the CDB list. This is no longer necessary.

5) Create a rule that uses this list and ignores the vulnerability using level 0.
<group name="vulnerability-silence">
  <!-- Child of the vulnerability-detector base rule; level 0 means no alert is generated -->
  <rule id="103777" level="0">
    <if_sid>23501</if_sid>
    <!-- match_key: the rule matches only when the exact CVE ID is a key in the CDB list -->
    <list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-black-list</list>
    <group>vulnerability-detector</group>
    <description>Ignore vulnerability</description>
  </rule>
</group>

This will silence the alert in Wazuh that you can find in Security Events or in the Events tab of Vulnerability Detection. However, the vulnerability will still be available from the Inventory tab of the Vulnerability Detection module; in that case you would have to manipulate the file /var/ossec/queue/db/<agent-ID>.db.
More information about the Vulnerability detection module can be found here: Vulnerability detection

I hope you find this information useful

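Putting steps 1 to 5 together, as an added example that is not part of the thread or of Wazuh's own code: a small Python script that writes the suppression list in the plain key:value form a CDB list uses, reads it back, and emulates the lookup="match_key" check of the level-0 rule above against a few constructed vulnerability-detector alerts (the data.vulnerability.cve layout follows the 4.4 alert format; the file name, the CVE IDs and the reasons are assumptions made for the example). It also shows why the key must be written exactly as it appears in the alert: match_key is an exact string comparison, so a lowercase entry never matches.

```python
"""Build a Wazuh CDB suppression list for vulnerability-detector alerts and
check which constructed alerts the level-0 rule would silence.
Added example: the file name, CVE IDs and reasons are assumptions."""
from __future__ import annotations

import re

# CDB lists are plain 'key:value' lines and match_key is an exact comparison,
# so keys are normalised to the canonical upper-case CVE form before writing.
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def is_valid_cve(cve: str) -> bool:
    """True for a well-formed, upper-case CVE identifier."""
    return bool(CVE_RE.match(cve))


def render_cdb_list(entries: dict[str, str]) -> str:
    """Render {cve: reason} as CDB 'key:value' lines, rejecting malformed IDs."""
    lines = []
    for cve, reason in sorted(entries.items()):
        cve = cve.strip().upper()
        if not is_valid_cve(cve):
            raise ValueError(f"not a CVE identifier: {cve!r}")
        lines.append(f"{cve}:{reason}")
    return "\n".join(lines) + "\n"


def parse_cdb_list(text: str) -> dict[str, str]:
    """Parse CDB text back into {key: value}.  Only the first ':' separates the
    key from the value, so a reason may itself contain colons.  Duplicate keys
    are rejected here because one key can only carry one entry."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep or key in entries:
            raise ValueError(f"bad or duplicate CDB line: {raw!r}")
        entries[key] = value
    return entries


def is_silenced(alert: dict, suppressed: dict[str, str]) -> bool:
    """Emulate <list field="vulnerability.cve" lookup="match_key">: the rule
    fires (and at level 0 silences the alert) only when the field's exact
    value is a key of the list."""
    cve = alert.get("data", {}).get("vulnerability", {}).get("cve")
    return cve in suppressed


def triage(alerts: list[dict], list_text: str) -> tuple[list[str], list[str]]:
    """Split alerts into (silenced, still_reported) CVE lists."""
    suppressed = parse_cdb_list(list_text)
    silenced: list[str] = []
    reported: list[str] = []
    for alert in alerts:
        cve = alert["data"]["vulnerability"]["cve"]
        (silenced if is_silenced(alert, suppressed) else reported).append(cve)
    return silenced, reported


# Constructed suppression entries (assumed; not real risk decisions).
# The second key is deliberately lower-case to show that render_cdb_list normalises it.
SUPPRESSIONS = {
    "CVE-2019-18276": "bash: setuid bash not used on these hosts, accepted risk",
    "cve-2021-33909": "kernel: patch scheduled, reviewed by platform team",
}
SUPPRESS_LIST_TEXT = render_cdb_list(SUPPRESSIONS)

# Constructed vulnerability-detector alerts in the 4.4 data.vulnerability layout.
SAMPLE_ALERTS = [
    {"data": {"vulnerability": {"cve": "CVE-2019-18276", "package": {"name": "bash"}}}},
    {"data": {"vulnerability": {"cve": "CVE-2021-33909", "package": {"name": "linux-image-generic"}}}},
    {"data": {"vulnerability": {"cve": "CVE-2021-3999", "package": {"name": "libc6"}}}},
]

if __name__ == "__main__":
    # Scratch file in the current directory; the real list lives under
    # /var/ossec/etc/lists/ on the manager (the name vuln-black-list is assumed).
    with open("vuln-black-list", "w", encoding="utf-8") as fh:
        fh.write(SUPPRESS_LIST_TEXT)
    silenced, reported = triage(SAMPLE_ALERTS, SUPPRESS_LIST_TEXT)
    print("silenced:", silenced)
    print("reported:", reported)
```

The written file is what you would paste into the CDB list editor (or copy to /var/ossec/etc/lists/ and reference with the <list> option); triage() is only a local check that the entries and the alert field line up before you restart the manager.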
Prajapati Hitesh

Aug 5, 2023, 6:11:19 AM
to Wazuh mailing list
Thanks Carlos, I'll check this.

Prajapati Hitesh

Aug 7, 2023, 10:29:57 AM
to Wazuh mailing list
Can you guide me on how to manipulate the CVE?

Carlos Dams

Aug 8, 2023, 2:48:42 PM
to Wazuh mailing list
Hi Prajapati,

Yes, you could delete an entry for a particular agent from the database, but it will appear again after a partial VD scan is run in the agent.
If you want to do this you could do the following:
1. Get the title of the vulnerability from the Wazuh Dashboard
2. Go to the endpoint where you want to remove that vulnerability
3. Start the SQLite3 command prompt to that particular agent, for example: sqlite3 /var/ossec/queue/db/001.db
4. Execute the command to remove the row, for example: DELETE FROM vuln_cves WHERE title = 'CVE-2019-18276 affects bash';
Alternatively, you can use other columns and conditions to make sure you do not erase more than one vulnerability found.
Screenshot: screenshotSQLite3Vuln.png
For a more permanent solution that works across other agents you would have to manipulate many tables from the database /var/ossec/queue/vulnerabilities/cve.db

I hope you find this information useful.

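The deletion above, as an added example that is not part of the thread or of Wazuh: a Python script that works on a constructed, reduced copy of the vuln_cves table (the column names are assumed; confirm them with .schema vuln_cves on the real /var/ossec/queue/db/<agent-ID>.db, and work on a backup of that file) and refuses to delete unless the condition matches exactly one row, which is the "do not erase more than one vulnerability" check Carlos mentions. The rows are made up: one bash finding and the same kernel CVE on two installed kernel packages, so a condition on the CVE alone is ambiguous.

```python
"""Remove one vulnerability row from a copy of a Wazuh agent DB, safely.
Added example, not Wazuh code: the table below is a constructed, reduced
version of vuln_cves (column names assumed) and the rows are made up."""
import sqlite3

# Real path from the thread; the example uses an in-memory copy instead.
AGENT_DB_PATH = "/var/ossec/queue/db/001.db"

SCHEMA = """
CREATE TABLE vuln_cves (
    name         TEXT NOT NULL,
    version      TEXT NOT NULL,
    architecture TEXT,
    cve          TEXT NOT NULL,
    status       TEXT,
    severity     TEXT,
    title        TEXT
);
"""

# Constructed rows: one bash finding, and one kernel CVE on two kernel packages.
SAMPLE_ROWS = [
    ("bash", "5.0-6ubuntu1", "amd64", "CVE-2019-18276", "VALID", "High",
     "CVE-2019-18276 affects bash"),
    ("linux-image-5.4.0-100-generic", "5.4.0-100.113", "amd64", "CVE-2021-33909",
     "VALID", "High", "CVE-2021-33909 affects linux-image-5.4.0-100-generic"),
    ("linux-image-5.4.0-104-generic", "5.4.0-104.118", "amd64", "CVE-2021-33909",
     "VALID", "High", "CVE-2021-33909 affects linux-image-5.4.0-104-generic"),
]


def open_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the agent DB; swap in sqlite3.connect(copy_of_db)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO vuln_cves VALUES (?, ?, ?, ?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def _where(cve, name=None, version=None):
    """Parameterised WHERE clause; values are never interpolated into the SQL."""
    clauses, params = ["cve = ?"], [cve]
    if name is not None:
        clauses.append("name = ?")
        params.append(name)
    if version is not None:
        clauses.append("version = ?")
        params.append(version)
    return " AND ".join(clauses), params


def matching_rows(conn, cve, name=None, version=None):
    """Dry run: the rows a DELETE with the same condition would remove."""
    where, params = _where(cve, name, version)
    return conn.execute(f"SELECT name, version, cve FROM vuln_cves WHERE {where}", params).fetchall()


def delete_vulnerability(conn, cve, name=None, version=None, expect=1) -> int:
    """Delete only if exactly `expect` rows (default one) match the condition, so a
    condition that is too loose removes nothing instead of several findings.
    Returns the number of rows removed (0 when refused)."""
    if len(matching_rows(conn, cve, name, version)) != expect:
        return 0
    where, params = _where(cve, name, version)
    with conn:  # one transaction: committed on success, rolled back on error
        cur = conn.execute(f"DELETE FROM vuln_cves WHERE {where}", params)
    return cur.rowcount


def count_rows(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM vuln_cves").fetchone()[0]


def demo() -> tuple[int, int, int]:
    """(rows removed by a CVE-only delete, rows removed once pinned to a package, rows left)."""
    conn = open_sample_db()
    refused = delete_vulnerability(conn, "CVE-2021-33909")          # two rows match: refused
    removed = delete_vulnerability(conn, "CVE-2021-33909",
                                   name="linux-image-5.4.0-100-generic")  # exactly one: removed
    return refused, removed, count_rows(conn)


if __name__ == "__main__":
    print("cve only / cve+name / rows left:", demo())
```

Against the real file, open a backup copy with sqlite3.connect() in place of open_sample_db(), run matching_rows() first to see what the condition hits, and remember Carlos's caveat that the row comes back on the next partial scan of that agent.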
Prajapati Hitesh

Aug 9, 2023, 12:16:51 PM
to Wazuh mailing list
Hi Carlos,

I've tried the steps below, but the vulnerability is not excluded from the agents, and your option above does not resolve my issue permanently. Please guide me on more steps to resolve this issue.

> The vulnerability detection module has changed a lot since that post, but you can still apply some steps from there. I recommend the following:
>
> 1) First, create a list to include the vulnerabilities you do not want to report.
> Create this list from the Wazuh Web UI in Management > CDB lists
>
> 2) Add the vulnerabilities to that file following the format CVE:Description.
> Add the CVE under the key box and the Description under the value box
>
> 3) Add the list to the ossec.conf file using the <list> option.
> You can do this from the Wazuh Web UI too, Management > Configuration
>
> 4) Compile the CDB list. This is no longer necessary.
>
> 5) Create a rule that uses this list and ignores the vulnerability using level 0.
> <group name="vulnerability-silence">
>   <rule id="103777" level="0">
>     <if_sid>23501</if_sid>
>     <list field="vulnerability.cve" lookup="match_key">etc/lists/vuln-black-list</list>
>     <group>vulnerability-detector</group>
>     <description>Ignore vulnerability</description>
>   </rule>
> </group>

Carlos Dams

Aug 11, 2023, 10:41:34 AM
to Wazuh mailing list
Hi Prajapati,

For the proposed workaround, there are many tables in the /var/ossec/queue/vulnerabilities/cve.db file that you would have to manipulate. Another workaround would be to create your own cve.db using offline updates; with this option you can edit the files from the vendors to remove the vulnerabilities you are not interested in. The high-level steps would be:
  1. Download the files from different vendors
  2. Edit these files using any text editor, removing or commenting out the entries for vulnerabilities you do not want Wazuh to bring to the Wazuh Web UI
  3. Configure Wazuh to use the offline updates instead of automatically using the online repositories
I hope this workaround helps you accomplish your goal.

Bear in mind that the Wazuh team is working on refactoring the Vulnerability Detector module to have the feature you are requesting by default.
It was mentioned on this GitHub issue: Feature Request: Vulnerability Filter
You can track the work of the team here: Vulnerability Detector refactor

Thanks,