Want to Suppress Alert For Vulnerability Detection


Shihab Hossain Shifat

Nov 19, 2025, 7:56:37 AM (4 days ago) Nov 19
to Wazuh | Mailing List
Just seeking help here. Having a bit of an issue with the vulnerability detection. For many vulnerabilities, the alerts recommend actions like updating the kernel, but the fixed kernel version has not been released yet. As a result, there is no practical solution to apply immediately. How should we manage these hundreds of alerts in the meantime? In some cases, I may not want to perform the update right away; what is the best approach in such situations?

One vulnerability details sample is shown below:

{
  "_index": "wazuh-states-vulnerabilities-wazuh-manager",
  "_id": "002_fef40bab6efc45bb9997bccdfe3f6e7e79418e0c_CVE-2025-38081_2915231",
  "_score": 0,
  "_source": {
    "agent": {
      "id": "002",
      "name": "wazuh-agent-01",
      "type": "Wazuh",
      "version": "v4.14.0"
    },
    "host": {
      "os": {
        "full": "Debian GNU/Linux 12 (bookworm)",
        "kernel": "6.1.0-41-amd64",
        "name": "Debian GNU/Linux",
        "platform": "debian",
        "type": "debian",
        "version": "12"
      }
    },
    "package": {
      "architecture": "amd64",
      "description": "Linux for 64-bit PCs (meta-package)",
      "name": "linux-image-amd64",
      "size": 13312,
      "type": "deb",
      "version": "6.1.158-1"
    },
    "vulnerability": {
      "category": "Packages",
      "classification": "CVSS",
      "description": "In the Linux kernel, the following vulnerability has been resolved:  spi-rockchip: Fix register out of bounds access  Do not write native chip select stuff for GPIO chip selects. GPIOs can be numbered much higher than native CS. Also, it makes no sense.",
      "detected_at": "2025-11-18T17:32:41.732Z",
      "enumeration": "CVE",
      "id": "CVE-2025-38081",
      "published_at": "2025-06-18T10:15:41Z",
      "reference": "https://security-tracker.debian.org/tracker/CVE-2025-38081",
      "scanner": {
        "condition": "Package default status",
        "reference": "https://cti.wazuh.com/vulnerabilities/cves/CVE-2025-38081",
        "source": "Debian Security Tracker",
        "vendor": "Wazuh"
      },
      "score": {
        "base": 7.1,
        "version": "3.1"
      },
      "severity": "High",
      "under_evaluation": false
    },
    "wazuh": {
      "cluster": {
        "name": "wazuh-manager"
      },
      "schema": {
        "version": "1.0.0"
      }
    }
  },
  "fields": {
    "vulnerability.detected_at": [
      "2025-11-18T17:32:41.732Z"
    ],
    "vulnerability.published_at": [
      "2025-06-18T10:15:41.000Z"
    ]
  }
}

antonio...@wazuh.com

Nov 19, 2025, 10:57:37 AM (3 days ago) Nov 19
to Wazuh | Mailing List
Hi,
Thank you for sharing the vulnerability details.
At the moment, Wazuh does not provide an option to hide specific vulnerabilities directly from the dashboard.
We can use the vulnerable package version and the vulnerability CVE ID, and we will evaluate whether this is a false positive or not. Next, if we find a false positive or false negative, we will sanitize our feed, and the vulnerability will be fixed on your end as well.

If it is not a false positive, but you still want to remove it from the detection, that is not possible at this moment, to ensure the integrity of the scan results.

But we have in our roadmap to have an option to exclude some vulnerabilities from the dashboard. You can find updates on this topic in this GitHub link.

At this moment, you can suppress detection alerts and remove the old detection alerts from the event section of the vulnerability dashboard, but they will still be available in the inventory section and the dashboard section of the vulnerability dashboard.

Let me know if you need help with that.

antonio...@wazuh.com

Nov 19, 2025, 10:57:38 AM (3 days ago) Nov 19
to Wazuh | Mailing List
Hi,
Let me investigate this, and I will get back to you as soon as possible
On Wednesday, November 19, 2025 at 13:56:37 UTC+1, Shihab Hossain Shifat wrote:

antonio...@wazuh.com

Nov 20, 2025, 5:03:43 AM (3 days ago) Nov 20
to Wazuh | Mailing List
To suppress the events that generate these vulnerabilities, it is only necessary to add a new custom rule in which we specify the list of CVEs in the <field name="vulnerability.cve"> option; every time it finds a vulnerability of that type, since the rule is at level 0, the alert will be ignored.

In the WUI, navigate to Management -> Rules, and then set a filter to Custom rules. Select the file local_rules.xml. Then, add the following rule:

<group name="cve-ignore,">
  <rule id="100002" level="0">
    <if_group>vulnerability-detector</if_group>
    <!-- <field> is an osregex by default: separate the CVE ids with | (alternation),
         not commas, and anchor each id so a shorter id cannot match a longer one -->
    <field name="vulnerability.cve">^CVE-0000-0000$|^CVE-0000-0001$</field>
    <description>Ignoring alert $(vulnerability.cve). Vulnerability was published $(vulnerability.published). Reference $(vulnerability.reference)</description>
    <!-- agent_name is a placeholder; remove this tag to ignore the CVEs on every agent -->
    <location>agent_name</location>
    <options>no_full_log</options>
  </rule>
</group>

Note that for the <location> you will add the name of the agent which you want to ignore those CVEs. If you need to ignore the CVEs for all the agents, please remove the <location> tag.


In addition, instead of configuring the CVEs directly in the rule, you can create a CDB list with those CVEs, as described here: https://documentation.wazuh.com/current/user-manual/ruleset/cdb-list.html

On Wednesday, November 19, 2025 at 13:56:37 UTC+1, Shihab Hossain Shifat wrote:
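As an added example (not Wazuh's code and not from this thread), a small Python script that reads vulnerability-state documents shaped like the one in the first message and renders both the level-0 rule from this reply and the CDB list alternative; the trimmed documents, the second agent name, the package "other-pkg" and the CVE-0000-000x ids are constructed placeholders.

```python
"""Build a Wazuh level-0 suppression rule, and the equivalent CDB list, from
vulnerability-state documents (wazuh-states-vulnerabilities-* shape).
Added example for this thread, not Wazuh's own code."""
from xml.sax.saxutils import escape

# Constructed sample, trimmed to the fields read here and shaped like the document
# posted above; CVE-0000-000x ids and "other-pkg" are placeholders.
STATE_DOCS = [
    {"_source": {"agent": {"name": "wazuh-agent-01"}, "package": {"name": "linux-image-amd64"},
                 "vulnerability": {"id": "CVE-2025-38081"}}},
    {"_source": {"agent": {"name": "wazuh-agent-01"}, "package": {"name": "linux-image-amd64"},
                 "vulnerability": {"id": "CVE-0000-0001"}}},
    {"_source": {"agent": {"name": "wazuh-agent-02"}, "package": {"name": "other-pkg"},
                 "vulnerability": {"id": "CVE-0000-0002"}}},  # other package, kept out
]

def cves_for_package(docs, package):
    """Sorted, de-duplicated CVE ids the inventory reports for one package."""
    return sorted({d["_source"]["vulnerability"]["id"] for d in docs
                   if d["_source"]["package"]["name"] == package})

def cve_pattern(cves):
    """<field> is an osregex by default: join with '|' (alternation) and anchor
    each id, since a bare CVE-2025-3808 would also silence CVE-2025-38081."""
    return "|".join(f"^{escape(c)}$" for c in cves)

def suppression_rule(cves, rule_id=100002, agent=None):
    """Render the local_rules.xml rule from the thread; omit <location> (agent=None)
    to silence the CVEs on every agent."""
    if not cves:
        raise ValueError("refusing to emit a rule that matches nothing")
    location = f"    <location>{escape(agent)}</location>\n" if agent else ""
    return ('<group name="cve-ignore,">\n'
            f'  <rule id="{rule_id}" level="0">\n'
            "    <if_group>vulnerability-detector</if_group>\n"
            f'    <field name="vulnerability.cve">{cve_pattern(cves)}</field>\n'
            "    <description>Ignoring alert $(vulnerability.cve). Vulnerability was "
            "published $(vulnerability.published). Reference $(vulnerability.reference)"
            "</description>\n"
            f"{location}    <options>no_full_log</options>\n"
            "  </rule>\n</group>\n")

def cdb_list(cves):
    """Body of a CDB list file (one 'key:' line per CVE) for the alternative linked
    above; the rule then uses <list field="vulnerability.cve" lookup="match_key">."""
    return "".join(f"{c}:\n" for c in cves)

if __name__ == "__main__":
    kernel_cves = cves_for_package(STATE_DOCS, "linux-image-amd64")
    print(suppression_rule(kernel_cves, agent="wazuh-agent-01"))
    print(cdb_list(kernel_cves), end="")
```

Restart the manager after placing the rule in local_rules.xml (or the list under etc/lists and the matching <list> rule), and note that, as Antonio says, only the events are silenced; the inventory still lists the CVEs.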

Shihab Hossain Shifat

Nov 21, 2025, 2:03:06 AM (yesterday) Nov 21
to Wazuh | Mailing List

Hi Antonio,

I tried the process you suggested, but these vulnerabilities are still showing on the dashboard. I also restarted both the manager and the Wazuh agent to trigger a new syscheck, but the results remain the same.

I have a few questions regarding vulnerability detection:

  1. How is the vulnerability detection database updated?

  2. Is there a way to know when a new version of the vulnerability detection database is available?

  3. Can we check when the database was last updated?


Best regards,
Shifat


antonio...@wazuh.com

Nov 21, 2025, 5:33:26 AM (yesterday) Nov 21
to Wazuh | Mailing List
Hi Shihab,

The vulnerability inventory is updated using the information available on the Wazuh Cyber Threat Intelligence (CTI) platform, which is updated daily.

The vulnerability-detector module runs by default every 60 minutes. You can see this in the file /var/ossec/conf/ossec.conf

<vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>60m</feed-update-interval>
</vulnerability-detection>

It’s important to clarify that the module does not run a full scan every 60 minutes; instead, it attempts to update the vulnerability feed at that interval. The vulnerability-detector actually executes when it receives inventory changes from Syscollector, as documented in the official Wazuh documentation.

The database is updated as soon as a new vulnerability is found while the module is running. However, there are a couple of configuration settings you can adjust to change this.

You can also see when the module was last executed by checking the file /var/ossec/logs/ossec.log.

Based on the alerts, if you have configured the rules as I explained, you should no longer see the VD events that you have silenced. This depends on which events you have muted. However, the vulnerability inventory will continue to show all active vulnerabilities, and currently there is no way to suppress vulnerabilities from the inventory. This will be implemented in the issue I shared with you earlier.