Ignoring alerts from vulnerability scanner


Raf Gillisjans

May 4, 2022, 5:36:03 AM
to Wazuh mailing list
Hi all,

I'm using Wazuh for FIM and the security events but our Vulnerability scanner generates a lot of noise in the security events and the email alerts when it's scanning our agents. Is there a possibility to exclude any alerts that have a specific data.srcip or data.user?

Kr,
Raf

victor....@wazuh.com

May 4, 2022, 7:37:14 AM
to Wazuh mailing list

Hello Raf,
There are multiple options to troubleshoot this issue:

- Disable VD in the desired agents.
  If you want to ignore vulnerability detector alerts from a set of agents, maybe the better approach would be to disable the Vulnerability Detector in those agents:

ossec.conf:

  <vulnerability-detector>
    <enabled>no</enabled>
  </vulnerability-detector>

Then restart the Wazuh agents. You can do this easily using centralized configuration.

- Create a custom rule to ignore all VD alerts that fit specified requirements.
  If you want to ignore certain rules on some agents using your ruleset, you can follow this approach. I suggest a rule like this one:

/var/ossec/etc/rules/local_rules.xml:

<group name="vulnerability-detector,gdpr_IV_35.7.d,pci_dss_11.2.1,pci_dss_11.2.3,tsc_CC7.1,tsc_CC7.2,">

  <rule id="123500" level="0">
    <if_sid>23503,23504,23505,23506</if_sid>
    <srcip><agent-ip-to-ignore></srcip>
    <description>Ignoring vulnerability alerts for agent <name-agent></description>
  </rule>

</group>

Rules 23503, 23504, 23505, and 23506 match vulnerabilities with different severity levels (from Low to Critical). Defining a rule with level=0 means that it won't produce an alert.

If you want to ignore other rules I suggest following this approach and adapting the rules according to your use case.

If you have any doubt, do not hesitate to ask.

Raf Gillisjans

May 4, 2022, 8:14:52 AM
to Wazuh mailing list
Hi Victor,

Thanks for your reply. I was actually talking about an external vuln scanner and not the one included in Wazuh. This indeed needed a rule-based approach.
Thanks to your reply I came up with this rule:

<group name="web, accesslog, attack">

  <rule id="100001" level="3">
    <if_level>1</if_level>
    <srcip>scanner_ip1</srcip>
    <srcip>scanner_ip2</srcip>
    <description>Event triggered by vulnerability scanner</description>
  </rule>

</group>

It seems to be working and catches every event triggered by those IPs. When running a test scan with our vuln scanner it seems to be doing exactly what I wanted.

Kr,
Raf

On Wednesday, May 4, 2022 at 13:37:14 UTC+2, victor....@wazuh.com wrote:

Raf Gillisjans

May 4, 2022, 8:22:26 AM
to Wazuh mailing list
One more thing: when changing

<group name="web, accesslog, attack">

can you type whatever group you want in that name tag, or do you need to create that group somewhere?

On Wednesday, May 4, 2022 at 14:14:52 UTC+2, Raf Gillisjans wrote:

Luis González Romero

May 5, 2022, 5:16:08 AM
to Wazuh mailing list

Hello Raf! Hope you are doing great.


The answer is yes. You can include any group you want (with no need to create it somewhere else). It will be a new group that will appear in the alerts and can be used in labels such as if_group and if_matched_group.

If you need something else feel free to ask!


Hope this helps you,

Luis.
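As an added example (not posted by anyone in this thread, and not Wazuh's own ruleset), here is a complete local_rules.xml that ties the two answers together: Victor's level-0 override for silencing events, Raf's external-scanner case keyed on source IP, the data.user half of the original question, and Luis's point that a custom group declared inside a rule can immediately be referenced from if_group. Two practical notes: srcip accepts CIDR netblocks as well as single addresses, so one tag can cover a scanner pool; and a rule at level 3 (as in Raf's version) is still written to alerts.log and shown in the dashboard with the manager's default log_alert_level of 3, whereas level 0 suppresses the alert entirely. The rule ids 100010 to 100012, the group names, the netblock 10.20.30.0/28, the account svc-vulnscan and the scan window are all constructed placeholders.

```xml
<!-- /var/ossec/etc/rules/local_rules.xml (added example; rule ids, group names,
     netblock, account name and scan window are constructed placeholders) -->
<group name="local,">

  <!-- 1. Silence everything the scanner netblock triggers.
       if_level 1 makes this a child of every rule at level 1 or higher,
       srcip accepts a single address or a CIDR netblock, and level 0
       means nothing is logged, shown or emailed. The inner group tag
       labels the matched event so that other rules can refer to it. -->
  <rule id="100010" level="0">
    <if_level>1</if_level>
    <srcip>10.20.30.0/28</srcip>
    <description>Event from the authorised vulnerability scanner netblock</description>
    <group>vuln_scanner,</group>
  </rule>

  <!-- 2. Same idea keyed on the decoded user instead of the source IP,
       for credentialed scans that log in with a dedicated service account
       (the data.user part of the original question). user uses match
       syntax, so the anchors require an exact account name. -->
  <rule id="100011" level="0">
    <if_level>1</if_level>
    <user>^svc-vulnscan$</user>
    <description>Event from the vulnerability scanner service account</description>
    <group>vuln_scanner,</group>
  </rule>

  <!-- 3. Do not silence the scanner unconditionally: keep one alert for
       scanner activity outside the agreed scan window (18:00 to 08:00 here),
       which is how a compromised scanner host or leaked scanner credentials
       would surface. if_group refers to the custom group declared in the
       two rules above; nothing else needs to be registered for it. -->
  <rule id="100012" level="8">
    <if_group>vuln_scanner</if_group>
    <time>8:00 - 18:00</time>
    <description>Vulnerability scanner activity outside the agreed scan window</description>
    <group>vuln_scanner_anomaly,</group>
  </rule>

</group>
```

Before restarting the manager (`systemctl restart wazuh-manager`), feed a sample line from the scanner through `/var/ossec/bin/wazuh-logtest` and confirm that the final rule reported is 100010 or 100011 with level 0; if a different rule wins, the decoder did not extract srcip or user from that log format and the override will not take effect.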
