Vulnerability Detector


John Carry

Jan 20, 2023, 11:51:36 AM
to Wazuh mailing list
Hello Wazuh Team,
Currently we are in the phase of assessing vulnerabilities in our environment via the Wazuh Vulnerability Detector. Recently we received a response from one of the custodians that they had fixed multiple vulnerabilities, but when we ran the scan again and compared the results with the earlier report, the patched vulnerabilities were still observed as unpatched.

While investigating we found that a particular vulnerability, CVE-2022-3016, is present on the vulnerability dashboard but is not visible as Active on the Events tab inside the Vulnerability Detector section.

We just want to know what this means: either CVE-2022-3016 is fixed or there is some bug. Basically there is a conflict with our server admin, who says they have already updated that software to the latest version.

You are requested to answer the concerns below in order:

1) Is there a way we can filter the vulnerabilities by their status on the Vulnerability Dashboard? For example, filtering on those that are Active so that the count is reduced to a good state?
2) Is there a way we can run an on-demand full scan?
3) Is the final status (either Active or Solved) of any vulnerability actually verified from the most recent timestamp?
4) Does the vulnerability-detector dashboard show overall vulnerabilities regardless of their status (either Active or Solved), or does it include only Active ones?



Regards,
John


John Carry

Jan 22, 2023, 9:06:04 PM
to Wazuh mailing list
Is anyone there who will respond to the query?

Federico Rodriguez

Jan 23, 2023, 11:37:14 AM
to Wazuh mailing list
Hi John, hope you are doing well.

For more information check the Vulnerabilities module documentation: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html#how-it-works

Vulnerability Detector now manages a vulnerability inventory and produces alerts during the first agent scan and whenever a new vulnerability is either found or solved. Packages and the operating system that have already been scanned will not be re-scanned. Only newly installed packages will be considered for scanning, and alerts will be generated if they have vulnerabilities. There is only one case in which the packages and the operating system will be re-scanned: when the vulnerability database receives new CVE information and min_full_scan_interval expires.

Once the Vulnerability Detector module has created the global vulnerability database containing the CVEs, the detection process looks for vulnerable packages in the inventory databases. These inventories are unique to each agent. A package is labeled as vulnerable when its version matches those within the affected range of a CVE. Alerts show the results, and the module stores the findings in a per-agent vulnerability inventory. This inventory contains the current state of every agent and includes vulnerabilities that have been detected and not resolved. Users can query the inventory to check for alerts and vulnerability information.


At the time of Wazuh 4.3.10 the On Demand Scan feature does not exist, but the good news is that it will be included in the Wazuh 4.4 release.

If you wish to, you can also use the API to query the vulnerabilities based on the agent ID. You can access the API console by going to Wazuh -> Tools -> API Console.
Here you can find the reference documentation for this: API Reference: Vulnerabilities

Regards
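As an added illustration of the API route mentioned above (example code written for this thread, not Wazuh's own), the following pulls one agent's inventory from GET /vulnerability/{agent_id} and separates Active from Solved findings, so the per-severity totals can be compared with what the dashboard widgets show. The endpoint, the status values VALID/PENDING/OBSOLETE, the severity names and the response field names are assumptions about the 4.3 API and should be checked against the API Reference.

```python
# Added example, not code from the thread or from Wazuh. Assumed 4.3 API shape:
# GET /vulnerability/{agent_id} items carry cve/name/severity/status, status is
# VALID (still present), PENDING (awaiting re-scan) or OBSOLETE (fixed).
import json
import urllib.parse
import urllib.request
from collections import Counter

ACTIVE_STATUSES = {"VALID"}                 # assumption: confirmed still present
SOLVED_STATUSES = {"OBSOLETE", "PENDING"}   # assumption: fixed / not yet re-confirmed

def inventory_url(base_url, agent_id, status=None, severity=None, limit=500):
    """Build the inventory query; status/severity are assumed query parameters."""
    params = {"limit": limit}
    if status:
        params["status"] = status
    if severity:
        params["severity"] = severity
    return f"{base_url}/vulnerability/{agent_id}?{urllib.parse.urlencode(params)}"

def fetch_inventory(base_url, agent_id, token, ctx=None, **filters):
    """GET one agent's inventory; token comes from POST /security/user/authenticate."""
    req = urllib.request.Request(inventory_url(base_url, agent_id, **filters))
    req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def split_by_state(response):
    """Return (active, solved) finding lists; unknown statuses land in neither."""
    items = response["data"]["affected_items"]
    active = [i for i in items if i.get("status") in ACTIVE_STATUSES]
    solved = [i for i in items if i.get("status") in SOLVED_STATUSES]
    return active, solved

def severity_counts(items):
    """Per-severity totals, i.e. the numbers a dashboard widget would display."""
    return dict(Counter(i.get("severity", "Untriaged") for i in items))

# Constructed sample response: CVE-2022-3016 is the CVE from this thread, the
# other ids are placeholders, and the packages/severities are made up.
SAMPLE_RESPONSE = {"data": {"affected_items": [
    {"cve": "CVE-2022-3016", "name": "vim", "severity": "High", "status": "VALID"},
    {"cve": "CVE-XXXX-PLACEHOLDER-1", "name": "openssl", "severity": "Critical", "status": "VALID"},
    {"cve": "CVE-XXXX-PLACEHOLDER-2", "name": "curl", "severity": "Medium", "status": "OBSOLETE"},
    {"cve": "CVE-XXXX-PLACEHOLDER-3", "name": "zlib", "severity": "High", "status": "PENDING"},
], "total_affected_items": 4}, "error": 0}
```

For a live run, obtain a JWT from `POST /security/user/authenticate`, call `fetch_inventory("https://<manager>:55000", "001", token)` and pass the result to `split_by_state`; a finding whose status is VALID in the inventory is what the module still considers present, whatever the admin reports as patched.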

John Carry

Jan 24, 2023, 1:24:10 AM
to Wazuh mailing list
Hello,
I think you have confused my query. I asked about a few specific concerns rather than for an explanation of the vulnerability detector itself. My concerns are mentioned again below:

1) The default Inventory dashboard shows vulnerability counts mapped as critical, high, medium and low. My concern is: do these total vulnerability counts show only the 'Active vulnerabilities COUNT', or does the count include both Active and Solved?
2) The Events tab shows vulnerabilities with their status as either Solved or Active. The concern or confusion is whether the vulnerabilities with status Solved are actually fixed or not. Is there any mechanism by which we can apply a status-based filter on the Inventory tab so that the dashboard only shows Active vulnerabilities and their count?