Vuls Not Working


krunal kalaria

Mar 9, 2018, 12:39:03 AM3/9/18
to Wazuh mailing list
Hello Everyone,

I have Wazuh 3.2 on RHEL 7 and I am trying to install Vuls. The installation is done, but I don't know what changes I need to make in the config.toml file. The following is my config.toml.

In config.toml, do I need to replace "localhost" with the IP address of my machine? What do I need to change in this file?

[servers]

[servers.localhost]
host = "localhost"
port = "local"

I used this command to install Vuls: /var/ossec/wodles/vuls/deploy_vuls.sh redhat 7

and I made these changes in ossec.conf:

<wodle name="command">
  <tag>Wazuh-VULS</tag>
  <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py</command>
  <interval>1h</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
</wodle>

Kindly correct me if I am wrong in the above configs.

Thanks & Regards,
Krunal.


Cristóbal López

Mar 9, 2018, 6:05:31 AM3/9/18
to Wazuh mailing list
Hi Krunal,

You do not need to modify any configuration files other than ossec.conf. Just launch the deployment script, as you have done, on every agent or manager from which you want to extract vulnerabilities.

The configuration block must be placed in the ossec.conf of each host to be monitored, or sent remotely through agent.conf. However, the configuration you have written is the default one. To learn how to configure scanning and maintenance you can see this section of the documentation.

For example, to generate alerts with vulnerabilities above level 5 for RedHat 7 you can use the following configuration block:

<wodle name="command">
  <tag>Wazuh-VULS</tag>
  <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py --mincvss 5 --updaterh --os-version 7</command>
  <interval>1d</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
</wodle>

Do you have any problems after setting this configuration?

Best regards,
Cristobal Lopez.

krunal kalaria

Mar 9, 2018, 7:05:57 AM3/9/18
to Wazuh mailing list
Hi Cristobal Lopez,

Thanks for your answer.

I have tried this in ossec.conf, but now I have one question: how can I find the vulnerabilities? Is there any procedure, configuration or file that needs to be run?

When I ran this command for the Vuls integration: /var/ossec/wodles/vuls/deploy_vuls.sh redhat 7

I then found this file: /var/ossec/wodles/vuls/config.toml. So what is that config.toml file?

I changed this config.toml and then it gave me one error: ERROR [localhost] Failed to init servers: No scannable servers

If I leave localhost in place it runs fine, but when I change that file it gives the error.

And one more thing: will vulnerabilities be scanned automatically, or do we have to run a command manually?

I cannot find any visualization in the Vulnerabilities tab in Wazuh.

Thanks & Regards,
Krunal. 

krunal kalaria

Mar 9, 2018, 7:14:13 AM3/9/18
to Wazuh mailing list

Cristóbal López

Mar 12, 2018, 7:11:59 AM3/12/18
to Wazuh mailing list
Hi Krunal,

To enable integration with Vuls you have to run the deployment script on each agent you want to scan for vulnerabilities. config.toml is a small internal configuration file that you don't have to modify. You just have to configure the ossec.conf of each agent, or agent.conf to do it remotely.

Vulnerability scans will run periodically according to the period you specify in the interval field. If you set run_on_start to yes, a scan will be launched each time Wazuh restarts. You can also start a scan manually by executing the command within the command option.

The vulnerabilities tab is to visualize the alerts extracted with Wazuh's own vulnerability scanner: vulnerability-detector. Vuls is an external scanner that Wazuh has integrated, so to search for detected alerts with this software you have to write the following in the Kibana discover:

rule.groups:vuls

We decided to create the vulnerability-detector wodle so as not to have to deploy external software on agents, which are usually servers in isolated environments, and to simplify the detection process. For more information, you can read this page.

Best regards,
Cristobal Lopez.
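As an added illustration of the search Cristobal describes (not code from the thread or from the Wazuh project): Wazuh writes every alert as one JSON object per line to /var/ossec/logs/alerts/alerts.json, and the Kibana query rule.groups:vuls corresponds to selecting the lines whose rule.groups array contains "vuls". The script below does that filtering offline over a constructed sample. The rule ids, descriptions, agent names and the exact group membership in the sample are assumptions for the example; the only field layout it relies on (rule.groups, rule.level, rule.description, agent.name) is the standard Wazuh alert format.

```python
"""Find Vuls alerts in a Wazuh alerts.json stream (added example, not Wazuh code)."""
import json
from typing import Dict, Iterable, Iterator, List

# Constructed sample in the line-delimited layout of alerts.json.
# Rule ids, descriptions and agent names are assumed values for this example.
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2018-03-13T08:00:01.000+0000",
                "rule": {"level": 7, "id": "100101", "groups": ["vuls"],
                         "description": "Vuls: vulnerability found"},
                "agent": {"id": "001", "name": "rhel7-web"}}),
    json.dumps({"timestamp": "2018-03-13T08:00:02.000+0000",
                "rule": {"level": 3, "id": "5501", "groups": ["pam", "syslog"],
                         "description": "Login session opened"},
                "agent": {"id": "001", "name": "rhel7-web"}}),
    json.dumps({"timestamp": "2018-03-13T08:05:00.000+0000",
                "rule": {"level": 10, "id": "100102", "groups": ["vuls"],
                         "description": "Vuls: vulnerability found"},
                "agent": {"id": "002", "name": "rhel7-db"}}),
    "this line is not json",  # a damaged line must be skipped, not crash the run
])


def iter_alerts(lines: Iterable[str]) -> Iterator[Dict]:
    """Yield one alert dict per well-formed JSON line; skip blank or broken lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_vuls_alert(alert: Dict, min_level: int = 0) -> bool:
    """True if the alert is in the 'vuls' rule group and at least min_level."""
    rule = alert.get("rule", {})
    groups = rule.get("groups", [])
    return "vuls" in groups and int(rule.get("level", 0)) >= min_level


def vuls_alerts(lines: Iterable[str], min_level: int = 0) -> List[Dict]:
    """Equivalent of the Kibana query rule.groups:vuls, with an optional level floor."""
    return [a for a in iter_alerts(lines) if is_vuls_alert(a, min_level)]


def count_by_agent(alerts: Iterable[Dict]) -> Dict[str, int]:
    """Number of Vuls alerts per agent name (useful to see which hosts report at all)."""
    counts: Dict[str, int] = {}
    for alert in alerts:
        name = alert.get("agent", {}).get("name", "unknown")
        counts[name] = counts.get(name, 0) + 1
    return counts


def report(lines: Iterable[str], min_level: int = 0) -> List[str]:
    """Human-readable one-liners: timestamp, agent, level, description."""
    out = []
    for a in vuls_alerts(lines, min_level):
        out.append("%s %s level=%s %s" % (
            a.get("timestamp", "?"),
            a.get("agent", {}).get("name", "?"),
            a.get("rule", {}).get("level", "?"),
            a.get("rule", {}).get("description", "?")))
    return out


if __name__ == "__main__":
    # Run against the constructed sample; on a manager, pass
    # open("/var/ossec/logs/alerts/alerts.json") instead.
    for line in report(SAMPLE_ALERTS.splitlines()):
        print(line)
    print(count_by_agent(vuls_alerts(SAMPLE_ALERTS.splitlines())))
```

If an agent never shows up in count_by_agent, the wodle is not producing alerts for it, which is the first thing to check before looking at Kibana.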

krunal kalaria

Mar 13, 2018, 12:30:10 AM3/13/18
to Wazuh mailing list
Thanks for reaching out, Cristobal.

Basically this is my ossec.conf, and I have written the Vuls config. Can you check whether this is the right config to check automatically and raise an alert when a vulnerability appears on my server?

<wodle name="command">
  <tag>Wazuh-VULS</tag>
  <command>/usr/bin/python /var/ossec/wodles/vuls/vuls.py --mincvss 5 --updaterh --os-version 7</command>
  <interval>60s</interval>
  <ignore_output>yes</ignore_output>
  <run_on_start>yes</run_on_start>
</wodle>


Cristóbal López

Mar 13, 2018, 7:43:21 AM3/13/18
to Wazuh mailing list
Hi Krunal,

That configuration is correct for servers running RedHat 7. Remember that you have to put that configuration block in each agent or manager you want to monitor, not in a single host.

However, 60 seconds is too high a frequency. I recommend you set the interval to once or twice a day.

Best regards,
Cristobal Lopez.

krunal kalaria

Mar 13, 2018, 11:15:25 AM3/13/18
to Wazuh mailing list
OK Cristobal,

Thanks for your help. I will do it as you mention, and if anything comes up I will post.

Thanks a lot.