wazuh 4.8 add custom rules to vulnerability detection


Commercial League

Jun 29, 2024, 11:11:46 AM (4 days ago)
to Wazuh | Mailing List
Hi,

In the previous versions of wazuh it was possible to add mapping between installed product and the cve.db as described in my previous conversation: https://groups.google.com/g/wazuh/c/ur4Qe7gU-v0/m/kh8KNnvdAAAJ

Do we have similar functionality in version 4.8 with the new detection engine?

Kind regards,
Nikolay

Francisco Tuduri

Jul 1, 2024, 8:22:08 AM (2 days ago)
to Wazuh | Mailing List
Hi Nikolay,

As you may know, the vulnerability detection module was completely refactored in version 4.8. One of the main changes is that the manager now accesses a centralized feed of vulnerabilities and supporting data maintained by Wazuh. This includes the information required to correctly map installed packages to the data reported in the CVEs.

This information is dynamic; the manager periodically checks for updates, downloads the new data, and applies it locally.

If you believe there are packages not being correctly detected, please report them here so we can analyze it and update the centralized feed accordingly. If possible, include the package information as reported by Syscollector and mention the CVE ID that should have been matched, if any.

Thanks!

Commercial League

7:21 AM (5 hours ago)
to Wazuh | Mailing List
Hi Francisco,

We have a lot of installations of LibreOffice (1000+), so I installed a really old version, 4.2.0.1, to check whether it would trigger an event. Nothing happened. The problem is probably that the new database is missing a relation between the product name and the classification in NVD, because on Wazuh 4.7.2 I manually mapped it in the cpe_helper.json and it worked.

Here is the syscollector result:

{
  "data": {
    "affected_items": [
      {
        "scan": {
          "id": 0,
          "time": "2024-03-20T13:09:38+00:00"
        },
        "section": " ",
        "version": "4.2.0.1",
        "format": "win",
        "source": " ",
        "priority": " ",
        "architecture": "i686",
        "description": " ",
        "location": "C:\\Program Files (x86)\\LibreOffice 4\\",
        "vendor": "The Document Foundation",
        "name": "LibreOffice 4.2.0.1",
        "size": 0,
        "install_time": "2024-03-20T12:58:22+00:00",
        "agent_id": "1165"
      }
    ],
    "total_affected_items": 1,
    "total_failed_items": 0,
    "failed_items": []
  },
  "message": "All specified syscollector information was returned",
  "error": 0
}

This version has multiple vulnerabilities (at least 30) according to



I chose one random vulnerability which is listed in NVD:


If you have some structured way for reporting it or maybe a github I would submit it there also.

Kind regards,
Nikolay
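The two posts above describe the same problem from both sides: Francisco's note that the feed must map installed packages to the data in the CVEs, and Nikolay's Syscollector record, where the Windows display name ("LibreOffice 4.2.0.1") embeds the version and the vendor string ("The Document Foundation") differs from the vendor token NVD uses in its CPE names. The script below is an added example, not Wazuh code and not how the 4.8 feed is implemented; it shows the normalisation steps a defender can run locally to pre-check whether a Syscollector entry is even mappable to a CPE before filing a feed report. The vendor/product translation table, the CPE vendor token `libreoffice`, and the vulnerable-range feed entries (with a placeholder CVE id) are constructed assumptions, not values taken from NVD.

```python
import re

# Constructed sample: the Syscollector package entry quoted in this thread,
# reduced to the fields the matching logic needs.
SAMPLE_PACKAGE = {
    "version": "4.2.0.1",
    "format": "win",
    "architecture": "i686",
    "vendor": "The Document Foundation",
    "name": "LibreOffice 4.2.0.1",
    "agent_id": "1165",
}

# Hypothetical translation table (an assumption, not the real cpe_helper.json
# or the 4.8 feed): (display vendor, normalised product) -> (CPE vendor, CPE product).
VENDOR_PRODUCT_MAP = {
    ("the document foundation", "libreoffice"): ("libreoffice", "libreoffice"),
}

# Constructed feed: one placeholder advisory with a half-open vulnerable range.
# The id is NOT a real CVE; it stands in for whatever NVD entry applies.
SAMPLE_FEED = [
    {
        "id": "CVE-0000-0001",
        "cpe_prefix": "cpe:2.3:a:libreoffice:libreoffice:",
        "ranges": [{"start_incl": "4.0.0", "end_excl": "4.4.0"}],
    },
    {
        "id": "CVE-0000-0002",
        "cpe_prefix": "cpe:2.3:a:libreoffice:libreoffice:",
        "ranges": [{"start_incl": "5.0.0", "end_excl": "5.1.0"}],
    },
]

# Trailing "4.2.0.1" / "v1.2" style version tokens on Windows display names.
_VERSION_SUFFIX = re.compile(r"\s+v?\d+(\.\d+)*\s*$")


def normalize_name(display_name):
    """Strip a trailing version token from a display name and lowercase it."""
    return _VERSION_SUFFIX.sub("", display_name).strip().lower()


def to_cpe23(pkg, mapping=VENDOR_PRODUCT_MAP):
    """Return a CPE 2.3 string for the package, or None when no mapping exists.

    None is the interesting case: it is exactly the situation in which a
    scanner that relies on name matching will stay silent for a package.
    """
    key = (pkg["vendor"].strip().lower(), normalize_name(pkg["name"]))
    if key not in mapping:
        return None
    vendor, product = mapping[key]
    return f"cpe:2.3:a:{vendor}:{product}:{pkg['version']}:*:*:*:*:*:*:*"


def parse_version(v):
    """Dotted numeric version -> tuple, so 4.2.0.1 sorts below 4.4.0 correctly."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version, ranges):
    """True if version falls inside any [start_incl, end_excl) range."""
    pv = parse_version(version)
    for r in ranges:
        lo, hi = r.get("start_incl"), r.get("end_excl")
        if lo is not None and pv < parse_version(lo):
            continue
        if hi is not None and pv >= parse_version(hi):
            continue
        return True
    return False


def match_cves(pkg, feed=SAMPLE_FEED, mapping=VENDOR_PRODUCT_MAP):
    """Return the ids of feed entries whose CPE prefix and range cover the package."""
    cpe = to_cpe23(pkg, mapping)
    if cpe is None:
        return []
    return [
        entry["id"]
        for entry in feed
        if cpe.startswith(entry["cpe_prefix"]) and is_affected(pkg["version"], entry["ranges"])
    ]


if __name__ == "__main__":
    print("normalised product:", normalize_name(SAMPLE_PACKAGE["name"]))
    print("candidate CPE:", to_cpe23(SAMPLE_PACKAGE))
    print("matches:", match_cves(SAMPLE_PACKAGE))
```

Running it against the quoted entry yields a candidate CPE only because the translation table supplies the `The Document Foundation` to `libreoffice` mapping; drop that row and `to_cpe23` returns `None` and no CVE matches, which is the silent outcome Nikolay observed. When reporting a missed package to the feed maintainers, the vendor string, the normalised product name and the version are therefore the three fields worth including alongside the raw Syscollector JSON.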