Wazuh Vulnerability Scanner not listing Vulnerabilities despite scan completing
694 views
Skip to first unread message
Anthony Parsons
Nov 21, 2023, 6:14:33 AM11/21/23
to Wazuh | Mailing List
Hi,
Now I had this feature working before but due to a bit of a mess up with the OS (and not having a backup) I had to fresh install Wazuh (previously on 4.5 now on 4.6) and the host OS Ubuntu 22.04 LTS- luckily this was a testbed!
I reconfigured as much as I can remember but as can be seen below - the scan completes with no listed vulnerabilities - there should be numerous listed there as I've placed vulnerable software on the system (namely VMWare 15, Old revisions of Java, an old version of Firefox along with numerous missing patches) to confirm its active and working.
As previously mentioned the Manager is hosted on Ubuntu 22.04 LTS (within VMWare ESXi) and agent is on Windows Server 2019 (Bare Metal).
I've verified the manager can see the internet and can reach https://nvd.nist.gov/feeds/json/cve/nvdcve-1.1-2010.meta using curl and have verified the agents are indeed active using /var/ossec/bin/manage_agents -V and /agent_control -i 001
Not entirely sure what the issue is so hoping you can lend me a hand in diagnosing the issue!
I've also attached the configs for the Manager and Agents ossec, along with the ossec log in default logging state
As previously mentioned the Manager is hosted on Ubuntu 22.04 LTS (within VMWare ESXi) and agent is on Windows Server 2019 (Bare Metal).
I've verified the manager can see the internet and can reach https://nvd.nist.gov/feeds/json/cve/nvdcve-1.1-2010.meta using curl and have verified the agents are indeed active using /var/ossec/bin/manage_agents -V and /agent_control -i 001
Not entirely sure what the issue is so hoping you can lend me a hand in diagnosing the issue!
I've also attached the configs for the Manager and Agents ossec, along with the ossec log in default logging state
Send Help!
Anthony Parsons
Nov 21, 2023, 6:30:11 AM11/21/23
to Wazuh | Mailing List
You know what, I may have found out why its not working.
I was checking the providers list for where its pulling the vulnerabilities from and it looks like this:
Surely that should have the links for the databases... right?
Can you confirm if thats the case - if so.... where do I add these in and what links should I use?
Thanks!
Anthony
John Archbold
Nov 21, 2023, 7:37:21 AM11/21/23
to Wazuh | Mailing List
I'm having the same issue with Windows and 4.6, not tried 4.5; though I have that in prod. I'm using the same ubuntu..
sqlite3 /var/ossec/queue/vulnerabilities/cve.db 'select count(*) from nvd_cve'
Couple things to check that I found was to use SQLite and interrogate the vulnerability database to see if the feeds are working:
sqlite3 /var/ossec/queue/vulnerabilities/cve.db 'select count(*) from nvd_cve'
sqlite3 /var/ossec/queue/vulnerabilities/cve.db 'select count(*) from msu'
this I my thread: https://groups.google.com/g/wazuh/c/iIOeG_YAXj8
J
Marcel Kemp
Nov 21, 2023, 10:00:16 AM11/21/23
to Wazuh | Mailing List
Hi Anthony,
Based on the image you shared, it looks like Vulnerability Detector is working correctly, as it is running both partial scan and full scan.
What may be happening is the same as I mentioned in this thread:
It is normal for Windows agents not to show vulnerabilities for the two reasons I mention:
What may be happening is the same as I mentioned in this thread:
In case there is an error in Vulnerability Detector, it should appear in the manager logs (/var/ossec/logs/ossec.log). If there is no Error or Warning, then there should be no problem.
It is normal for Windows agents not to show vulnerabilities for the two reasons I mention:
- That the OS is up-to-date with the latest hotfixes, because the hotfixes for Windows that Microsoft applies are cumulative, so having the latest hotfix, would result in no vulnerabilities being shown in the system.
- You can verify this with the MSRC, which is the official source used to generate our MSU.
- The packages you have installed do not have a corresponding translation in the CPE Helper, which is the dictionary that Wazuh uses for some of the most common programs. Without such a translation, the package, not being standardized as on Linux, cannot get the corresponding CPE, so it cannot search and find the vulnerabilities in the NVD.
- More information about the CPE Helper and add translations in the following thread: https://groups.google.com/g/wazuh/c/HzKJuw8qDgA/m/-3Dr8Mm4AAAJ
Also, to verify, I would need you to share with me the complete output of the following queries:
> You can obtain this information using the API as follows (for example, from the WUI you can use the following tool to run the queries: Modules -> tools -> API console):
- Hotfixes: GET /syscollector/{agent_id}/hotfixes
- Packages: GET /syscollector/{agent_id}/packages
- Vulnerabilities: GET /vulnerability/{agent_id}
- OS: GET /syscollector/{agent_id}/os
If you have any questions, just ask.
Marcel Kemp
Nov 21, 2023, 10:03:06 AM11/21/23
to Wazuh | Mailing List
And as far as not showing the links for the Arch, NVD and MSU cases, this is expected, it does not mean it is a bug.
You can see the links on the next page of the documentation:
You can see the links on the next page of the documentation:
Reply all
Reply to author
Forward
0 new messages