Filtering Vulnerabilities with no fix

[Raphael Pepi]

Ive Setup the Server and Agents and configured the agents to perform vulnerability scans. which all seems to work, however iI' getting so many results with no fix. Id like to filter the vulnerabilities and only show ones that can be fixed. is this possible? how to do this? 

[elw...@wazuh.com]

Hello Raphael,

You can add a custom rule to silence all vulnerability alerts that have the state to no fix:

<group name="Silenced,">
       <rule id="100003" level="0">
       <if_group>vulnerability-detector</if_group>
       <field name="vulnerability.state">No Fixed</field>
       <description>Rule to silence no fixed vulnerabilities</description>
       </rule>
</group>

I hope this helps.

Regards,
Wali

[Raphael Pepi]

Thanks so much for this: Just 2 questions:

1. where does this snippet go? there are alot of config files, and i want this to filter for all hosts that have agents (all my hosts are in the default group)

2 I am trying to manage the configuration of ossec.conf with ansible's xml task

when i try and edit the file it returns the error:

Error while parsing document: /var/ossec/etc/ossec.conf (Extra content at the end of the document, line 360, column 1 (ossec.conf, line 360)) 

which is inaccurate because its actually failing because there are multiple roots <ossec_config></ossec_config>  which is what the xml parser is really choking on. I've read that wazuh supports multiple xml root statements, and this is fine for running it, but for managing the config with ansible this seems to be a deal breaker. 

As a hack i commented out the 1st instance of </ossec_conf> and the 2nd instance of  <ossec_conf> as this allowed it to see the file with as having a single root, but I'm wondering if theres any way to do this thats cleaner.

[elw...@wazuh.com]

Hello Raphael,

The custom rules can be added through the Wazuh UI as shown below:





The same applies to managing the configuration, you can perform that using the Wazuh UI and for the agent as well via the centralized groups https://wazuh.com/blog/agent-groups-and-centralized-configuration/#Using%20the%20Kibana%20app.

Hope this helps.

Regards,
Wali

[Raphael Pepi]

Hmm something is not quite clicking.  I added the Rule as you suggested, created a Silenced group, and added the test server to the Silenced group, then restarted manager. 

The vulnerabilities still show. i also noticed the verbiage for Condition was "Packaged  unfixed" (Wazuh 4.3)  so tried adding additional rules with permutations of that

Restarted again, But LO, the Vulnerabilities are still visible in the Vulnerabilities list.  What am i missing?  Also, is there any way to add the Condition Field to either the search filter or the field set?

I feel like im so close, but somehow miles away from a workable solution

[elw...@wazuh.com]

Hello,

The rule that would work for the new Wazuh version would be the following:

<group name="Silenced,">
       <rule id="100003" level="0">
       <if_group>vulnerability-detector</if_group>

       <field name="vulnerability.package.condition">Package unfixed</field>

       <description>Rule to silence no fixed vulnerabilities</description>
       </rule>
</group>

Note that previously reported vulnerabilities will be always shown because they have been reported before applying the silencing rule. You can find here how the new version of vulnerability module works https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html.

I hope it helps.

Regards,
Wali

[Raphael Pepi]

Again thanks for the help here. I've added the rule as suggested. 

regarding previously reported vulns. is there a way to clear out the data (start fresh)? 

Otherwise im not sure how i can test that the new rule is working without adding new agents to scan.

I read over the docs you suggested before even asking questions in this mailing list, and find the information there useful for initial setup, but missing information such as 

how to filter, reset data, etc etc. Practical use documentation would go a long way to reducing questions in this forum.  For example where would i have found the field name to filter against? 

I didn't see that in the docs or any sort of reference table that shows this. A section in vulnerability detection with this info, and an example of how to make the Silence group + query would be great additions to the docs.

[elw...@wazuh.com]

Hello Raphael,

To force a vulnerability scan for the agents without having to add new ones, The procedure would be the following:

• Stop the manager

• Access this directory /var/ossec/queue/db/ and remove the databases of the agents you want to force the scan in, they will be agent_id.db .

• Restart the manager

For the names of the fields, you should expand the alerts in the events section:

I hope this helps.

Regards,
Wali

[Bernardo Gui]

Hi all,

I am struggling with the same problem. I am getting closer. I understand that vuln. data comes from 2 different sources

1. From logs received from agent and stored in index
2. From agent inventory scan and stored in the SQLite DB 
   e.g. sqlite3 /var/ossec/queue/db/001.db 'select * from vuln_cves'
   

After I added the rule, I can clearly see that no logs (!) containing "package unfixed" show up anymore when accessing "events" tab -> so the rule for 1. works.

However, it seems the rule does not have any effect for the inventory data, in 2. This is collected by the agent and put in the database. One may see the divergence when examining vulnerability data in screen.

So, is my understanding correct? Can we somehow create a rule for inventory data as well?

---

/wazuh version: 

{"error":0,"data":[{"WAZUH_VERSION":"v4.3.9"},{"WAZUH_REVISION":"40322"},{"WAZUH_TYPE":"server"}]}

/rules

<group name="local,syslog,sshd,">

   <rule id="100221" level="0">

    <if_group>vulnerability-detector</if_group>
    <field name="vulnerability.package.condition">Package unfixed</field>

    <description>Silence unfixed vulnerabilities</description>
  </rule>

</group>

[elw...@wazuh.com]

Hello Bernardo,

The provided rule is to silence the vulnerability alerts and that does not apply to the system inventory as the information is being collected using syscollector (https://documentation.wazuh.com/current/user-manual/capabilities/syscollector.html#using-syscollector-information-to-trigger-alerts) and pulled using the API in the Wazuh Dashboard.

Regards,
Wali

[Bernardo Gui]

Hi Wali,

Thanks for confirming my observation. The link you provided, shows how to rise alerts from syscollector.

I am looking for an option to filter results which are collected from the syscollector. Perhaps it's worth to file in a feature request. E.g. in the syscollector configuration:

<!-- System inventory -->
<wodle name="syscollector">
  ...

  <packages>yes</packages>

  <packages_filter>unfixed</packages>

  ...

</wodle>

[elw...@wazuh.com]

Hello Bernardo,

I urge you to open a feature request for it in our repo https://github.com/wazuh/wazuh and we will study the case as soon as time/priorities allow.

Regards,
Wali

[Bernardo Gui]

Hi Wali,

Did so: https://github.com/wazuh/wazuh/issues/15308

Thanks for your replies so far.

B.