disable CVE events in security events


Mefisto Evil

Apr 18, 2023, 5:49:18 AM
to Wazuh mailing list
Is there a way to disable all CVE events in the security events list? I have a lot of them,
and I want to see them if I go to a particular agent -> Vulnerabilities in the dashboard,
but not in the list of all events.
Examples of events:

CVE-2023-24861 affects Windows Server 20xx
CVE-2023-24908 affects Windows Server 20xx

Manuel Jose Cano Rojo

Apr 18, 2023, 6:28:12 AM
to Wazuh mailing list
Hi Mefisto,

It is possible, let me lead you through the process. To suppress an alert, you can create a custom rule with level = 0, which means the alert will be ignored when a specific rule or group of rules is triggered. This kind of rule is usually stored in /var/ossec/etc/local_rules.xml. You can also use the WUI, where you can navigate to Management -> Rules; there you can set a filter to Custom rules and select the file local_rules.xml. An example of this rule could look as follows:

<group name="cve-ignore,">
  <rule id="100002" level="0">
    <if_group>vulnerability-detector</if_group>
    <!-- <field> is matched as a regex, so alternatives are separated with | -->
    <field name="vulnerability.cve">CVE-0000-0000|CVE-0000-0001|CVE...</field>
    <description>Ignoring alert $(vulnerability.cve). Vulnerability was published $(vulnerability.published). Reference $(vulnerability.reference)</description>
    <location>agent_name</location>
    <options>no_full_log</options>
  </rule>
</group>
Note that the <field> tag must contain the CVE you are aiming to silence. The <location> tag is set in order to name a specific agent to silence; if you want to apply this to every agent, you can simply leave the <location> tag out.

Let me know if you need any further help.

Regards,
Manuel.

Mefisto Evil

Apr 18, 2023, 7:01:05 AM
to Wazuh mailing list
Hi Manuel, thank you for the answer.
So I should type every CVE in the <field> tag? I have a lot of them. Is there no way to do this without typing all CVEs one by one?
On Tuesday, April 18, 2023 at 15:28:12 UTC+5, Manuel Jose Cano Rojo wrote:

Manuel Jose Cano Rojo

Apr 19, 2023, 12:39:49 PM
to Wazuh mailing list
Hi Mefisto,

You have to do it this way; there is no other way to perform this operation at the moment.

Regards,

Manuel.
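
Manuel's answer above means every CVE ID has to be written into the <field> pattern by hand. Because that field is evaluated as a regular expression, the pattern can be generated from a list instead of typed. The script below is an added example, not code from this thread or from the Wazuh project: it builds a level-0 rule in the shape Manuel posted from a list of CVE IDs, joins the IDs with | as alternatives and anchors each with ^ and $ (both stated here as assumptions about Wazuh's OS_Regex syntax, since the thread does not say so), validates each ID against the CVE-YYYY-NNNN form and the rule ID against the documented custom range 100000-120000, and parses the output back to confirm it is well-formed XML. The CVE IDs and the agent name are constructed sample values.

```python
import re
import xml.etree.ElementTree as ET

# Constructed input: the two CVE IDs named in this thread, standing in for a
# longer list you would read from a file or export from the dashboard.
CVES_TO_SILENCE = [
    "CVE-2023-24861",
    "CVE-2023-24908",
]

# Strict CVE ID form: CVE-<4-digit year>-<4 or more digits>.
CVE_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Documented ID range reserved for custom rules in Wazuh.
CUSTOM_RULE_ID_MIN = 100000
CUSTOM_RULE_ID_MAX = 120000


def cve_field_regex(cves):
    """Build the <field> pattern that matches any of the given CVE IDs.

    Assumption (not stated in the thread): Wazuh evaluates <field> as an
    OS_Regex pattern, where '|' separates alternatives and '^'/'$' anchor a
    match. Each ID is anchored so that CVE-2023-2486 cannot match
    CVE-2023-24861. CVE IDs contain only letters, digits and '-', so no
    character needs escaping.
    """
    cleaned = []
    for cve in cves:
        cve = cve.strip().upper()
        if not CVE_ID_RE.match(cve):
            raise ValueError(f"not a CVE identifier: {cve!r}")
        if cve not in cleaned:  # drop duplicates, keep input order
            cleaned.append(cve)
    if not cleaned:
        raise ValueError("no CVE identifiers supplied")
    return "|".join(f"^{c}$" for c in cleaned)


def build_ignore_rule(cves, rule_id=100002, agent_name=None):
    """Return the XML text of a level-0 rule in the shape Manuel posted.

    rule_id must sit inside the custom range. agent_name, when given, is
    written into <location> exactly as the thread does; when it is None the
    element is omitted and the rule applies to every agent.
    """
    if not (CUSTOM_RULE_ID_MIN <= rule_id <= CUSTOM_RULE_ID_MAX):
        raise ValueError(f"rule id {rule_id} is outside the custom range")
    group = ET.Element("group", name="cve-ignore,")
    rule = ET.SubElement(group, "rule", id=str(rule_id), level="0")
    ET.SubElement(rule, "if_group").text = "vulnerability-detector"
    ET.SubElement(rule, "field", name="vulnerability.cve").text = cve_field_regex(cves)
    ET.SubElement(rule, "description").text = (
        "Ignoring alert $(vulnerability.cve). "
        "Vulnerability was published $(vulnerability.published). "
        "Reference $(vulnerability.reference)"
    )
    if agent_name:
        ET.SubElement(rule, "location").text = agent_name
    ET.SubElement(rule, "options").text = "no_full_log"
    ET.indent(group, space="  ")
    return ET.tostring(group, encoding="unicode")


def parse_rule(xml_text):
    """Read the generated fragment back; fails if it is not well-formed XML."""
    root = ET.fromstring(xml_text)
    rule = root.find("rule")
    return {
        "group": root.get("name"),
        "id": rule.get("id"),
        "level": rule.get("level"),
        "if_group": rule.findtext("if_group"),
        "field": rule.findtext("field"),
        "location": rule.findtext("location"),
    }


if __name__ == "__main__":
    # "agent_name" is the placeholder from Manuel's post, not a real agent.
    print(build_ignore_rule(CVES_TO_SILENCE, agent_name="agent_name"))
```

Paste the printed fragment into /var/ossec/etc/local_rules.xml and restart wazuh-manager, as the thread describes, using a rule ID that is not already taken by another custom rule.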

Kamil Tańcula

Nov 7, 2024, 11:53:51 PM
to Wazuh | Mailing List
Hi,

I have a problem tracing down why disabling a CVE does not work.
Example.
I want to disable CVE number CVE-2023-37920 for agent linux-wazuh-20.
[attached screenshot: Zrzut ekranu 2024-11-07 153405.png]
I created the following entry in local_rules.xml.

<group name="cve-ignore,">
  <rule id="190001" level="0">
    <if_group>vulnerability-detector</if_group>
    <field name="vulnerability.cve">CVE-2023-37920</field>
    <description>Ignoring alert $(vulnerability.cve). Vulnerability was published $(vulnerability.published). Reference $(vulnerability.reference)</description>
    <location>linux-wazuh-20</location>
    <options>no_full_log</options>
  </rule>
</group>


I restarted wazuh-manager and wazuh-agent, and the entry for this CVE is still there.
What am I doing wrong?
