Rule: 23506 fired (level 13) -> "CVE-2020-6831 affects Mozilla Firefox 58.0.2 (x86 he)"


Gal Akavia

Dec 4, 2021, 1:36:49 PM
to Wazuh mailing list
Hi,
I get a lot of Wazuh vulnerability-detector events about Firefox.
I'm using a terminal server and must say there is no Firefox at all.
Does the Wazuh vulnerability-detector generate false-positive events, and do I need to make a rule to suppress some vulnerability results?

No Firefox app in Programs & Features
No Firefox at HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox << does not exist
#firefox -P << firefox not recognized..

Wazuh Notification.
2021 Dec 04 18:03:09
 
Received From: (kavim-ts71) any->vulnerability-detector
Rule: 23506 fired (level 13) -> "CVE-2020-6831 affects Mozilla Firefox 58.0.2 (x86 he)"
Portion of the log(s):


Any idea?

Juan Nicolás Asselle

Dec 5, 2021, 6:13:54 PM
to Wazuh mailing list

Hi gulguly,

First things first, could you please tell me your Wazuh version? The vulnerability detector feature relies on the Agent Inventory (retrieved by the syscollector wodle), so I suggest you check if Mozilla Firefox is actually part of it. This could be retrieved using the Wazuh App (Kibana) or a Wazuh API request (Wazuh App Dev Console or simple curl CLI) to the next endpoint.

About silencing some vulnerability detector alerts, you could create a custom rule like the next one, which will silence CVE-2020-6831 and CVE-2020-6825 alerts.

  <rule id="100001" level="0">
      <if_group>vulnerability-detector</if_group>
      <options>no_full_log</options>
      <field name="vulnerability.cve">^CVE-2020-6831$|^CVE-2020-6825$</field>
      <description>Silencing some vulnerabilities</description>
  </rule>

Vulnerability options to filter here: https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/running-vu-scan.html

Looking forward to your comments.
Regards,
Nico
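
An offline triage sketch for the two points in the reply above, added here as an example and not part of the original thread or Wazuh's own code: it checks whether the package named in an alert appears in a package inventory, and whether the suggested rule's CVE pattern would silence that alert. The inventory entries, the `triage` helper and the use of Python's `re` in place of the Wazuh rule matcher are assumptions; all sample data is constructed.

```python
import re

# Pattern copied from the custom rule's <field name="vulnerability.cve">.
# Assumption: Python's re stands in for the Wazuh rule engine's matcher.
SILENCED = re.compile(r"^CVE-2020-6831$|^CVE-2020-6825$")

# Alert description format as shown in the notification:
#   "<CVE id> affects <package name>"
ALERT = re.compile(r"^(CVE-\d{4}-\d+) affects (.+)$")


def triage(description, inventory):
    """Classify one vulnerability-detector alert against a package inventory."""
    m = ALERT.match(description)
    if m is None:
        raise ValueError(f"unrecognized alert description: {description!r}")
    cve, package = m.groups()
    # An alert is "backed" when the inventory holds a package with that name.
    in_inventory = any(
        p["name"].casefold() == package.casefold() for p in inventory
    )
    return {
        "cve": cve,
        "package": package,
        "in_inventory": in_inventory,
        "silenced": SILENCED.search(cve) is not None,
    }


# Constructed inventory entries (hypothetical shape: name + version only).
SAMPLE_INVENTORY = [
    {"name": "Mozilla Firefox 58.0.2 (x86 he)", "version": "58.0.2"},
    {"name": "Example Package", "version": "1.0"},
]

# First line is the description from the notification; the rest are constructed.
SAMPLE_ALERTS = [
    "CVE-2020-6831 affects Mozilla Firefox 58.0.2 (x86 he)",
    "CVE-0000-0000 affects Example Package",      # placeholder CVE id
    "CVE-2020-6825 affects Not Installed 1.0",    # package absent from inventory
]

if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        print(triage(alert, SAMPLE_INVENTORY))
```

An alert that is silenced while its package is still in the inventory is hidden rather than resolved, so the inventory entry is the thing to investigate.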

Gal Akavia

Dec 7, 2021, 11:18:18 AM
to Wazuh mailing list
Thank you Juan! Got it :)