wazuh@googlegroups.com


Jairus Noel

Jun 30, 2022, 10:00:53 PM
to Wazuh mailing list

Vulnerability Management module:

We believe we are not receiving proper vulnerability management data from Wazuh. Please suggest to us if any config changes need to be made. We can see only the vulnerability CVE-2021-41821, which is related to Wazuh itself: “Wazuh Manager in Wazuh through 4.1.5 is affected by a remote Integer Underflow vulnerability that might lead to denial of service.”

When we pull the VM report from Qualys we could see different vulnerabilities on the same machine.


wazuh log.PNG

antonio....@wazuh.com

Jul 4, 2022, 4:13:32 AM
to Wazuh mailing list

Hello Jairus.

We will need the following information in order to better help you:

  • Wazuh Manager version.
  • Wazuh Agent version.
  • OS running the Wazuh agent.
  • Vulnerability Detector configuration.
  • Check the logs in case there is an error or warning (the manager logs are located in /var/ossec/logs/ossec.log).

I would also recommend updating to a newer version, as a lot of improvements have been added to the VD module.
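As an added example (not from this thread and not Wazuh's own tooling), the following POSIX shell script does the log check Antonio asks for in the last bullet: it pulls the vulnerability-detector module's ERROR and WARNING lines out of a Wazuh manager log so they can be reviewed before anything else is changed. The log is constructed here to follow the ossec.log line layout (date, time, module tag, level, message); the module tag `wazuh-modulesd:vulnerability-detector` and the message texts are assumptions, not real Wazuh output.

```shell
#!/bin/sh
# Added example: triage vulnerability-detector problems in a Wazuh manager log.
# Real usage would point LOGFILE at /var/ossec/logs/ossec.log on the manager;
# here a small constructed log is written to a temp file so the script runs offline.
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
2022/07/04 09:58:01 wazuh-modulesd:vulnerability-detector: INFO: Starting vulnerability scan (constructed).
2022/07/04 09:58:02 wazuh-modulesd:vulnerability-detector: WARNING: Unsupported OS for agent 003, skipping (constructed).
2022/07/04 09:58:03 wazuh-modulesd:vulnerability-detector: ERROR: Could not update the MSU feed (constructed).
2022/07/04 09:58:04 wazuh-remoted: INFO: Reading authentication keys file (constructed).
2022/07/04 09:58:05 wazuh-modulesd:vulnerability-detector: INFO: Vulnerability scan finished (constructed).
EOF

# Print "LEVEL<TAB>message" for every vulnerability-detector line at WARNING or ERROR.
# Field layout assumed: $1 date, $2 time, $3 module tag (with trailing colon), $4 level, rest message.
vd_problems() {
  awk '$3 == "wazuh-modulesd:vulnerability-detector:" && ($4 == "ERROR:" || $4 == "WARNING:") {
         level = substr($4, 1, length($4) - 1)
         msg = ""
         for (i = 5; i <= NF; i++) msg = msg (i > 5 ? " " : "") $i
         print level "\t" msg
       }' "$1"
}

# Number of ERROR lines from the module (grep -c exits 1 on zero matches, hence || true).
vd_error_count() {
  grep -c 'wazuh-modulesd:vulnerability-detector: ERROR: ' "$1" || true
}

# Stand-alone run: list the problems, then the error count.
echo "vulnerability-detector problems in $SAMPLE_LOG:"
vd_problems "$SAMPLE_LOG"
echo "error lines: $(vd_error_count "$SAMPLE_LOG")"
```

Run it against the real log as root (the log is owned by the wazuh user), and read any ERROR line about the feed before touching the configuration: a feed that cannot be downloaded explains an almost empty vulnerability list far better than a configuration mistake does.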

Jairus Noel

Jul 4, 2022, 3:00:04 PM
to Wazuh mailing list
Hello Antonio,

Please find the details below:

  • Wazuh Manager version: v3.13.3
  • Wazuh Agent version: v3.13.2
  • OS running the Wazuh agent: Win 7, Win 10, Win 11
  • Vulnerability Detector configuration: attached screenshot
  • Check the logs in case there is an error or warning (the manager logs are in /var/ossec/logs/ossec.log): attached the logs
Ossec.log.log
VM detector.png

antonio....@wazuh.com

Jul 5, 2022, 5:39:26 AM
to Wazuh mailing list

Hello Jairus

I recommend updating both the manager and the agent to a newer version (ideally 4.3.x), as tons of improvements and fixes have been included since 3.13. In particular, support for Win 11 and Win 10 was added in 4.3.
Another problem with using the old version is that the MSU (the feed that Wazuh uses to get Windows vulnerabilities) is not updated automatically, causing false positives and other problems.

So, as I mentioned, you should update to a newer version and check whether the problem persists.

These are some of the PRs that have been added during this time that could fix your issue:


Kind regards

Jairus Noel

Jul 7, 2022, 2:05:02 AM
to Wazuh mailing list
Hello Antonio,

I really appreciate your help.

We are facing a few more challenges in our environment; would you like to have a look and share your thoughts on them?

We have one Wazuh manager and 3 worker nodes for 3 different regions.

We are seeing issues with communication with many agents in the Wazuh console. We observed that agents are not picking up DHCP IP addresses properly, due to which many agents are showing as disconnected. For example:

In the attachment below we see the same IP address assigned to 2 machines, but only one is showing as active, even though the other machine is live on the network. This has been confirmed by other endpoint tools we use, like Symantec, Qualys, etc.

FortiAnalyzer Integration:

We are trying to get logs from our FortiAnalyzer into Wazuh. We have forwarded logs from FAZ to Wazuh (screenshot attached). However, we are not receiving the logs from FAZ. In the Wazuh ossec file we have added the Syslog output. Can you please let us know if we need to add the IP in any other config file? We worked with our network team and there doesn't seem to be any firewall issue.

wazuh log.PNG
FAZ.PNG
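A Wazuh manager only accepts syslog from a device such as FortiAnalyzer when its ossec.conf contains a `<remote>` block with `<connection>syslog</connection>`, and the documented `<allowed-ips>` option is what limits which senders it will accept. As an added example (not from this thread and not Wazuh's own code), the following POSIX shell script reads an ossec.conf, lists every `<remote>` listener, and reports whether a syslog listener exists and which senders it allows. The configuration below is constructed; the element names are the documented Wazuh `<remote>` options, while the addresses and ports are sample values.

```shell
#!/bin/sh
# Added example: inspect the <remote> listeners declared in a Wazuh manager's ossec.conf.
# Real usage would point CONF at /var/ossec/etc/ossec.conf (path assumed from Wazuh docs);
# here a constructed configuration is written to a temp file so the script runs offline.
CONF="$(mktemp)"
trap 'rm -f "$CONF"' EXIT
cat >"$CONF" <<'EOF'
<ossec_config>
  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
  </remote>
  <remote>
    <connection>syslog</connection>
    <port>514</port>
    <protocol>udp</protocol>
    <allowed-ips>192.0.2.0/24</allowed-ips>
  </remote>
</ossec_config>
EOF

# Print one line per <remote> block: "connection port protocol allowed-ips".
# A "-" in the last column means the block declares no <allowed-ips> at all.
# Assumes each element sits on its own line, as in the default ossec.conf layout.
remote_blocks() {
  awk '
    /<remote>/  { conn = port = proto = ""; ips = "-"; inblock = 1; next }
    inblock && /<connection>/  { sub(/.*<connection>/, "");  sub(/<\/connection>.*/, "");  conn  = $0 }
    inblock && /<port>/        { sub(/.*<port>/, "");        sub(/<\/port>.*/, "");        port  = $0 }
    inblock && /<protocol>/    { sub(/.*<protocol>/, "");    sub(/<\/protocol>.*/, "");    proto = $0 }
    inblock && /<allowed-ips>/ { sub(/.*<allowed-ips>/, ""); sub(/<\/allowed-ips>.*/, ""); ips   = $0 }
    /<\/remote>/ { print conn, port, proto, ips; inblock = 0 }
  ' "$1"
}

# Exit status 0 if a syslog listener is declared, 1 otherwise.
has_syslog_listener() {
  remote_blocks "$1" | awk '$1 == "syslog" { found = 1 } END { exit found ? 0 : 1 }'
}

# Print the allowed-ips of the first syslog listener ("-" if none is set).
syslog_allowed_ips() {
  remote_blocks "$1" | awk '$1 == "syslog" { print $4; exit }'
}

# Stand-alone run: list listeners and summarise the syslog one.
echo "remote listeners in $CONF:"
remote_blocks "$CONF"
if has_syslog_listener "$CONF"; then
  echo "syslog listener present, allowed senders: $(syslog_allowed_ips "$CONF")"
else
  echo "no syslog listener declared; the manager will not accept syslog from FAZ"
fi
```

If the script reports no syslog listener, adding the `<remote>` block is the first step; once one exists, keep `<allowed-ips>` limited to the FortiAnalyzer address so the manager does not accept forged syslog from arbitrary hosts on the network, and confirm with `ss -lun` (or `ss -ltn` for TCP) that the manager is actually bound on the chosen port after a restart.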