wazuh / wazuh-dashboard-plugins

Plugins for Wazuh Dashboard
https://wazuh.com/
GNU General Public License v2.0

Add vulnerability scan alert suppression feature to UI #4413

Open zbalkan opened 2 years ago

zbalkan commented 2 years ago

Describe the solution you'd like

TL;DR: Add a Suppress alert option to Vulnerability Scan alerts. Suppression can be either of type WONTFIX or FALSE POSITIVE. And ideally it should require a business justification in a text box.

Vulnerability scan does its job based on the detected packages. But when it becomes bloated due to WONTFIX or false positives, it will cause an issue similar to alert fatigue.

There are some packages that vendors, for instance Red Hat, decided not to fix and mark as WONTFIX. Since there is no possibility to fix those vulnerabilities, we need to suppress the alert. Ideally we should be able to mark the warning as WONTFIX or FALSE POSITIVE, since they have different meanings. With a meaningful comment, like a reference to the vendor documentation mentioning their WONTFIX decision, it can be suppressed.

Also, there may be issues with the vulnerability databases themselves, so that the alerts can be false positives. They can be suppressed with a business justification, too.

Describe alternatives you've considered

Now I am using this method mentioned in the simple but clear article to suppress the problematic alerts: https://www.routerperformance.net/wazuh/exclude-vulnerability-reports-for-specific-packages/

Update: It has not worked for a while. So consider the alternative method obsolete.

Additional context

N/A

AlexRuiz7 commented 2 years ago

Hello @zbalkan

Thanks for using Wazuh.

Please, take a look at this other thread where another user describes a very similar scenario, and where the lead engineer of our @wazuh/core team proposes a solution using custom rules.

I've tested this myself and no further alerts have been generated. However, note that the alerts already generated will keep being shown on the UI.

Best regards, Alex

zbalkan commented 2 years ago

Hi,

Thank you for the link. It is a good workaround for a really needed feature. As you said, the current ones are not suppressed. It basically drops new ones. Therefore, it is not the intention of the ticket.

Since Wazuh tries to be an agent-based vulnerability scanner, this is a must, due to the complexity of vulnerability management.

For instance, Oracle 8 uses binutils version 2.30 while GNU binutils has now reached 2.39. There are 9 minor versions of difference, due to dependencies like glibc. The distro owners do not provide those and you cannot easily compile the tools for yourself. Therefore, by using a specific distro, users have to accept the risk of using not-so-up-to-date packages and the vulnerabilities in between. It is not wise to blindly drop the alerts. We need to be able to mark/label/tag them with a proper justification. It does not mean we ignore those vulnerabilities, but we acknowledge them and accept the risk due to some justifications.

That workaround, or anything similar, does not serve this purpose. That's why I created this ticket.
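The distinction drawn in this thread, acknowledging an alert with a typed justification (WONTFIX or FALSE POSITIVE) rather than dropping it with a level-0 custom rule, can be shown in a small post-processing model. The following is an added example, not code from Wazuh or from either commenter: the alert layout only approximates the `data.vulnerability.cve` / `data.vulnerability.package.name` fields of a vulnerability-detector alert, the sample alerts and CVE ids are constructed placeholders, and the `acknowledgement` block is a hypothetical field, not part of Wazuh's schema.

```python
"""Acknowledge (rather than drop) vulnerability alerts from a suppression list.

Hypothetical example: the alert shape approximates Wazuh's vulnerability
alerts but is a constructed sample, and the "acknowledgement" block is an
invented field used here to model the feature requested in the thread.
"""
import json
from dataclasses import dataclass
from typing import Optional

# The two suppression kinds the ticket asks for; anything else is rejected.
VALID_TYPES = {"WONTFIX", "FALSE_POSITIVE"}


@dataclass(frozen=True)
class Suppression:
    package: str                # package name the entry applies to
    cve: Optional[str]          # a specific CVE, or None for every CVE of the package
    kind: str                   # WONTFIX or FALSE_POSITIVE
    justification: str          # required business justification (vendor reference, ticket, ...)

    def __post_init__(self):
        if self.kind not in VALID_TYPES:
            raise ValueError(f"unknown suppression type: {self.kind}")
        if not self.justification.strip():
            raise ValueError("a justification is required for every suppression")

    def matches(self, alert: dict) -> bool:
        vuln = alert["data"]["vulnerability"]
        if vuln["package"]["name"] != self.package:
            return False
        return self.cve is None or vuln["cve"] == self.cve


def apply_suppressions(alerts: list, suppressions: list) -> list:
    """Return a new list in which every alert is kept; matched alerts gain an
    acknowledgement block instead of being discarded (unlike a level-0 rule)."""
    out = []
    for alert in alerts:
        tagged = json.loads(json.dumps(alert))   # deep copy, never mutate the input
        for s in suppressions:
            if s.matches(alert):
                tagged["data"]["vulnerability"]["acknowledgement"] = {
                    "type": s.kind,
                    "justification": s.justification,
                }
                break   # first matching entry wins
        out.append(tagged)
    return out


def summarize(alerts: list) -> dict:
    """Counts of open vs acknowledged alerts, the split a dashboard would show."""
    ack = sum(1 for a in alerts if "acknowledgement" in a["data"]["vulnerability"])
    return {"open": len(alerts) - ack, "acknowledged": ack}


# Constructed sample alerts (not real Wazuh output); CVE ids are placeholders.
SAMPLE_ALERTS = [
    {"data": {"vulnerability": {"cve": "CVE-0000-0001",
                                "package": {"name": "binutils", "version": "2.30"}}}},
    {"data": {"vulnerability": {"cve": "CVE-0000-0002",
                                "package": {"name": "binutils", "version": "2.30"}}}},
    {"data": {"vulnerability": {"cve": "CVE-0000-0003",
                                "package": {"name": "openssl", "version": "1.1.1k"}}}},
]

# Constructed suppression list; the justification strings are placeholders.
SUPPRESSIONS = [
    Suppression("binutils", "CVE-0000-0001", "WONTFIX",
                "Vendor marked the CVE WONTFIX for this release (placeholder reference)"),
    Suppression("openssl", None, "FALSE_POSITIVE",
                "Fix is backported; the feed matches on the version string only"),
]

if __name__ == "__main__":
    result = apply_suppressions(SAMPLE_ALERTS, SUPPRESSIONS)
    print(json.dumps(summarize(result)))
    for a in result:
        v = a["data"]["vulnerability"]
        state = v.get("acknowledgement", {}).get("type", "OPEN")
        print(v["cve"], v["package"]["name"], state)
```

The second binutils alert stays open because the WONTFIX entry is scoped to one CVE, while the openssl entry acknowledges every CVE for that package; both acknowledged alerts still carry their justification, so the risk acceptance remains visible and auditable rather than silently dropped.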

AlexRuiz7 commented 2 years ago

Wazuh focuses on the detection and alerting of vulnerabilities, among other things. We understand your request, and we are studying how to implement this behavior in the future; however, this is not yet supported by the product.

We'll keep the ticket open in order to keep pushing this request.

Best regards, Alex

zbalkan commented 2 years ago

Hi @AlexRuiz7,

Thank you for the update. Looking at the priorities, this will be in the backlog for a while but it's OK.

Bests.