wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

No results match your search criteria | Vulnerability detection #24971

Closed sushihash closed 2 months ago

sushihash commented 3 months ago

| Wazuh version | Component | Install type | Install method | Platform |
|---|---|---|---|---|
| 4.8.1 | Wazuh Dashboard / Manager | | package | linux |

Hi everyone,

I'm here to talk about vulnerability detection.

I have one agent, and initially, the vulnerability detection works. However, when a new CVE is detected, no event appears in the event category.

Some pictures and files:


<!--
  Wazuh - Manager - Default configuration
  More info at: https://documentation.wazuh.com
  Mailing list: https://groups.google.com/forum/#!forum/wazuh
-->

<ossec_config>
  <global>
    <jsonout_output>yes</jsonout_output>
    <alerts_log>yes</alerts_log>
    <logall>no</logall>
    <logall_json>no</logall_json>
    <email_notification>no</email_notification>
    <email_to>admin@example.net</email_to>
    <smtp_server>smtp.example.wazuh.com</smtp_server>
    <email_from>wazuh@example.wazuh.com</email_from>
    <email_maxperhour>12</email_maxperhour>
    <email_log_source>alerts.log</email_log_source>
    <agents_disconnection_time>20s</agents_disconnection_time>
    <agents_disconnection_alert_time>100s</agents_disconnection_alert_time>
  </global>

  <alerts>
    <log_alert_level>3</log_alert_level>
    <email_alert_level>12</email_alert_level>
  </alerts>

  <!-- Choose between "plain", "json", or "plain,json" for the format of internal logs -->
  <logging>
    <log_format>plain</log_format>
  </logging>

  <remote>
    <connection>secure</connection>
    <port>1514</port>
    <protocol>tcp</protocol>
    <queue_size>131072</queue_size>
  </remote>

  <!-- Policy monitoring -->
  <rootcheck>
    <disabled>no</disabled>
    <check_files>yes</check_files>
    <check_trojans>yes</check_trojans>
    <check_dev>yes</check_dev>
    <check_sys>yes</check_sys>
    <check_pids>yes</check_pids>
    <check_ports>yes</check_ports>
    <check_if>yes</check_if>

    <!-- Frequency that rootcheck is executed - every 12 hours -->
    <frequency>43200</frequency>

    <rootkit_files>/var/ossec/etc/rootcheck/rootkit_files.txt</rootkit_files>
    <rootkit_trojans>/var/ossec/etc/rootcheck/rootkit_trojans.txt</rootkit_trojans>

    <skip_nfs>yes</skip_nfs>
  </rootcheck>

  <wodle name="cis-cat">
    <disabled>yes</disabled>
    <timeout>1800</timeout>
    <interval>1d</interval>
    <scan-on-start>yes</scan-on-start>
    <java_path>wodles/java</java_path>
    <ciscat_path>wodles/ciscat</ciscat_path>
  </wodle>

  <!-- Osquery integration -->
  <wodle name="osquery">
    <disabled>yes</disabled>
    <run_daemon>yes</run_daemon>
    <log_path>/var/log/osquery/osqueryd.results.log</log_path>
    <config_path>/etc/osquery/osquery.conf</config_path>
    <add_labels>yes</add_labels>
  </wodle>

  <!-- System inventory -->
  <wodle name="syscollector">
    <disabled>no</disabled>
    <interval>1h</interval>
    <scan_on_start>yes</scan_on_start>
    <hardware>yes</hardware>
    <os>yes</os>
    <network>yes</network>
    <packages>yes</packages>
    <ports all="no">yes</ports>
    <processes>yes</processes>
  </wodle>

  <sca>
    <enabled>yes</enabled>
    <scan_on_start>yes</scan_on_start>
    <interval>12h</interval>
    <skip_nfs>yes</skip_nfs>
  </sca>

  <vulnerability-detection>
    <enabled>yes</enabled>
    <index-status>yes</index-status>
    <feed-update-interval>5m</feed-update-interval>
  </vulnerability-detection>

  <indexer>
    <enabled>yes</enabled>
    <hosts>
      <host>https://wazuh1-test.unicaen.fr:9200</host>
      <host>https://wazuh2-test.unicaen.fr:9200</host>
    </hosts>

    <ssl>
      <certificate_authorities>
        <ca>/etc/filebeat/certs/root-ca.pem</ca>
      </certificate_authorities>
      <certificate>/etc/filebeat/certs/wazuh1-test.unicaen.fr.pem</certificate>
      <key>/etc/filebeat/certs/wazuh1-test.unicaen.fr-key.pem</key>
    </ssl>
  </indexer>

  <!-- File integrity monitoring -->
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <scan_on_start>yes</scan_on_start>

    <!-- Do not ignore files that change more than 'frequency' times -->
    <auto_ignore frequency="10" timeframe="3600">no</auto_ignore>

    <!-- Directories to check  (perform all possible verifications) -->
    <directories >/etc,/usr/bin,/usr/sbin</directories>
    <directories >/bin,/sbin,/boot</directories>

    <!-- Files/directories to ignore -->
    <ignore>/etc/mtab</ignore>
    <ignore>/etc/hosts.deny</ignore>
    <ignore>/etc/mail/statistics</ignore>
    <ignore>/etc/random-seed</ignore>
    <ignore>/etc/random.seed</ignore>
    <ignore>/etc/adjtime</ignore>
    <ignore>/etc/httpd/logs</ignore>
    <ignore>/etc/utmpx</ignore>
    <ignore>/etc/wtmpx</ignore>
    <ignore>/etc/cups/certs</ignore>
    <ignore>/etc/dumpdates</ignore>
    <ignore>/etc/svc/volatile</ignore>

    <!-- File types to ignore -->
    <ignore type="sregex">.log$|.swp$</ignore>

    <!-- Files no diff -->
    <nodiff>/etc/ssl/private.key</nodiff>
    <skip_nfs>yes</skip_nfs>
    <skip_dev>yes</skip_dev>
    <skip_proc>yes</skip_proc>
    <skip_sys>yes</skip_sys>

    <!-- Nice value for Syscheck module -->
    <process_priority>10</process_priority>

    <!-- Maximum output throughput -->
    <max_eps>100</max_eps>

    <!-- Database synchronization settings -->
    <synchronization>
      <enabled>yes</enabled>
      <interval>5m</interval>
      <max_interval>1h</max_interval>
      <max_eps>10</max_eps>
    </synchronization>
  </syscheck>

  <global>
    <white_list>127.0.0.1</white_list>
    <white_list>^localhost.localdomain$</white_list>
    <white_list>127.0.0.53</white_list>
  </global>

  <command>
    <name>disable-account</name>
    <executable>disable-account</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>restart-wazuh</name>
    <executable>restart-wazuh</executable>
  </command>

  <command>
    <name>firewall-drop</name>
    <executable>firewall-drop</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>host-deny</name>
    <executable>host-deny</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>route-null</name>
    <executable>route-null</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>win_route-null</name>
    <executable>route-null.exe</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

  <command>
    <name>netsh</name>
    <executable>netsh.exe</executable>
        <timeout_allowed>yes</timeout_allowed>
  </command>

<!-- Files to monitor (localfiles) -->

  <localfile>
     <log_format>command</log_format>
     <command>df -P</command>
     <frequency>360</frequency>
  </localfile>

  <localfile>
     <log_format>full_command</log_format>
     <command>netstat -tulpn | sed 's/\([[:alnum:]]\+\)\ \+[[:digit:]]\+\ \+[[:digit:]]\+\ \+\(.*\):\([[:digit:]]*\)\ \+\([0-9\.\:\*]\+\).\+\ \([[:digit:]]*\/[[:alnum:]\-]*\).*/\1 \2 == \3 == \4 \5/' | sort -k 4 -g | sed 's/ == \(.*\) ==/:\1/' | sed 1,2d</command>
     <alias>netstat listening ports</alias>
     <frequency>360</frequency>
  </localfile>

  <localfile>
     <log_format>full_command</log_format>
     <command>last -n 20</command>
     <frequency>360</frequency>
  </localfile>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/ossec/logs/active-responses.log</location>
  </localfile>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/auth.log</location>
  </localfile>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/syslog</location>
  </localfile>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/dpkg.log</location>
  </localfile>

  <localfile>
     <log_format>syslog</log_format>
     <location>/var/log/kern.log</location>
  </localfile>

  <ruleset>
  <!-- Default ruleset -->
  <decoder_dir>ruleset/decoders</decoder_dir>
  <rule_dir>ruleset/rules</rule_dir>
  <rule_exclude>0215-policy_rules.xml</rule_exclude>
  <list>etc/lists/audit-keys</list>
  <list>etc/lists/security-eventchannel</list>
  <list>etc/lists/amazon/aws-eventnames</list>

  <!-- User-defined ruleset -->
  <decoder_dir>etc/decoders</decoder_dir>
  <rule_dir>etc/rules</rule_dir>
  </ruleset>

  <auth>
    <disabled>no</disabled>
    <port>1515</port>
    <use_source_ip>no</use_source_ip>
    <force>
      <enabled>yes</enabled>
      <key_mismatch>yes</key_mismatch>
      <disconnected_time enabled="yes">1h</disconnected_time>
      <after_registration_time>1h</after_registration_time>
    </force>
    <purge>yes</purge>
    <use_password>no</use_password>
    <ciphers>HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH</ciphers>
    <ssl_agent_ca>/var/ossec/etc/root-ca.pem</ssl_agent_ca>
    <ssl_verify_host>yes</ssl_verify_host>
    <ssl_manager_cert>/var/ossec/etc/wazuh1-test.unicaen.fr.pem</ssl_manager_cert>
    <ssl_manager_key>/var/ossec/etc/wazuh1-test.unicaen.fr-key.pem</ssl_manager_key>
    <ssl_auto_negotiate>no</ssl_auto_negotiate>
  </auth>

  <cluster>
    <disabled>no</disabled>
    <name>wazuh</name>
    <node_name>wazuh1-test.unicaen.fr</node_name>
    <node_type>master</node_type>
    <key>xxxxxxx</key>
    <port>1516</port>
    <bind_addr>wazuh1-test.unicaen.fr</bind_addr>
    <nodes>
      <node>wazuh1-test.unicaen.fr</node>
    </nodes>
    <hidden>no</hidden>
  </cluster>

</ossec_config>
sushihash commented 3 months ago

Screenshot_20240730_122523

sushihash commented 3 months ago

Screenshot_20240730_122509

GabrielEValenzuela commented 3 months ago

Hi @sushihash! How are you?

IndexerConnector initialized successfully for index:

Do you see this log in the ossec.log?

sushihash commented 3 months ago

Hi, yes I have it:

2024/07/31 10:36:41 indexer-connector: INFO: IndexerConnector initialized successfully for index: wazuh-states-vulnerabilities-wazuh.

GabrielEValenzuela commented 3 months ago

Hi @sushihash! Great to hear that we're indexing the vulnerabilities.

Is the new CVE found either during the first scan (when an agent connects with the manager and starts the scan) or when you install a vulnerable package after that?

During the first scan, no events are generated. Events are only generated after the initial scan when you install a vulnerable package or when a vulnerability is resolved by installing the package or applying a fix.

I look forward to your response. Have a nice day!

sushihash commented 3 months ago

Hi @GabrielEValenzuela,

They were detected when I added the agent to the manager or when I started the agent.

No event has been recorded in this case?

sushihash commented 3 months ago

Is it possible to create a feature for that? Every scan creates an event?

GabrielEValenzuela commented 3 months ago

Hi @sushihash! I hope you're doing well!

When you add an agent for the first time, it’s treated as the initial scan, so no alert will show up in the event tab. I’ll look into your feature request and get back to you with updates as soon as I can. Thanks for your time! Nice day! 😊
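
The two-phase behaviour described in the two maintainer comments above (the first scan of an agent, including the scan triggered when the agent is first enrolled, only fills the states index; alert events appear only for later transitions) is modelled below. This is an added example, not Wazuh's own code: a small tracker that records the baseline silently, emits "detected" and "resolved" events only for CVEs that appear or disappear in later scans, and still exposes the full current inventory, which is where a CVE found during the first scan is visible. The index name comes from the ossec.log line quoted in this thread and the `<cluster><name>` in the posted ossec.conf; the field names in the events and in the search body (`agent.id`, `vulnerability.id`, `package.name`, ...) and the `event` label are assumptions to check against your index mapping, and the two scan results are constructed sample data.

```python
"""Added example (not Wazuh's own code): a model of the two-phase
vulnerability detection flow described in this thread.

Phase 1: the first scan for an agent is a baseline. The manager writes the
full list of vulnerable packages to the states index and emits no events.
Phase 2: later scans are diffed against the stored state; only transitions
(a CVE appearing or disappearing) produce alert events.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample scan results: {CVE id: (package name, package version)}.
SCAN_INITIAL = {
    "CVE-2024-0001": ("openssl", "3.0.2"),
    "CVE-2024-0002": ("curl", "7.81.0"),
}
SCAN_SECOND = {
    "CVE-2024-0001": ("openssl", "3.0.2"),    # unchanged -> no event
    "CVE-2024-0003": ("libxml2", "2.9.13"),   # newly found -> "detected" event
}                                             # CVE-2024-0002 gone -> "resolved" event


@dataclass
class VulnerabilityTracker:
    agent_id: str
    cluster_name: str = "wazuh"  # <cluster><name> in the posted ossec.conf
    state: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    baselined: bool = False

    @property
    def states_index(self) -> str:
        # Same name as in the ossec.log line quoted in the thread.
        return f"wazuh-states-vulnerabilities-{self.cluster_name}"

    def ingest_scan(self, scan: Dict[str, Tuple[str, str]]) -> List[dict]:
        """Store `scan` as the agent's current state and return the events a
        manager would raise. The first call only sets the baseline."""
        events: List[dict] = []
        if self.baselined:
            for cve in sorted(scan.keys() - self.state.keys()):
                events.append(self._event(cve, scan[cve], "detected"))
            for cve in sorted(self.state.keys() - scan.keys()):
                events.append(self._event(cve, self.state[cve], "resolved"))
        self.state = dict(scan)
        self.baselined = True
        return events

    def _event(self, cve: str, pkg: Tuple[str, str], kind: str) -> dict:
        # Field names are assumptions loosely following the states index layout.
        return {"agent.id": self.agent_id, "vulnerability.id": cve,
                "package.name": pkg[0], "package.version": pkg[1], "event": kind}

    def current_inventory(self) -> List[str]:
        """What the Inventory tab / states index shows: every open CVE,
        including those that never produced an event."""
        return sorted(self.state)


def states_query(agent_id: str, size: int = 100) -> dict:
    """OpenSearch search body to list an agent's open CVEs straight from the
    states index. Field names are assumptions; check your index mapping."""
    return {
        "size": size,
        "_source": ["agent.id", "agent.name", "package.name", "package.version",
                    "vulnerability.id", "vulnerability.severity"],
        "query": {"term": {"agent.id": agent_id}},
    }


if __name__ == "__main__":
    tracker = VulnerabilityTracker(agent_id="001")
    print("baseline events:", tracker.ingest_scan(SCAN_INITIAL))  # [] by design
    print("second scan events:", json.dumps(tracker.ingest_scan(SCAN_SECOND), indent=1))
    print("inventory:", tracker.current_inventory())
    # Send the body with, for example:
    #   curl -u admin:PASSWORD --cacert root-ca.pem -H 'Content-Type: application/json' \
    #     "https://indexer:9200/<states_index>/_search" -d '<states_query json>'
    print(tracker.states_index, json.dumps(states_query("001")))
```

The point for a practitioner is the last two functions: a CVE that was already present when the agent enrolled never produces an alert, so the Events tab will stay empty for it by design; the states index (and the Inventory tab built on it) is the place to confirm it was detected, and a `term` query on the agent id against `wazuh-states-vulnerabilities-<cluster name>` lists it without waiting for a package change.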

GabrielEValenzuela commented 3 months ago

Hi @sushihash! How are you?

I wanted to let you know that this feature request will be implemented in the upcoming version 5.0.0.

Nice day!

sebasfalcone commented 2 months ago

Inquiry answered, inactive thread. Please reopen it if necessary.