wazuh / wazuh

Wazuh - The Open Source Security Platform. Unified XDR and SIEM protection for endpoints and cloud workloads.
https://wazuh.com/

vulnerability-detection is not populating alerts.json #25802

Closed wugutech closed 1 month ago

wugutech commented 1 month ago

Wazuh = 4.9.0 (OVA) /var/ossec/bin/wazuh-agentd -V = 4.9.0

I just did a fresh install and added an Alma 9.3 agent. I use the Splunk UF to forward /var/ossec/logs/alerts/alerts.json. In Wazuh-web/vulnerability-detection/agent-name it shows hundreds in the count. I did a test dnf update; now everything is gone, but no alerts.json is populated,

I do not see any alerts around vulnerability-detection in alerts.json, but others are fine and indexed/searchable as usual.

Before the 4.9.0 test, I deployed Wazuh = 4.8.1 (OVA), same condition. I have not done anything at the .conf or custom file level. I got this one event as an example, out of 28 only (Windows 11), but in Wazuh-web/vulnerability-detection/agent-name it shows hundreds instead:

```json
{"timestamp":"2024-09-15T03:55:10.308+0000","rule":{"level":10,"description":"CVE-2007-3282 affects Microsoft Office Home and Student 2021 - en-us","id":"23505","firedtimes":1,"mail":false,"groups":["vulnerability-detector"],"gdpr":["IV_35.7.d"],"pci_dss":["11.2.1","11.2.3"],"tsc":["CC7.1","CC7.2"]},"agent":{"id":"001","name":"COMPUTERNAME","ip":"192.168.194.86"},"manager":{"name":"wazuh-server"},"id":"1726372510.901496","decoder":{"name":"json"},"data":{"vulnerability":{"assigner":"mitre","cve":"CVE-2007-3282","cvss":{"cvss2":{"base_score":"7.800000","vector":{"access_complexity":"LOW","authentication":"NONE","availability":"COMPLETE","confidentiality_impact":"NONE","integrity_impact":"NONE"}}},"enumeration":"CVE","package":{"architecture":"x86_64","condition":"Package default status","name":"Microsoft Office Home and Student 2021 - en-us","source":" ","version":"16.0.17928.20156"},"published":"2007-06-19T22:30:00Z","rationale":"Buffer overflow in the Microsoft Office MSODataSourceControl ActiveX object allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long argument to the DeleteRecordSourceIfUnused method.","reference":"http://osvdb.org/38471, http://www.securitytracker.com/id?1018251, https://exchange.xforce.ibmcloud.com/vulnerabilities/34849, https://www.exploit-db.com/exploits/4067","severity":"High","status":"Active","title":"CVE-2007-3282 affects Microsoft Office Home and Student 2021 - en-us","type":"Packages","updated":"2017-10-11T01:32:44Z"}},"location":"vulnerability-detector"}
```

Am I missing something? I'm sorry it's not much info, but that's all; it should be enough and super clear 🙏🙏🙏

MiguelazoDS commented 1 month ago

Hello @wugutech,

This is working as designed, let me explain.

The vulnerability detector module relies on the information from the package provider that Syscollector uses to gather the information about the packages on the agent system. In your manager, there are agent databases (one per agent) in /var/ossec/queue/db.

There are two methods the agent-manager communication uses to store the packages (and other providers') information in the agent database (manager side): synchronization and update by deltas.

When the agent has just connected to the manager, it is always a synchronization; in that case, NO alerts are generated. It was implemented that way to avoid flooding: with just 3 agents with 1k vulnerabilities each, it would be too much.

The only alerts you can see are the ones that occur during a delta update. The delta update occurs if the Syscollector scan interval expires and the first synchronization is already done. In that case, it is unusual to have many new packages; it will only report the latest packages installed after the sync.

Take into account that restarting your agent also restarts that behavior.

TL;DR: by design, Syscollector synchronization does not report alerts. Only deltas do. To hit a delta, a synchronization must be done initially and new packages should be installed between the sync and the second Syscollector scan; for those few packages there will be alerts.

Let me know if I was not clear enough. Regards!
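To check what the alert stream actually contains, here is an added example (not code from the thread or the Wazuh project): a small Python filter over alerts.json, which is newline-delimited JSON with one alert per line. It selects alerts whose rule.groups contains "vulnerability-detector" and that carry a data.vulnerability object, as in the alert pasted above, and summarizes them per agent, severity and status. The sample lines, the agent "alma9" and the CVE identifiers CVE-2024-99901/CVE-2024-99902 are constructed for the example; rule IDs other than the one copied from the issue are omitted because the filter keys on the rule group, not the ID.

```python
"""Summarize vulnerability-detector alerts in a Wazuh alerts.json stream.

Added example, not code from the issue thread or the Wazuh project. alerts.json
is newline-delimited JSON; vulnerability alerts carry "vulnerability-detector"
in rule.groups and a data.vulnerability object (see the alert in the issue).
"""
import json
from collections import Counter
from typing import Iterable

VULN_GROUP = "vulnerability-detector"

# Constructed sample input: one line trimmed from the alert in the issue, two
# constructed vulnerability alerts for a second agent (CVE ids are placeholders),
# one unrelated syscheck alert, and one truncated line (a partially written tail
# is normal while the manager is still appending to the file).
SAMPLE_ALERTS = "\n".join([
    json.dumps({"timestamp": "2024-09-15T03:55:10.308+0000",
                "rule": {"id": "23505", "level": 10, "groups": [VULN_GROUP]},
                "agent": {"id": "001", "name": "COMPUTERNAME"},
                "data": {"vulnerability": {
                    "cve": "CVE-2007-3282", "severity": "High", "status": "Active",
                    "package": {"name": "Microsoft Office Home and Student 2021 - en-us",
                                "version": "16.0.17928.20156"}}}}),
    json.dumps({"timestamp": "2024-09-15T04:00:00.000+0000",
                "rule": {"level": 7, "groups": [VULN_GROUP]},
                "agent": {"id": "002", "name": "alma9"},
                "data": {"vulnerability": {
                    "cve": "CVE-2024-99901", "severity": "Medium", "status": "Active",
                    "package": {"name": "curl", "version": "7.76.1"}}}}),
    json.dumps({"timestamp": "2024-09-15T04:00:01.000+0000",
                "rule": {"level": 5, "groups": [VULN_GROUP]},
                "agent": {"id": "002", "name": "alma9"},
                "data": {"vulnerability": {
                    "cve": "CVE-2024-99902", "severity": "Low", "status": "Solved",
                    "package": {"name": "curl", "version": "7.76.1"}}}}),
    json.dumps({"timestamp": "2024-09-15T04:00:02.000+0000",
                "rule": {"id": "550", "level": 7, "groups": ["ossec", "syscheck"]},
                "agent": {"id": "002", "name": "alma9"},
                "syscheck": {"path": "/etc/passwd"}}),
    '{"timestamp": "2024-09-15T04:00:03.000+0000", "rule": {"id": "1"',
])


def iter_alerts(lines: Iterable[str]):
    """Yield parsed alerts, skipping blank and unparseable lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_vuln_alert(alert: dict) -> bool:
    """True for alerts emitted by the vulnerability detector (delta updates)."""
    groups = alert.get("rule", {}).get("groups", [])
    return VULN_GROUP in groups and "vulnerability" in alert.get("data", {})


def summarize(lines: Iterable[str]) -> dict:
    """Count vulnerability alerts per agent, severity and status; also report
    how many alerts of any kind were parsed, so an empty vulnerability set can
    be told apart from an empty or unreadable file."""
    total = 0
    per_agent, per_severity, per_status = Counter(), Counter(), Counter()
    cves = set()
    for alert in iter_alerts(lines):
        total += 1
        if not is_vuln_alert(alert):
            continue
        vuln = alert["data"]["vulnerability"]
        agent = alert.get("agent", {})
        per_agent[f'{agent.get("id", "?")}:{agent.get("name", "?")}'] += 1
        per_severity[vuln.get("severity", "Unknown")] += 1
        per_status[vuln.get("status", "Unknown")] += 1
        if vuln.get("cve"):
            cves.add(vuln["cve"])
    return {"total_alerts": total, "vuln_alerts": sum(per_agent.values()),
            "per_agent": dict(per_agent), "per_severity": dict(per_severity),
            "per_status": dict(per_status), "cves": sorted(cves)}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. /var/ossec/logs/alerts/alerts.json
        with open(sys.argv[1], encoding="utf-8") as fh:
            result = summarize(fh)
    else:
        result = summarize(SAMPLE_ALERTS.splitlines())
    print(json.dumps(result, indent=2))
```

Run against the real file on the manager (`python3 vuln_alerts.py /var/ossec/logs/alerts/alerts.json`). A large `total_alerts` with `vuln_alerts` at zero is exactly the situation described above: the agent's packages arrived through the initial synchronization, which produces no alerts, so the dashboard's indexed vulnerability state and alerts.json legitimately disagree until a delta (a package installed after the sync) fires.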

wugutech commented 1 month ago

Hello, I think it's quite "fair" to let the first agent connection, for the vulnerability detection results (or any module?), send the results to alerts.json first, and (for vulnerability detection particularly) let subsequent alerts be only for deltas, because of the flooding matter mentioned,

or perhaps at least let Wazuh admins have a choice about it, or simply use this? https://documentation.wazuh.com/current/user-manual/capabilities/system-inventory/viewing-system-inventory-data.html#query-the-agent-inventory-database

https://documentation.wazuh.com/current/user-manual/capabilities/vulnerability-detection/how-it-works.html The doc also becomes misleading when people read it; moreover, the diagram picture is misleading too. It does not tell anything you mentioned, or perhaps they are explained under other doc topics?

MiguelazoDS commented 1 month ago

Hello!

The alert behavior is particular for each module.

It does not make much sense to use the system inventory database, since the vulnerabilities are indexed now. Previously the vulnerabilities were stored in a database, but the alerts had the same behavior.

The documentation does not describe the module deeply, I'm with you on that, and I'll talk to the team to improve that.

wugutech commented 1 month ago

Thank you very much, now I access the vulnerability data via the REST API.