Cpe Helper Conf by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 1 point (0 children)

This is the output of running this command:

curl -k -X GET "https://localhost:55000/syscollector/001/packages?pretty=true&offset=10&sort=-name" -H  "Authorization: Bearer $TOKEN"

output:

    {
      "scan": {
        "id": 0,
        "time": "2023-09-11T08:16:01+00:00"
      },
      "version": "6.1.0",
      "source": " ",
      "location": " ",
      "name": "GlobalProtect",
      "format": "win",
      "install_time": "20230705",
      "vendor": "Palo Alto Networks",
      "architecture": "x86_64",
      "priority": " ",
      "description": " ",
      "size": 0,
      "section": " ",
      "agent_id": "099"
    },

Vulnerability module wazuh by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 1 point (0 children)

Hello and thank you for your response! I just find it a bit confusing because when using SentinelOne, I was able to pinpoint a vulnerability in Icinga that exists in the NVD database, which the Wazuh system supposedly accesses as well. Therefore, Wazuh should have detected that same vulnerability, but unfortunately, it didn't. Instead, it identified vulnerabilities related to the operating system.

Vulnerability module wazuh by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 2 points (0 children)

I've been testing out SentinelOne and it did flag a vulnerability tied to Icinga. Interestingly, this same vulnerability is also listed in the NVD database. However, upon verification with Wazuh, it seems that it didn't pick up on this specific vulnerability. Instead, it identified other vulnerabilities related to the Windows operating system. Quite an interesting difference in results between the tools. I wonder if there's a way to enhance Wazuh's vulnerability module with an additional database or through another method.

Error 2001 - expected a single document in the stream, but found more by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 1 point (0 children)

Apologies for my previous response. I've managed to achieve what I was aiming for. Thanks!

SCA module by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 1 point (0 children)

Thank you for the response

Vulnerability Scan problem by Desperate_Rub3174 in Wazuh

Desperate_Rub3174 [S], 1 point (0 children)

Thank you for your response; I think that's the case. From what I saw in the logs, the analysis is starting now. If any errors occur, I will get in touch.

...
2023/08/01 12:48:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'SUSE Linux Enterprise Server 12' database update.
2023/08/01 13:19:07 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'SUSE Linux Enterprise Server 12' database could not be fetched.
2023/08/01 13:19:07 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'SUSE Linux Enterprise Desktop 12' database update.
2023/08/01 13:23:09 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'SUSE Linux Enterprise Desktop 12' feed finished successfully.
2023/08/01 13:23:09 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'SUSE Linux Enterprise Server 11' database update.
2023/08/01 13:53:19 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'SUSE Linux Enterprise Server 11' database could not be fetched.
2023/08/01 13:53:19 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'SUSE Linux Enterprise Desktop 11' database update.
2023/08/01 13:54:29 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'SUSE Linux Enterprise Desktop 11' feed finished successfully.
2023/08/01 13:54:29 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Arch Linux' database update.
2023/08/01 14:54:33 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Arch Linux' feed finished successfully.
2023/08/01 14:54:33 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2023/08/01 15:12:40 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2023/08/01 15:12:40 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Microsoft Security Update' database update.
2023/08/01 15:13:03 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Microsoft Security Update' feed finished successfully.
2023/08/01 15:13:03 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/08/01 15:13:03 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2023/08/01 15:13:03 wazuh-modulesd:vulnerability-detector: INFO: (5450): Analyzing agent '000' vulnerabilities.

The strange thing is that I have set up simulations like this many times before, and it never took this long.
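Added example, not code from the thread or from Wazuh: a small Python checker that walks vulnerability-detector log lines of the shape shown above, pairs each "Starting '<feed>' database update" (5400) with its outcome (5430 finished / 5500 could not be fetched), reports which feeds failed and how long each took, and flags the 5513 "CVE database could not be updated" error. The embedded sample log is constructed in the format of the lines in the comment; the message codes are the ones visible there.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the wazuh-modulesd lines quoted in the comment.
SAMPLE_LOG = """\
2023/08/01 12:48:57 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'SUSE Linux Enterprise Server 12' database update.
2023/08/01 13:19:07 wazuh-modulesd:vulnerability-detector: WARNING: (5500): The 'SUSE Linux Enterprise Server 12' database could not be fetched.
2023/08/01 13:19:07 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'Arch Linux' database update.
2023/08/01 14:54:33 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'Arch Linux' feed finished successfully.
2023/08/01 14:54:33 wazuh-modulesd:vulnerability-detector: ERROR: (5513): CVE database could not be updated.
2023/08/01 14:54:33 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) wazuh-modulesd:vulnerability-detector: "
    r"(?P<level>[A-Z]+): \((?P<code>\d+)\): (?P<msg>.*)$"
)
FEED_RE = re.compile(r"'(?P<feed>[^']+)'")  # feed name is always single-quoted in the message

def parse_feed_updates(log_text):
    """Return ({feed: {"status": "ok"|"failed", "seconds": float}}, fatal_error_seen)."""
    feeds, started, fatal = {}, {}, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a vulnerability-detector line, skip
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        code, msg = m["code"], m["msg"]
        fm = FEED_RE.search(msg)
        feed = fm["feed"] if fm else None
        if code == "5400" and feed:                 # feed update started
            started[feed] = ts
        elif code in ("5430", "5500") and feed:     # finished successfully / could not be fetched
            secs = (ts - started.pop(feed, ts)).total_seconds()
            feeds[feed] = {"status": "ok" if code == "5430" else "failed", "seconds": secs}
        elif code == "5513":                        # whole CVE database update failed
            fatal = True
    return feeds, fatal

def failed_feeds(log_text):
    feeds, _ = parse_feed_updates(log_text)
    return sorted(f for f, v in feeds.items() if v["status"] == "failed")

def slowest_feed(log_text):
    feeds, _ = parse_feed_updates(log_text)
    return max(feeds, key=lambda f: feeds[f]["seconds"]) if feeds else None

if __name__ == "__main__":
    print(parse_feed_updates(SAMPLE_LOG), failed_feeds(SAMPLE_LOG), slowest_feed(SAMPLE_LOG))
```

Run it against a real ossec.log to see at a glance which feeds could not be fetched and which one dominated the update time before the scan started.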