Wazuh version | Component | Install type | Install method | Platform
-- | -- | -- | -- | --
3.13.1 | Vulnerability Detector (modulesd) | Manager | Packages | Centos 7
When starting Wazuh the NVD component keep giving " Unavailable vulnerabilities at the NVD database. The scan is aborted."
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:06:02 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:11:03 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2020/10/02 15:11:03 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:11:56 wazuh-modulesd:osquery: INFO: osqueryd is already running with pid 128055. Will run again in 10 minutes.
This is the Ossec conf for Vulnerability scanner module:
yes
5m
yes
yes
/opt/nvd-feed/*.json
2002
2h
The scan_on_start is set to yes.
I've also deleted /var/ossec/queue/vulnerabilities/cve.db before starting the manager.
The sources of feed of nvd are stored in /opt/nvd-feed/*.json and they work.
This is my nvd-generator.sh (it works with no problems)
`#!/bin/bash
Wazuh script to generate a Vulnerability Detector's feed from the National Vulnerability Database
Copyright (C) 2015-2020, Wazuh Inc.
May 9, 2018.
This program is a free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License (version 2) as published by the FSF - Free Software
Foundation.
max_year=`date +"%Y"`
year=$1
last_year=0
directory=$2
if [ $# -ne 2 ]
then
echo "Use: $0 <min_year> <dest_path>"
exit 1
fi
if [ $year -le 2001 ]
then
echo "The year must be greater than 2002"
fi
if [[ ! -d $directory ]]
then
echo "Invalid destination path: '$directory'. It must be a directory."
exit 1
fi
while [ true ]
do
link="https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-$year.json.gz"
file=$directory/nvd-feed$year.json
if [ $last_year -ne $year ]
then
echo "Fetching $link"
fi
last_year=$year
result=$(curl $link --output $file.gz --silent -w '%{http_code}')
if [ $result -ne 200 ]
then
echo "Page download failed ($result), retrying..."
rm -f $file.gz
continue
fi
if [ $year -eq $max_year ]
then
break
fi
year=$[ $year + 1 ]
done
exit 0
`
hi @djehutyy
the default url is fixed in 3.13.2 manager version. I tried something like you, but only updating fixed the issue for me.
Hello @djehutyy
As explained @djehutyy, the issue 6053 was opened to fix the default NVD URL. In that way, it is possible to update the NVD database online in v3.13.2.
Another way to update the NVD database is offline. For that, you need the script that you showed to download the feeds and then configure Vulnerability Detector to read those files. The configuration is not totally correct. I would do a little changes:
<enabled>yes</enabled>
<interval>5m</interval>
<run_on_start>yes</run_on_start>
<provider name="nvd">
<enabled>yes</enabled>
<path>/opt/nvd-feed/.*json$</path>
<update_interval>2h</update_interval>
</provider>
The line <update_from_year>2002</update_from_year> is not necessary because it is used for the online configuration to start to download the feed from 2002 on (in this case).
Also, <path>/opt/nvd-feed/*.json</path> is not correct because path tag accepts paths with regular expression that matches the feed files (regex) and *.json is not a valid regex but .*json. Moreover, I added '$' at the end of the path in <path> to read the files that finish in '.json'. Without '$', files like file1.json.gz could be read too.
It is also important to know that the Vulnerability-Detector module cannot read compressed NVD feeds (it will be fixed in v4.0.0) so after executing the script, it is necessary to uncompress the files, for example, using the following command:
gzip -d /path/nvd-feed2002.json.gz
Another thing to keep in mind is to check the Syscollector module is enabled, in the ossec.conf of the agent host. Wazuh Manager creates inventories for each of the agents, like package inventory, from Syscollector events. Without the package inventory, the scan cannot be completed.
Please keep me informed if these ideas do not work for you.
Regards,
Daniel
Thank you for all the support, updating to 3.13.2 works!!
You are welcome! Glad to help. Feel free to reopen this issue in case you need it.