Wazuh: Bug: Unavailable vulnerabilities at the NVD database. The scan is aborted.

Created on 2 Oct 2020  路  4Comments  路  Source: wazuh/wazuh

Wazuh version | Component | Install type | Install method | Platform
-- | -- | -- | -- | --
3.13.1 | Vulnerability Detector (modulesd) | Manager | Packages | Centos 7

When starting Wazuh the NVD component keep giving " Unavailable vulnerabilities at the NVD database. The scan is aborted."

2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5400): Starting 'National Vulnerability Database' database update.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5430): The update of the 'National Vulnerability Database' feed finished successfully.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2020/10/02 14:50:59 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:06:02 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:11:03 wazuh-modulesd:vulnerability-detector: INFO: (5431): Starting vulnerability scan.
2020/10/02 15:11:03 wazuh-modulesd:vulnerability-detector: ERROR: (5582): Unavailable vulnerabilities at the NVD database. The scan is aborted.
2020/10/02 15:11:56 wazuh-modulesd:osquery: INFO: osqueryd is already running with pid 128055. Will run again in 10 minutes.

This is the Ossec conf for Vulnerability scanner module:


yes
5m
yes

yes
/opt/nvd-feed/*.json
2002
2h

The scan_on_start is set to yes.
I've also deleted /var/ossec/queue/vulnerabilities/cve.db before starting the manager.

The sources of feed of nvd are stored in /opt/nvd-feed/*.json and they work.

This is my nvd-generator.sh (it works with no problems)

`#!/bin/bash

 Wazuh script to generate a Vulnerability Detector's feed from the National Vulnerability Database
 Copyright (C) 2015-2020, Wazuh Inc.
May 9, 2018.

 This program is a free software; you can redistribute it
 and/or modify it under the terms of the GNU General Public
 License (version 2) as published by the FSF - Free Software
 Foundation.

max_year=`date +"%Y"`
year=$1
last_year=0
directory=$2

if [ $# -ne 2 ]
then
    echo "Use: $0 <min_year> <dest_path>"
    exit 1
fi

if [ $year -le 2001 ]
then
    echo "The year must be greater than 2002"
fi

if [[ ! -d $directory ]]
then
    echo "Invalid destination path: '$directory'. It must be a directory."
    exit 1
fi


while [ true ]
do
    link="https://nvd.nist.gov/feeds/json/cve/1.1/nvdcve-1.1-$year.json.gz"
    file=$directory/nvd-feed$year.json

    if [ $last_year -ne $year ]
    then
        echo "Fetching $link"
    fi
    last_year=$year
    result=$(curl $link --output $file.gz --silent -w '%{http_code}')

    if [ $result -ne 200 ]
    then
        echo "Page download failed ($result), retrying..."
        rm -f $file.gz
        continue
    fi
 if [ $year -eq $max_year ]
    then
        break
    fi
    year=$[ $year + 1 ]
done

exit 0
`
community corvuln detector

All 4 comments

hi @djehutyy
the default url is fixed in 3.13.2 manager version. I tried something like you, but only updating fixed the issue for me.

Hello @djehutyy
As explained @djehutyy, the issue 6053 was opened to fix the default NVD URL. In that way, it is possible to update the NVD database online in v3.13.2.

Another way to update the NVD database is offline. For that, you need the script that you showed to download the feeds and then configure Vulnerability Detector to read those files. The configuration is not totally correct. I would do a little changes:

<enabled>yes</enabled>
<interval>5m</interval>
<run_on_start>yes</run_on_start>
<provider name="nvd">
  <enabled>yes</enabled>
  <path>/opt/nvd-feed/.*json$</path>
  <update_interval>2h</update_interval>
</provider>

The line <update_from_year>2002</update_from_year> is not necessary because it is used for the online configuration to start to download the feed from 2002 on (in this case).

Also, <path>/opt/nvd-feed/*.json</path> is not correct because path tag accepts paths with regular expression that matches the feed files (regex) and *.json is not a valid regex but .*json. Moreover, I added '$' at the end of the path in <path> to read the files that finish in '.json'. Without '$', files like file1.json.gz could be read too.

It is also important to know that the Vulnerability-Detector module cannot read compressed NVD feeds (it will be fixed in v4.0.0) so after executing the script, it is necessary to uncompress the files, for example, using the following command:
gzip -d /path/nvd-feed2002.json.gz

Another thing to keep in mind is to check the Syscollector module is enabled, in the ossec.conf of the agent host. Wazuh Manager creates inventories for each of the agents, like package inventory, from Syscollector events. Without the package inventory, the scan cannot be completed.

Please keep me informed if these ideas do not work for you.

Regards,
Daniel

Thank you for all the support, updating to 3.13.2 works!!

You are welcome! Glad to help. Feel free to reopen this issue in case you need it.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

lo5twind picture lo5twind  路  4Comments

manuasir picture manuasir  路  3Comments

gagantous picture gagantous  路  3Comments

12obin picture 12obin  路  3Comments

BraulioV picture BraulioV  路  3Comments