Offline UpdatePermalink to this headline

If the ThreatLockDown server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.

Downloading the ThreatLockDown vulnerabilities filePermalink to this headline

We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the link to download this compressed file and output its date, run a command to query the API as follows.

$ response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0)
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'

Output
https://s3.us-east-1.amazonaws.com/cti-snapshots-pro/store/contexts/vd_1.0.0/consumers/vd_4.8.0/276948_1702552338.zip
2023-12-14T11:12:18.241777Z

Configure offline vulnerability detectionPermalink to this headline

To use the Vulnerability Detection module offline, follow these steps.

Edit the ThreatLockDown server /var/ossec/etc/ossec.conf file. Add the offline repository file path in the vulnerability detection block. This configures the ThreatLockDown server to locate it.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <offline-url>file:///var/path/to/the/cves.file.zip</offline-url>
</vulnerability-detection>

Restart the ThreatLockDown manager.
# systemctl restart wazuh-manager
# service wazuh-manager restart