Offline Update
If the ThreatLockDown server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.
Downloading the ThreatLockDown vulnerabilities file
We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the download link for this compressed file and the date it was generated, query the API as follows.
$ response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0)
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'
https://s3.us-east-1.amazonaws.com/cti-snapshots-pro/store/contexts/vd_1.0.0/consumers/vd_4.8.0/276948_1702552338.zip
2023-12-14T11:12:18.241777Z
Configure offline vulnerability detection
To use the Vulnerability Detection module offline, follow these steps.
Edit the ThreatLockDown server /var/ossec/etc/ossec.conf file. Add the path to the offline repository file in the vulnerability detection block so that the ThreatLockDown server can locate it.

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
  <offline-url>file:///var/path/to/the/cves.file.zip</offline-url>
</vulnerability-detection>
Restart the ThreatLockDown manager, using the command that matches your init system.
# systemctl restart wazuh-manager
# service wazuh-manager restart
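As an added example (not part of the original documentation or the project's own tooling), the following Python helper ties the two procedures above together on the offline side: it validates the JSON returned by the CTI query, extracts the snapshot file name and timestamp, reports how old the snapshot is, and renders the vulnerability-detection block with the matching offline-url. The sample response body is constructed for the example (its field names follow the jq paths shown above), and the local directory /var/ossec/etc/vd-feed is an assumed location for the copied archive.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from pathlib import PurePosixPath
from urllib.parse import urlparse
from xml.sax.saxutils import escape

# Constructed sample of the CTI API response body. The field names match the
# jq paths used in the documentation (.data.last_snapshot_link and
# .data.last_snapshot_at); the values are those shown on the page.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "last_snapshot_link": (
            "https://s3.us-east-1.amazonaws.com/cti-snapshots-pro/store/contexts/"
            "vd_1.0.0/consumers/vd_4.8.0/276948_1702552338.zip"
        ),
        "last_snapshot_at": "2023-12-14T11:12:18.241777Z",
    }
})


def parse_snapshot_info(body: str) -> dict:
    """Pull the snapshot link and timestamp out of the API response and
    sanity-check them before anything is downloaded."""
    data = json.loads(body)["data"]
    link = data["last_snapshot_link"]
    parsed = urlparse(link)
    # Accept only an HTTPS link to a .zip archive, which is what the
    # snapshot endpoint hands out; anything else is treated as an error.
    if parsed.scheme != "https" or not parsed.path.endswith(".zip"):
        raise ValueError(f"unexpected snapshot link: {link}")
    # The API returns an ISO-8601 UTC timestamp with a trailing 'Z'.
    snapshot_at = datetime.fromisoformat(
        data["last_snapshot_at"].replace("Z", "+00:00")
    )
    return {
        "link": link,
        "filename": PurePosixPath(parsed.path).name,
        "snapshot_at": snapshot_at,
    }


def snapshot_age_days(snapshot_at: datetime, now: datetime) -> float:
    """Age of the snapshot in days, so a stale offline feed can be flagged."""
    return (now - snapshot_at).total_seconds() / 86400.0


def offline_url_for(local_dir: str, filename: str) -> str:
    """Build the file:// URL expected by <offline-url> from the directory the
    archive was copied to on the manager (local_dir is an assumption)."""
    return "file://" + str(PurePosixPath(local_dir) / filename)


def render_vulnerability_detection(offline_url: str, interval: str = "60m") -> str:
    """Render the <vulnerability-detection> block for ossec.conf with the
    offline feed enabled, escaping the values so the XML stays well-formed."""
    lines = ["<vulnerability-detection>"]
    for tag, text in (
        ("enabled", "yes"),
        ("index-status", "yes"),
        ("feed-update-interval", interval),
        ("offline-url", offline_url),
    ):
        lines.append(f"  <{tag}>{escape(text)}</{tag}>")
    lines.append("</vulnerability-detection>")
    return "\n".join(lines)


def configured_offline_url(block: str) -> str:
    """Parse a rendered block back and return its <offline-url>, as a quick
    check that the configuration says what you think it says."""
    return ET.fromstring(block).findtext("offline-url")


if __name__ == "__main__":
    info = parse_snapshot_info(SAMPLE_RESPONSE)
    age = snapshot_age_days(info["snapshot_at"], datetime.now(timezone.utc))
    print(f"snapshot {info['filename']} is {age:.1f} days old")
    url = offline_url_for("/var/ossec/etc/vd-feed", info["filename"])
    print(render_vulnerability_detection(url))
```

The age check is worth keeping in an offline deployment: the file on disk only changes when someone downloads and copies a new snapshot, so the snapshot date from the API, not the feed-update-interval, is what tells you how current the CVE data actually is.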