Offline Update
If the ThreatLockDown server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.
Downloading the ThreatLockDown vulnerabilities file
We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable compressed file containing the CVE documents. To retrieve the download link for this file and the date the snapshot was taken, query the API as follows.
$ response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0)
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'
Configure offline vulnerability detection
To use the Vulnerability Detection module offline, follow these steps.
Edit the ThreatLockDown server /var/ossec/etc/ossec.conf file. Add the path of the offline repository file to the vulnerability detection block as a file:// URL, so the ThreatLockDown server can locate it.

<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
  <offline-url>file:///var/path/to/the/cves.file.zip</offline-url>
</vulnerability-detection>
Restart the ThreatLockDown manager, using the command that matches the init system of the server (systemd or SysV init).
# systemctl restart wazuh-manager
# service wazuh-manager restart
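The two halves of this procedure, reading the snapshot link and date from the CTI API response and building the offline-url configuration block, can be scripted on the host that has Internet access. The following is an added example, not code from ThreatLockDown or its documentation; the JSON response, the snapshot link and the local path are constructed sample values, and only the field names (.data.last_snapshot_link, .data.last_snapshot_at) come from the page.

```python
"""Added example: turn a CTI API catalog response into the offline
vulnerability-detection block for an air-gapped ThreatLockDown server."""
import json
import pathlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample response shaped like the real one returned by
# curl -s https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0
# The link and timestamp below are placeholders, not a real snapshot.
SAMPLE_RESPONSE = json.dumps({
    "data": {
        "last_snapshot_link": "https://example.invalid/snapshots/cves-sample.zip",
        "last_snapshot_at": "2024-06-01T03:00:00Z",
    }
})

def snapshot_info(response_text):
    """Return (download link, snapshot timestamp) from the catalog response."""
    data = json.loads(response_text)["data"]
    when = datetime.fromisoformat(data["last_snapshot_at"].replace("Z", "+00:00"))
    return data["last_snapshot_link"], when

def snapshot_age_days(when, now=None):
    """Age of the snapshot in days; a stale file means recent CVEs stay invisible offline."""
    now = now or datetime.now(timezone.utc)
    return (now - when).total_seconds() / 86400

def offline_url(local_path):
    """Build the file:// URL for <offline-url>; the path must be absolute on the server."""
    path = pathlib.PurePosixPath(local_path)
    if not path.is_absolute():
        raise ValueError("offline-url must point at an absolute local path")
    return f"file://{path}"

def render_block(local_path, interval="60m"):
    """Render the <vulnerability-detection> block to paste into /var/ossec/etc/ossec.conf."""
    root = ET.Element("vulnerability-detection")
    for tag, text in [("enabled", "yes"), ("index-status", "yes"),
                      ("feed-update-interval", interval),
                      ("offline-url", offline_url(local_path))]:
        ET.SubElement(root, tag).text = text
    ET.indent(root, space="  ")  # Python 3.9+
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    link, when = snapshot_info(SAMPLE_RESPONSE)
    print(f"download {link} (snapshot {when.isoformat()}, {snapshot_age_days(when):.0f} days old)")
    print(render_block("/var/ossec/tmp/cves.zip"))  # constructed destination path
```

Copy the downloaded file to the path you pass to render_block on the offline server, then restart the manager as above; the printed age lets you judge whether the snapshot is fresh enough for your feed-update-interval.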