Offline Update

If the ThreatLockDown server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.

Downloading the ThreatLockDown vulnerabilities file

We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the link to download this compressed file and output its date, run a command to query the API as follows.

$ response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0)
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'

https://s3.us-east-1.amazonaws.com/cti-snapshots-pro/store/contexts/vd_1.0.0/consumers/vd_4.8.0/276948_1702552338.zip
2023-12-14T11:12:18.241777Z

Configure offline vulnerability detection

To use the Vulnerability Detection module offline, follow these steps.

Edit the ThreatLockDown server /var/ossec/etc/ossec.conf file. Add the offline repository file path in the vulnerability detection block. This configures the ThreatLockDown server to locate it.

<vulnerability-detection>
   <enabled>yes</enabled>
   <index-status>yes</index-status>
   <feed-update-interval>60m</feed-update-interval>
   <offline-url>file:///var/path/to/the/cves.file.zip</offline-url>
</vulnerability-detection>

Restart the ThreatLockDown manager.

# systemctl restart wazuh-manager

# service wazuh-manager restart