No vulnerable packages found #39

Open
Ric4br opened this issue Oct 9, 2019 · 7 comments

Ric4br commented Oct 9, 2019

Hi!

I need help with the script scan.py.
I followed the installation instructions on the Zabbix server and 2 test servers. The data collection seems to work, and the integration with Zabbix also.

But when I get the list of packages and make a manual audit in Vulners, it finds hundreds of problems as expected, but scan.py just writes "No vulnerable packages found" for the server. In the dump created by scan.py the packages are listed.

How can I debug the communication and the answer from Vulners?

Best Regards

Author

Ric4br commented Oct 9, 2019

INFO:ZTC:Connected to Zabbix API v.4.2.6
INFO:ZTC:Received from Zabbix 2 hosts for processing
INFO:ZTC:Receiving extended data about hosts from Zabbix
INFO:ZTC:[1 of 2] "XXXXX". Successfully received extended data
INFO:ZTC:[2 of 2] "YYYYYY". Successfully received extended data
INFO:ZTC:Processed hosts: 2.
INFO:ZTC:Checking data from Zabbix
INFO:ZTC:After checking data from Zabbix, there are 2 entries left. Removed 0
INFO:ZTC:Receiving the vulnerabilities from Vulners
INFO:ZTC:[1 of 2] "XXXXX". Successfully received data from Vulners
INFO:ZTC:[2 of 2] "YYYYYY". Successfully received data from Vulners
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Exclude invalid response data from Vulners
INFO:ZTC:There are 2 entries left. Removed: 0
INFO:ZTC:Сreating an additional field in the host-matrix based on data from Vulners
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed
INFO:ZTC:[2 of 2] "YYYYYY". Successfully processed
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Сreating an LLD-data: CVSS-Scores and Cumulative-Fix commands
INFO:ZTC:Creating a matrix of vulnerable packages of all hosts
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed vulnerable packages: 2
INFO:ZTC:[2 of 2] "YYYYYY". No vulnerable packages found
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique vulnerable packages processed: 2
INFO:ZTC:Сreating an LLD-data for package monitoring
INFO:ZTC:Creating an bulletin-matrix
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed security bulletins: 3
INFO:ZTC:[2 of 2] "YYYYYY". No security bulletins found
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique security bulletins processed: 3
INFO:ZTC:Сreating an LLD-data for bulletin monitoring
INFO:ZTC:Сreating an CVSS Score-based host-lists
INFO:ZTC:Сreating an aggregated data
INFO:ZTC:Pushing LLD-objects to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/lld.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 3; failed: 0; total: 3; seconds spent: 0.000554"
sent: 3; skipped: 0; total: 3

INFO:ZTC:sleep for 5 min
INFO:ZTC:Pushing data to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/data.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 23; failed: 0; total: 23; seconds spent: 0.000876"
sent: 23; skipped: 0; total: 23

INFO:ZTC:Work completed successfully

Collaborator

samosvat commented Oct 9, 2019

What CVSS-Scores do these packages have?

Author

Ric4br commented Oct 9, 2019

All of them ;-), a many-months-old backup as test server "YYYYYY"

vulners_screenshot

Author

Ric4br commented Oct 10, 2019

Hi again!
Maybe I'm testing it wrong. Today, overnight, the result was different: it found more issues, but not that many.

Yesterday I went into the Zabbix host's items, selected the Vulners items and ran "check now". The clients logged the execution of the scripts. After that I started scan.py on the Zabbix server, and got the result described above.

Overnight the results were different.
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed vulnerable packages: 7
INFO:ZTC:[2 of 2] "YYYYYY". Successfully processed vulnerable packages: 4
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique vulnerable packages processed: 11
INFO:ZTC:Сreating an LLD-data for package monitoring
INFO:ZTC:Creating an bulletin-matrix
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed security bulletins: 5
INFO:ZTC:[2 of 2] "YYYYYY". Successfully processed security bulletins: 1
INFO:ZTC:Processed hosts: 2
INFO:ZTC:Unique security bulletins processed: 5
INFO:ZTC:Сreating an LLD-data for bulletin monitoring
INFO:ZTC:Сreating an CVSS Score-based host-lists
INFO:ZTC:Сreating an aggregated data
INFO:ZTC:Pushing LLD-objects to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/lld.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 3; failed: 0; total: 3; seconds spent: 0.000514"
sent: 3; skipped: 0; total: 3

INFO:ZTC:sleep for 5 min
INFO:ZTC:Pushing data to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/data.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 34; failed: 0; total: 34; seconds spent: 0.000996"
sent: 34; skipped: 0; total: 34

Maybe I'm missing some step, because today I did it the "check now" way and the results were the same as yesterday.

Best regards.

@rbourgaize

@Ric4br

I stumbled onto your comment when I was trying to fix the same issue myself. My symptoms were that, as I could see in the output you last commented, vulnerable packages were identified but did not appear in Zabbix:
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed vulnerable packages: 7
INFO:ZTC:[2 of 2] "YYYYYY". Successfully processed vulnerable packages: 4

I found that in my /etc/zabbix/zabbix_server.conf on the Zabbix server my trapper listen port was not enabled:
ListenPort=10051
So when Vulners tried to push to it, Zabbix was not listening for the data.

@rbourgaize

There are a few bits to the install that were not covered in the guide, and a few possible typos which cause issues. Going to try and rebuild Zabbix and the Vulners integration at some point and document the steps, as it seems to work well(ish), but there is a lot more to do outside of the guide to get it to work fully.

Author

Ric4br commented Oct 15, 2019

Hi all!

It is not the same problem. The data is pushed into Zabbix:

vulners_screenshot

But the clients don't get the correct package problems. If I run the scan on the clients it seems OK, but the wrong data arrives at Zabbix, and this data is pushed into Zabbix.

Best Regards
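
An added example (not part of the thread and not the project's own code): a small triage of scan.py output that separates the two symptoms discussed here, a host for which the scan reports no vulnerable packages and a zabbix_sender push whose response shows failed values. The sample log is constructed from the format quoted above, and `triage` is a hypothetical helper name.

```python
import re

# Constructed sample in the format of the scan.py output quoted in this thread;
# the last response line is altered to show a partly rejected push.
SAMPLE_LOG = """\
INFO:ZTC:[1 of 2] "XXXXX". Successfully processed vulnerable packages: 2
INFO:ZTC:[2 of 2] "YYYYYY". No vulnerable packages found
INFO:ZTC:Pushing LLD-objects to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/lld.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 3; failed: 0; total: 3; seconds spent: 0.000554"
INFO:ZTC:Pushing data to Zabbix: zabbix_sender -z localhost -p 10051 -i /opt/monitoring/zabbix-threat-control/data.zbx
INFO:ZTC:Response from "localhost:10051": "processed: 20; failed: 3; total: 23; seconds spent: 0.000876"
"""

HOST = re.compile(r'\[\d+ of \d+\] "([^"]+)"\. (?:Successfully processed vulnerable '
                  r'packages: (\d+)|No vulnerable packages found)')
PUSH = re.compile(r'Pushing (LLD-objects|data) to Zabbix: zabbix_sender')
RESP = re.compile(r'Response from "[^"]+": "processed: (\d+); failed: (\d+); total: (\d+)')


def triage(log_text):
    """Return (packages per host, push results, findings) for one scan.py run."""
    packages, pushes, pending = {}, [], None
    for line in log_text.splitlines():
        if m := HOST.search(line):
            packages[m.group(1)] = int(m.group(2) or 0)
        elif m := PUSH.search(line):
            pending = {"kind": m.group(1), "failed": None, "total": None}
            pushes.append(pending)
        elif (m := RESP.search(line)) and pending is not None:
            pending.update(failed=int(m.group(2)), total=int(m.group(3)))
            pending = None
    findings = []
    for host, count in packages.items():
        if count == 0:  # scan-side symptom: no vulnerable packages matched for this host
            findings.append(f'scan: "{host}" reported no vulnerable packages')
    for push in pushes:
        if push["total"] is None:  # zabbix_sender was started but no response was logged
            findings.append(f'push: no response logged for {push["kind"]}')
        elif push["failed"]:  # the server rejected some of the pushed values
            findings.append(f'push: {push["failed"]} of {push["total"]} '
                            f'{push["kind"]} values failed')
    return packages, pushes, findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG)[2]:
        print(finding)
```

A `scan:` finding with clean pushes points at the package data or the Vulners answer for that host; a `push:` finding points at the path between zabbix_sender and the Zabbix server.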
