
#5 NVDB count and local NVDB differ need to reload old NVDB files any advice?

Milestone: v1.0_(example)
Status: accepted
Owner: tiochan
Labels: None
Priority: 5
Updated: 2016-01-17
Created: 2016-01-15
Creator: SecMgr
Private: No

Hi,

I had a temporary service outage, which meant the task to load http://nvd.nist.gov/download/nvdcve-modified.xml.gz into the database could not be executed for 6 weeks. So the entries collected from NVDB in my local sigvi database show a gap. I would like to fill this gap by reloading the annual summary files "NVD 2014 file" and "NVD 2015 file" into the existing database.

To do so I added 2 entries to sigvi.vulnerability_sources

15 NVD - 2014 NVD 2014 file cve-1.2-cvss.php compress.zlib://http://nvd.nist.gov/download/nvdcve-2014.xml.gz 1
16 NVD - 2015 NVD 2015 file cve-1.2-cvss.php compress.zlib://http://nvd.nist.gov/download/nvdcve-2015.xml.gz 1

and launched

/var/www/sigvi/my_include/classes# php -f /var/www/sigvi/cron/launch_processes.php force

The output was:
Executing task: '10 Autovalidate alerts'
- return code: 0
Executing task: '20 Load Vulnerabilities'
- return code: 0
Executing task: '30 Check server vulnerabilities'
- return code: 0
Executing task: '40 Check repository Updates'
- return code: 0
Executing task: '50 Load product dictionaries'
Executing task: '99 Reports'
- return code: 0
Task Periodicity Finished Execution time
10 Autovalidate alerts daily OK 0.025
20 Load Vulnerabilities daily OK 2.325
30 Check server vulnerabilities daily OK 0.747
40 Check repository Updates daily OK 0.062
50 Load product dictionaries daily OK 55.46
99 Reports daily OK 1.038

Task launched: 10 Autovalidate alerts


[ Periodicity: daily ]



Task finished with exit status: 0
Task launched: 20 Load Vulnerabilities


[ Periodicity: daily ]


---------------------------------------------------------------------
Vulnerabilities loaded from source NVD - updates: found 257 vulnerabilities, 5 of them were loaded into dabatase.



Task finished with exit status: 0
Task launched: 30 Check server vulnerabilities


[ Periodicity: daily ]


Have been found 250 matches of vulnerable products installed on any server
Have been processed 0 alerts
Have been sent 1 notifications to the administrators of affected servers


Task finished with exit status: 0
Task launched: 40 Check repository Updates


[ Periodicity: daily ]

Discoverer not enabled.

Task finished with exit status: 0
Task launched: 50 Load product dictionaries


[ Periodicity: daily ]



Task finished with exit status: 0
Task launched: 99 Reports


[ Periodicity: daily ]


- Generating the report 'Vulnerability evolution' for User akeviczky.
- Generating the report 'Security report' for User akeviczky.

Task finished with exit status: 0
Mail sent to root@localhost
You have new mail in /var/mail/root

Looking at the output, it only states that NVD - updates has been used. The report sent by email to root also states "Vulnerabilities loaded from source NVD - updates: found 257 vulnerabilities, 5 of them were loaded into dabatase."

Any advice what needs to be done?

Thank you in advance.
Cheers, Andreas

Discussion

  • tiochan - 2016-01-15

    You can force the load of each NVD source directly from the source management page:
    Configuration -> Sources.

    There is a sub-menu with two options:
    Tools
    Test sources
    Manual load from sources

    Try the second one "Manual load from source". You will be redirected to a page where you can select the source to force its load. Select it and press "Ok".

    Let me know if that worked for you.

  • tiochan - 2016-01-15
    • status: open --> accepted
    • assigned_to: tiochan

  • SecMgr - 2016-01-17

    It worked! :-)

    Based on your advice I identified the root cause. Myself. Some time ago I created a dedicated user for daily operations with fewer privileges than the admin user and I forgot about the admin user. As designed, the Config Menu was not shown to the lower-privileged account.

    Logging in as admin, the configuration menu shows up. Then I followed your advice and loading started as mentioned.

    ---- cut ----------------

    CVE-2014-1280: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1281: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1282: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1284: 2014-03-13 - 2014-03-13 --> Added
    CVE-2014-1285: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1286: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1287: 2014-03-14 - 2014-03-14 --> Added
    CVE-2014-1289: 2014-03-14 - 2014-04-04 --> Same or more recent version exists, skipping
    CVE-2014-1290: 2014-03-14 - 2014-04-04 --> Same or more recent version exists, skipping
    CVE-2014-1291: 2014-03-14 - 2014-04-04 --> Same or more recent version exists, skipping
    CVE-2014-1292: 2014-03-14 - 2014-04-04 --> Same or more recent version exists, skipping
    CVE-2014-1293: 2014-03-14 - 2014-04-05 --> Same or more recent version exists, skipping

    --- cut ------------------

    When completing it stated

    "Vulnerabilities loaded from source NVD - 2014: found 7371 vulnerabilities, 805 of them were loaded into dabatase."

    So I will do so now for all of my sources to make sure that I did not miss any NVD import. NVD states on their web page that they have 74.614 CVEs (as per 16.01.2016) and I may have missed some more, since querying my local database with "select count(*) from sigvi.vulnerabilities" counted only 20.652. But that's my part ;-)

    Big thank you for your advice!
    Cheers.

  • SecMgr - 2016-01-17

    Following your advice and performing the update for all NVDB data feeds from 2002 to 2016 was fast and reduced the gap to 51 entries. That's really cool! :-)
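
Added example, not SIGVI code and not written by anyone in this thread: a small Python script that reproduces the merge rule visible in the loader output quoted above (a CVE is "Added" when the local store lacks it, and skipped with "Same or more recent version exists" when the local modified date is the same or newer) on a constructed feed excerpt in the CVE 1.2 layout, and counts the local CVEs per year so you can see which annual feed still needs reloading when the total does not match what NVD publishes. The feed excerpt, the local store layout (CVE id mapped to its modified date) and the third "Updated" verdict for stale local entries are assumptions, not taken from the project.

```python
"""Reconcile an NVD CVE 1.2 annual feed against a local vulnerability store.

The store is a plain dict of CVE id -> modified date; a real deployment
would fill it from the sigvi.vulnerabilities table (which columns hold the
id and the modified date is an assumption, not taken from the project).
"""
import gzip
import xml.etree.ElementTree as ET
from collections import Counter
from datetime import date

NVD_NS = "http://nvd.nist.gov/feeds/cve/1.2"

# Constructed sample mimicking the nvdcve-2014.xml layout (published/modified
# are ISO dates on each <entry>). Not a real feed excerpt.
SAMPLE_FEED = f"""<?xml version="1.0" encoding="UTF-8"?>
<nvd xmlns="{NVD_NS}">
  <entry type="CVE" name="CVE-2014-1280" seq="2014-1280" published="2014-03-14" modified="2014-03-14"/>
  <entry type="CVE" name="CVE-2014-1281" seq="2014-1281" published="2014-03-14" modified="2014-03-14"/>
  <entry type="CVE" name="CVE-2014-1289" seq="2014-1289" published="2014-03-14" modified="2014-04-04"/>
  <entry type="CVE" name="CVE-2014-1290" seq="2014-1290" published="2014-03-14" modified="2014-04-04"/>
  <entry type="CVE" name="CVE-2015-0001" seq="2015-0001" published="2015-01-06" modified="2015-01-20"/>
</nvd>
"""

# Constructed local store: CVE id -> modified date already held locally.
SAMPLE_LOCAL = {
    "CVE-2014-1289": date(2014, 4, 4),   # same version as the feed -> skip
    "CVE-2014-1290": date(2014, 5, 1),   # newer locally -> skip
    "CVE-2015-0001": date(2015, 1, 6),   # older locally -> refresh
}


def parse_feed(data: bytes):
    """Yield (cve_id, published, modified) from a CVE 1.2 feed, gzipped or plain."""
    if data[:2] == b"\x1f\x8b":          # gzip magic, as served for *.xml.gz
        data = gzip.decompress(data)
    root = ET.fromstring(data)
    for entry in root.iter(f"{{{NVD_NS}}}entry"):
        yield (
            entry.get("name"),
            date.fromisoformat(entry.get("published")),
            date.fromisoformat(entry.get("modified")),
        )


def merge_feed(local: dict, data: bytes):
    """Apply the loader's rule: add unknown CVEs, refresh stale ones, skip the rest.

    Returns (found, loaded, log_lines); `local` is updated in place.
    """
    found = loaded = 0
    log = []
    for cve_id, published, modified in parse_feed(data):
        found += 1
        have = local.get(cve_id)
        if have is None:
            local[cve_id] = modified
            loaded += 1
            verdict = "Added"
        elif have >= modified:
            verdict = "Same or more recent version exists, skipping"
        else:
            local[cve_id] = modified
            loaded += 1
            verdict = "Updated"
        log.append(f"{cve_id}: {published} - {modified} --> {verdict}")
    return found, loaded, log


def summary_line(source_name: str, found: int, loaded: int) -> str:
    """Closing line in the same shape as the loader's own summary."""
    return (f"Vulnerabilities loaded from source {source_name}: found {found} "
            f"vulnerabilities, {loaded} of them were loaded into database.")


def count_by_year(local: dict) -> Counter:
    """CVE count per year, taken from the id, to spot which annual feed to reload."""
    return Counter(cve_id.split("-")[1] for cve_id in local)


if __name__ == "__main__":
    store = dict(SAMPLE_LOCAL)
    found, loaded, log = merge_feed(store, SAMPLE_FEED.encode())
    print("\n".join(log))
    print(summary_line("NVD - 2014 (constructed)", found, loaded))
    print(dict(count_by_year(store)))
```

Comparing the per-year counts against the totals NVD publishes for each year tells you which annual feed is still short; feeding that file through the manual load described earlier in the thread fills exactly that gap, while entries already current are skipped rather than duplicated.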

     
