Offline Update
If the Wazuh server isn't directly connected to the Internet, it's still possible to keep the Common Vulnerabilities and Exposures (CVEs) information updated. You can download a repository file and access it within your local environment or network.
Downloading the Wazuh vulnerabilities file
We regularly publish a snapshot of the threat intelligence repository to the Cyber Threat Vulnerability Intelligence (CTI) API. We provide this snapshot as a downloadable file containing the CVE documents. To retrieve the link to download this compressed file and output its date, run a command to query the API as follows.
$ response=$(curl -s -X GET https://cti.wazuh.com/api/v1/catalog/contexts/vd_1.0.0/consumers/vd_4.8.0)
$ echo "$response" | jq -r '.data.last_snapshot_link'
$ echo "$response" | jq -r '.data.last_snapshot_at'
Output:
https://cti.wazuh.com/store/contexts/vd_1.0.0/consumers/vd_4.8.0/1251692_1737570906.zip
2025-01-22T18:35:06.662375Z
Where 2025-01-22T18:35:06.662375Z is the time of the last update.
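The following is an added example, not part of the Wazuh documentation: a Python sketch for the internet-connected staging host that checks the API response before the snapshot is carried to the offline server. The function names, the single-host allow-list and the 7-day staleness threshold are assumptions, and the sample response is constructed from the output shown above.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample holding the two fields the jq commands above read.
SAMPLE_RESPONSE = json.dumps({"data": {
    "last_snapshot_link": "https://cti.wazuh.com/store/contexts/vd_1.0.0"
                          "/consumers/vd_4.8.0/1251692_1737570906.zip",
    "last_snapshot_at": "2025-01-22T18:35:06.662375Z",
}})
EXPECTED_HOST = "cti.wazuh.com"  # assumption: only the API's own host is trusted


def parse_snapshot(response_text):
    """Return (link, published_at); reject links that are unsafe to fetch."""
    data = json.loads(response_text)["data"]
    link, stamp = data["last_snapshot_link"], data["last_snapshot_at"]
    url = urlparse(link)
    if url.scheme != "https" or url.hostname != EXPECTED_HOST:
        raise ValueError(f"unexpected snapshot location: {link}")
    if not url.path.endswith(".zip"):
        raise ValueError(f"snapshot is not a .zip file: {link}")
    # datetime.fromisoformat() rejects a trailing "Z" before Python 3.11.
    return link, datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def is_stale(published_at, now, max_age=timedelta(days=7)):
    """True when the snapshot is older than max_age (hypothetical threshold)."""
    return now - published_at > max_age


def sha256_file(path):
    """Digest to record before transfer and compare on the offline server."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


if __name__ == "__main__":
    link, published_at = parse_snapshot(SAMPLE_RESPONSE)
    print("download:", link)
    print("published:", published_at.isoformat())
    print("stale:", is_stale(published_at, datetime.now(timezone.utc)))
```

Record the digest from sha256_file on the staging host and compare it after the file is copied into the offline network, so a truncated or altered archive is caught before the manager loads it.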
Configure offline vulnerability detection
To use the Vulnerability Detection module offline, follow these steps.
Edit the Wazuh server /var/ossec/etc/ossec.conf file. Add the offline repository file path in the vulnerability detection block. This configures the Wazuh server to locate it.
<vulnerability-detection>
  <enabled>yes</enabled>
  <index-status>yes</index-status>
  <feed-update-interval>60m</feed-update-interval>
  <offline-url>file:///path/to/the/cves.file.zip</offline-url>
</vulnerability-detection>
Restart the Wazuh manager. Use the first command on systemd hosts and the second on SysV init hosts.
# systemctl restart wazuh-manager
# service wazuh-manager restart