None of my overrides appear to work

I’ve created several overrides and the vulnerabilities come back every scan still. Are they broken? These worked prior to 5.x as one would expect. Now that I’m on 5.0.10 (they didn’t work on 5.0.6 either) they are not working. When I go to my overrides they are listed there just fine as one would expect.

I just checked and was able to attach a severity changing override to a result via
Web-GUI > Report > Date of a Report > Report:Results > Vulnerability > Magnifier > create override
In the Report:Results view I can see the new, changed severity.

How did you create the override, and how did you check if it worked?

I create the override the same way you do and they appear in Scans:Overrides with the correct severity. In the report after I create the override it shows the Override icon next to the vulnerability which makes me believe it takes. It does not change the severity though.

However, when I run a new scan it comes back in the new report as vulnerable still and there’s no override icon next to it. I’ve done this for several items and it doesn’t work for any.

In 4.x when I created an override it immediately changed the severity in the current report. It doesn’t do that now.

To check if the override is correctly configured, open the detailed override view via
Web GUI > Scans > Override > name of the override > magnifier
Feel free to copy/paste all the info there in a reply if you can’t find a reason why it isn’t applied.

Hope this helps.

NVT Name - NFS export
NVT OID - 1.3.6.1.4.1.25623.1.0.102014
Active - Yes

Application
Hosts - 10.10.3.8
Port - general/udp
Severity - > 0.0
Task - Server Network Scan
Result - NFS export

Appearance
Override from Severity > 0.0 to False Positive
Export is limited to Unitrends appliance.
Modified - Thu, Oct 3, 2019 2:27 PM

[Sun, Oct 6, 2019 10:04 AM UTC] Done [Server Network Scan]

Report: Sun, Oct 6, 2019 10:04 AM UTC (Done)
ID: e3afa443-b137-480e-9e5b-f10f01fe95a0
Created: Sun, Oct 6, 2019 10:04 AM UTC
Modified: Sun, Oct 6, 2019 12:16 PM UTC

IP Name
NFS export 10.0 (High) 70 % [10.10.3.8] general/udp Sun, Oct 6, 2019 11:45 AM UTC

I am experiencing the same issue after updating from v9 to v10.

Old scan results (e.g. no new scan since upgrade) have their overrides applied correctly.

New scan results don’t apply overrides correctly.

As far as I understand it, we are talking two problems here:

  1. You create the override, scan again and the override is not applied to new results
  2. The result shows an override symbol, but it doesn’t have the desired effect.

to 1) There has been a change of behavior in GOS 5. If you create an override by clicking the “New Override” button on a specific result page, the default settings make this override specific for only this result, not for a similar one in other runs of that task. This is the last setting in the dialogue: Result any [ ] NFS export [x]. As seen in your data “Result - NFS export”, your override is specific only for the one result.
Edit the override to Result: Any and it should apply to future results in that task and host. In general, try to make an override as unspecific as possible.

to 2) To see the effect of an override the filter apply_overrides must be set to 1, default is 0. To change this filter enter
    apply_overrides=1
or open the edit filter dialogue and change the radio button at Apply Overrides to yes
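The two settings described in the reply above, as a simplified model. This is an added example, not part of the original thread and not Greenbone's code; the class and function names, the result IDs and the `FALSE_POSITIVE` sentinel are constructed for illustration, while the OID, host, port and task are the ones posted in the thread.

```python
from dataclasses import dataclass, replace
from typing import Optional

FALSE_POSITIVE = -1.0  # constructed sentinel standing in for "False Positive"

@dataclass(frozen=True)
class Result:
    result_id: str   # every scan run produces results with new IDs
    nvt_oid: str
    host: str
    port: str
    task: str
    severity: float

@dataclass(frozen=True)
class Override:
    nvt_oid: str
    new_severity: float
    host: Optional[str] = None       # None models "Any"
    port: Optional[str] = None
    task: Optional[str] = None
    result_id: Optional[str] = None  # None models "Result: Any"
    min_severity: float = 0.0        # models the "Severity > 0.0" field

    def matches(self, r: Result) -> bool:
        if self.nvt_oid != r.nvt_oid or r.severity <= self.min_severity:
            return False
        pairs = [(self.host, r.host), (self.port, r.port),
                 (self.task, r.task), (self.result_id, r.result_id)]
        return all(want is None or want == got for want, got in pairs)

def displayed_severity(r, overrides, apply_overrides=0):
    """Severity a report row shows under the given apply_overrides filter value."""
    if not apply_overrides:          # default filter: overrides are ignored
        return r.severity
    for o in overrides:
        if o.matches(r):
            return o.new_severity
    return r.severity

OID = "1.3.6.1.4.1.25623.1.0.102014"
# Constructed result IDs: the result the override was created on, and the rescan.
oct3 = Result("result-oct3", OID, "10.10.3.8", "general/udp", "Server Network Scan", 10.0)
oct6 = replace(oct3, result_id="result-oct6")
pinned = Override(OID, FALSE_POSITIVE, "10.10.3.8", "general/udp",
                  "Server Network Scan", result_id="result-oct3")
any_result = replace(pinned, result_id=None)  # the "Result: Any" edit

if __name__ == "__main__":
    for name, ov in (("pinned", pinned), ("any_result", any_result)):
        for flag in (0, 1):
            print(name, "apply_overrides=%d" % flag, displayed_severity(oct6, [ov], flag))
```

Only the combination of a "Result: Any" override and `apply_overrides=1` changes what the rescan row displays.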

Thank you Tino,

that was indeed the issue.

In creating a new override it is confusing that it shows the vulnerability name in the parentheses for the “only selected result”.

Thanks @Tino. This was in fact the issue. Much appreciated on the assistance!

Actually, looking at my results, it still keeps the severity a 10 but shows it as ‘overridden’. My report comes back with a 10 still. It doesn’t actually change to false positive.

I’m now running the latest 5.0.12.

Did you switch the filter in the Report:Results view to apply_overrides=1 ?

Wow, missed that part.

Is there a way to make that default? I don’t want to have to do that every time. I see I can save it as a custom filter and I need to select that one so I am assuming that will have to be the way I do it from now on?

Sure.
Open the New Filter dialogue

Web GUI > Scans > Reports > Date of the reports > New Filter (icon on the top right)

Configure a filter of your liking and save it by checking the bottom most box
Open the Edit My Settings dialogue

Web GUI > Extras > My Settings > Edit My Settings (Icon on the top left)

Scroll down to the Filter Settings and select your newly saved filter from the drop down menu in the row: Results Filter.

Awesome!!! Thank you so much for your help @Tino!