Objective: To perform a technical post-mortem analysis of a network intrusion attempt using centralized log management and deep packet inspection.

1. The Vulnerability: Unauthorized Reconnaissance

Network visibility is the cornerstone of defensive security. Without centralized logging, attackers can perform stealthy reconnaissance and lateral movement unnoticed. This project demonstrates the integration of Wazuh (SIEM/XDR) and Wireshark to identify, track, and analyze malicious traffic patterns.

2. Technical Execution: Forensic Triage

I used a combination of cloud-based SIEM monitoring and local traffic capture to analyze an active incident. By correlating Wazuh alerts with specific TCP/HTTP streams in a PCAP file, I was able to reconstruct the attacker’s methodology, from initial port scanning to attempted directory traversal.

| Component       | Value             | Purpose                                                |
|-----------------|-------------------|--------------------------------------------------------|
| SIEM            | Wazuh Cloud       | Centralized dashboard for real-time alert correlation. |
| Traffic Capture | PCAP (Wireshark)  | Raw data for deep packet inspection and stream follow. |
| Log Source      | /var/log/auth.log | Analyzing SSH brute-force and privilege escalation.    |
| Outcome         | Incident Report   | Documented findings and remediation steps.             |

3. Execution Workflow

  1. Dashboard Monitoring: Identified a spike in “High” severity alerts on the Wazuh Cloud dashboard originating from a single external IP.
  2. PCAP Extraction: Captured raw network traffic (capture.pcap) during the window of the alert to perform granular analysis.
  3. Stream Reconstruction: Followed HTTP and TCP streams in Wireshark to identify the specific payloads used in the attack.
  4. Hardening: Updated host-based firewall rules and implemented Fail2Ban based on the forensic evidence gathered.
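The following script is an added example, not code from the original project: it does programmatically what steps 2 and 3 describe doing by hand in Wireshark. It parses a libpcap file with the standard library only, keeps the packets that involve the alerting IP inside the alert's time window, groups them into TCP streams (both directions under one key), records bare-SYN probes as scanned ports, and pulls out HTTP request lines so traversal attempts can be flagged. The alert IP is the one from section 4; the target host (10.0.0.5), the time window, the port numbers and the embedded sample traffic are all constructed for the example.

```python
"""Correlate a SIEM alert (source IP + time window) with TCP/HTTP streams in a PCAP.
Pure stdlib; the sample PCAP is constructed inline (libpcap format, Ethernet link type)."""
import struct
from collections import defaultdict

ALERT_IP = "192.168.1.150"                    # source IP from the alert in section 4
TARGET_IP = "10.0.0.5"                        # constructed: the monitored host
WINDOW = (1_700_000_100.0, 1_700_000_160.0)   # constructed: alert window, epoch seconds
SYN, ACK = 0x02, 0x10


def _ipv4_tcp_frame(src, dst, sport, dport, flags, payload=b""):
    """Minimal Ethernet/IPv4/TCP frame; checksums stay zero (the parser ignores them)."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records):
    """records: iterable of (timestamp, frame_bytes) -> bytes of a little-endian pcap file."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, int((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out


# Constructed traffic: one probe before the window, a SYN scan, a traversal request, and noise.
SAMPLE_PCAP = build_pcap([
    (WINDOW[0] - 30, _ipv4_tcp_frame(ALERT_IP, TARGET_IP, 39999, 8080, SYN)),   # outside window
    (WINDOW[0] + 1, _ipv4_tcp_frame(ALERT_IP, TARGET_IP, 40001, 22, SYN)),
    (WINDOW[0] + 1, _ipv4_tcp_frame(ALERT_IP, TARGET_IP, 40002, 443, SYN)),
    (WINDOW[0] + 2, _ipv4_tcp_frame(ALERT_IP, TARGET_IP, 40003, 80, SYN)),
    (WINDOW[0] + 2, _ipv4_tcp_frame(TARGET_IP, ALERT_IP, 80, 40003, SYN | ACK)),
    (WINDOW[0] + 3, _ipv4_tcp_frame(ALERT_IP, TARGET_IP, 40003, 80, ACK,
                                    b"GET /../../../etc/passwd HTTP/1.1\r\nHost: target\r\n\r\n")),
    (WINDOW[0] + 3, _ipv4_tcp_frame(TARGET_IP, ALERT_IP, 80, 40003, ACK,
                                    b"HTTP/1.1 400 Bad Request\r\n\r\n")),
    (WINDOW[0] + 5, _ipv4_tcp_frame("10.0.0.9", TARGET_IP, 50001, 80, ACK,
                                    b"GET /index.html HTTP/1.1\r\n\r\n")),      # unrelated host
])


def parse_pcap(data):
    """Yield (ts, src, dst, sport, dport, flags, payload) for every IPv4/TCP packet."""
    magic, = struct.unpack_from("<I", data, 0)
    e = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _ = struct.unpack_from(e + "IIII", data, off)
        frame = data[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                   # not IPv4/TCP over Ethernet
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        data_off = (tcp[12] >> 4) * 4
        yield sec + usec / 1e6, src, dst, sport, dport, tcp[13], tcp[data_off:]


def correlate(pcap_bytes, alert_ip, window):
    """Keep packets involving alert_ip inside the window, group them into TCP streams
    (keyed so both directions collapse together) and collect HTTP request lines."""
    start, end = window
    streams = defaultdict(lambda: {"packets": 0, "requests": []})
    syn_ports = set()
    for ts, src, dst, sport, dport, flags, payload in parse_pcap(pcap_bytes):
        if alert_ip not in (src, dst) or not start <= ts <= end:
            continue
        key = (src, sport, dst, dport) if src == alert_ip else (dst, dport, src, sport)
        streams[key]["packets"] += 1
        if src == alert_ip and flags & SYN and not flags & ACK:
            syn_ports.add(dport)                       # bare SYN from the alert source: scan probe
        if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD"):
            streams[key]["requests"].append(payload.split(b"\r\n", 1)[0].decode("ascii", "replace"))
    return {"syn_ports": sorted(syn_ports), "streams": dict(streams)}


def traversal_requests(report):
    """Request lines carrying a directory-traversal indicator (raw or URL-encoded '..')."""
    return [r for s in report["streams"].values() for r in s["requests"]
            if "../" in r or "%2e%2e" in r.lower()]


if __name__ == "__main__":
    report = correlate(SAMPLE_PCAP, ALERT_IP, WINDOW)
    print("ports probed:", report["syn_ports"])
    for key, s in report["streams"].items():
        print(key, s)
    print("traversal attempts:", traversal_requests(report))
```

Replacing `SAMPLE_PCAP` with the bytes of a real `capture.pcap` (`open("capture.pcap", "rb").read()`) and the window with the alert's timestamps gives the same stream list Wireshark's "Follow TCP Stream" produces, already filtered to the alerting host, which is the correlation step the report is built on.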

4. Forensic Evidence (Log Snippet)

# Wazuh Alert: Multiple Failed SSH Logins
Rule: 5712 (SSHD Brute Force Attempt)
Source IP: 192.168.1.150
User: root, admin, support
Action: Firewalled via active-response
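As an added example (not the project's code and not Wazuh's rule logic), the script below implements the detection behind an alert like the one above over `/var/log/auth.log` lines: a sliding-window count of failed SSH logins per source IP, the set of usernames tried, and a flag when a login from the same IP succeeds after the brute-force threshold was crossed, which is the case that needs escalation rather than just a block. The thresholds (5 failures within 120 seconds) are assumptions for the example, not rule 5712's or Fail2Ban's settings; the log lines are constructed, and the year is assumed because syslog timestamps carry none.

```python
"""Sliding-window SSH brute-force detector over auth.log lines (constructed sample input)."""
import re
from collections import defaultdict, deque
from datetime import datetime

MAX_FAILURES = 5   # assumed threshold: failures from one IP ...
FINDTIME = 120     # ... within this many seconds

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed auth.log excerpt: one stale failure, a burst from 192.168.1.150 that then
# succeeds as root, two sub-threshold failures from another host, and an unrelated line.
SAMPLE_AUTH_LOG = """\
Nov 12 13:40:01 web01 sshd[2101]: Failed password for root from 192.168.1.150 port 51100 ssh2
Nov 12 14:03:01 web01 sshd[2231]: Failed password for root from 192.168.1.150 port 51200 ssh2
Nov 12 14:03:05 web01 sshd[2233]: Failed password for invalid user admin from 192.168.1.150 port 51201 ssh2
Nov 12 14:03:09 web01 sshd[2235]: Failed password for invalid user admin from 192.168.1.150 port 51202 ssh2
Nov 12 14:03:14 web01 sshd[2237]: Failed password for invalid user support from 192.168.1.150 port 51203 ssh2
Nov 12 14:03:18 web01 sshd[2239]: Failed password for root from 192.168.1.150 port 51204 ssh2
Nov 12 14:03:22 web01 sshd[2241]: Failed password for invalid user support from 192.168.1.150 port 51205 ssh2
Nov 12 14:04:10 web01 sshd[2250]: Accepted password for root from 192.168.1.150 port 51210 ssh2
Nov 12 14:05:00 web01 sshd[2260]: Failed password for ubuntu from 10.0.0.7 port 40010 ssh2
Nov 12 14:05:03 web01 sshd[2262]: Failed password for ubuntu from 10.0.0.7 port 40011 ssh2
Nov 12 14:05:30 web01 sudo: pam_unix(sudo:session): session opened for user root
""".splitlines()


def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd auth event, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, max_failures=MAX_FAILURES, findtime=FINDTIME):
    """Return {ip: report} for every source IP that crossed the failure threshold.
    report = {"flagged_at": ISO timestamp, "users": sorted usernames tried,
              "success_after": (ISO timestamp, user) if a login later succeeded, else None}."""
    state = defaultdict(lambda: {"recent": deque(), "users": set(),
                                 "flagged_at": None, "success_after": None})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ts, result, user, ip = ev
        s = state[ip]
        if result == "Failed":
            s["recent"].append(ts)
            s["users"].add(user)
            while (ts - s["recent"][0]).total_seconds() > findtime:
                s["recent"].popleft()                 # drop failures older than the window
            if s["flagged_at"] is None and len(s["recent"]) >= max_failures:
                s["flagged_at"] = ts
        elif s["flagged_at"] is not None:             # "Accepted" after a brute-force flag
            s["success_after"] = (ts.isoformat(), user)
    return {ip: {"flagged_at": s["flagged_at"].isoformat(),
                 "users": sorted(s["users"]),
                 "success_after": s["success_after"]}
            for ip, s in state.items() if s["flagged_at"] is not None}


if __name__ == "__main__":
    for ip, r in detect(SAMPLE_AUTH_LOG).items():
        print(f"Source IP: {ip}")
        print(f"Users: {', '.join(r['users'])}")
        print(f"Flagged at: {r['flagged_at']}")
        if r["success_after"]:
            print(f"ESCALATE: successful login as {r['success_after'][1]} at {r['success_after'][0]}")
```

The stale 13:40 failure is evicted from the window before the burst is counted, so the flag fires on the fifth failure inside 120 seconds rather than on total count; 10.0.0.7 stays below threshold and is not reported. The `success_after` field is the reason to read the PCAP and the dashboard together rather than stopping at the firewall action.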

5. Evidence of Work

Wazuh Dashboard
*Caption: Real-time monitoring in Wazuh Cloud showing the correlation of multiple security events and agent health.*

Wireshark Analysis
Log Correlation
*Caption: Deep packet inspection (Left) and log correlation (Right) used to identify the specific TTPs of the adversary.*

6. Professional Impact

This project demonstrates a mature Incident Response capability. By bridging the gap between high-level SIEM alerts and low-level packet data, I reduced the Mean Time to Detection (MTTD) for network threats. My remediation plan included the deployment of hardened security configurations and automated active-response scripts to neutralize future threats in real time.