This study implements a Wazuh-based Security Information and Event Management (SIEM) prototype to enhance security monitoring for a web application. The architecture uses two VPS instances: a web server as the log source equipped with a Wazuh Agent, and a monitoring server running the Wazuh Manager and Dashboard for event analysis and visualization. The evaluation combines threat hunting and File Integrity Monitoring (FIM) using several test scenarios: OWASP ZAP scanning, XSS, SQL injection (login-form testing and automated sqlmap attacks), and SSH brute force using hydra. The results show that Wazuh successfully detects XSS via rule 31105 (level 6) and sqlmap-based SQL injection via rule 31106 (level 6) because the attack patterns are clearly recorded in the web access logs. SSH brute force is strongly detected by rule 5763 (level 10), indicating repeated failed login attempts. In addition, FIM records file changes such as added and modified files (e.g., rules 554/550); however, it may generate noise when monitoring dynamic directories. The SQL injection attempt through the login form does not produce a specific SQL injection alert, suggesting limitations in log visibility/format and the need for decoder/ruleset tuning. Overall, Wazuh is effective for log-based security monitoring, while detection quality depends on log completeness, rule configuration, and FIM scope.
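As an added illustration (not code from the study), the following Python mimics how a web-access-log rule set sees the three scenarios the abstract reports: XSS and sqlmap payloads travel in the query string and land in the access log, while a login-form POST body never reaches that log, so a URL-based rule has nothing to match. The rule ids and levels echo the abstract; the regexes, sample log lines and IP address are constructed approximations, not Wazuh's own.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in combined access-log format (not taken from the study).
# Lines 1-2 carry payloads in the query string; line 3 is a login-form POST whose
# body (where a form payload would sit) is never written to the access log.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Mar/2025:10:00:01 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2025:10:00:02 +0000] "GET /item?id=1%27%20UNION%20SELECT%20null-- HTTP/1.1" 200 1024 "-" "sqlmap/1.8"
203.0.113.5 - - [10/Mar/2025:10:00:03 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal decoder for the combined format: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Rule ids/levels follow the abstract; the patterns are simplified stand-ins for
# the real ruleset, chosen only to show where a URL-based rule can and cannot see.
RULES = [
    (31105, 6, "XSS attempt", re.compile(r"<script|javascript:|onerror=", re.I)),
    (31106, 6, "SQL injection attempt",
     re.compile(r"union\s+select|'\s*or\s+\d+=\d+|sleep\(", re.I)),
]


def parse_line(line):
    """Decode one access-log line into fields; URL is percent-decoded first."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = m.groupdict()
    event["url"] = unquote(event["url"])
    return event


def evaluate(line):
    """Return the (rule_id, level, description) tuples that fire on one line."""
    event = parse_line(line)
    if event is None:
        return []
    return [(rid, lvl, desc) for rid, lvl, desc, pat in RULES if pat.search(event["url"])]


def scan(log_text):
    """Map line index -> alerts. Lines with no alert are the visibility gaps to tune for."""
    return {i: evaluate(l) for i, l in enumerate(log_text.splitlines()) if l.strip()}


if __name__ == "__main__":
    for idx, alerts in scan(SAMPLE_ACCESS_LOG).items():
        print(idx, alerts or "no alert: payload not visible in access log")
```

The third line is the case the abstract describes: to alert on it, the login handler's own log (or a request-body-aware source) must be shipped to the manager and a decoder/rule written for it.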
Copyright © 2025