Security Monitoring/Analysis

Security Analysis for Web Server using SIEM and Packet Analyzer

As a Security Analyst, the most important sources of information needed to analyse and protect assets are:
  • Log files
  • Network packets / traffic flow (ingress/egress, internal/external)

Log Management (SIEM)

A SIEM collects the logs from your assets and converts them into a user-friendly structure for much better data analysis.
Splunk, Sumo Logic, AlienVault and many more are used for data (log) analysis.

Packet Analyzer

The most effective method for network and security analysis. Wireshark is the open-source packet analyzer widely used to analyse traffic flow.

Add an IDS (Snort/Suricata) that matches traffic against its signatures.


Web Server Security Analysis:

Logs and Traffic Flow Structure


In this analysis, the web server is the asset; its log files are sent to the SIEM for data/log analysis, and a packet analyzer runs on the internal interface.

SIEM >>> Sumo Logic and AlienVault
Packet Analyzer >>> Wireshark
IDS >>> Snort

Packet Analysis

As a Security Analyst, you will be analysing unknown requests to the web server or known exploits.
HTTP response codes indicate the errors corresponding to the requests, which helps to decide whether the traffic is malicious or not.

The source IP is scanning unknown pages and the response is 404 Not Found. Because there are so many unknown requests, the traffic is suspicious.
The PROPFIND request is used for a Remote Code Execution exploit.

Attacker IP: 45.40.254.145 
Screenshot: Exploit attempt

Screenshot: HTTP response code

In conclusion, Remote Code Execution was attempted from the attacker IP and the exploit was unsuccessful, since the HTTP response seen in the packet analyzer was 404 Not Found.

Great packet analysis done by Manikandan Ramkumar on ct21-Webserver >> Link

In addition, the IDS rule for RCE matched for the attacker IP:

Screenshot: Snort rule


Log/Data Analysis (SIEM)


Data analysis helps to learn more about the attacker in depth, such as request counts, IP reputation, geolocation and much more.

The Overview/Dashboard gives a good summary of the collected logs in a user-friendly structure, which helps to investigate accurately.

AlienVault Analysis



Top hosts are listed to prioritise the analysis.

Once the logs are collected, the tool converts the log data into EVENTS for analysis.

Attacker IP: 193.112.100.154, Events: 400 errors

Screenshot: Event

Further investigation: filter on the source IP and find all the events it triggered.


Investigating the event and verifying the log data: the log indicates the reason for error code 404.

"POST /w.php HTTP/1.1" >> POST request



An IDS event is triggered because the packet matches the signature (rule) in place.


IP reputation >> Link


The external IP has a bad reputation. Remote Code Execution was attempted and was unsuccessful.

As a solution, block the external IP on the firewall/end device so that the connection is reset for any further exploit attempts.

Sumo Logic Analysis

Data analysis of HTTP status codes summarizes the traffic on the web server.
Error code 404 occurs more often than the others.


Filter the search for error code = 404 together with the corresponding source IP.


Source IP: 45.40.254.145 has the highest count.


Filtering to Source IP = 45.40.254.145, time interval = 5s:
The external hits are too fast and suspicious.




The messages are the log lines; observing the URLs in the screenshot above, the external IP is scanning for an exploit on admin pages.

Solution: the high number of attempts and the GET requests for admin pages confirm malicious activity from the external IP; block the external IP on the firewall/end device.
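The AlienVault and Sumo Logic steps above (convert log lines to events, summarize status codes, filter 404s per source IP, check the hit rate over a 5s window, and look for PROPFIND, POST /w.php and admin-page GETs) as a worked example in Python. This is an added example, not code from the write-up or from either tool; the log lines are constructed, the timestamps are hypothetical, and the admin path list is an assumption.

```python
import re
from collections import Counter
from datetime import datetime
# Constructed sample access-log lines (Apache-style, hypothetical timestamps); the source IPs
# are the two external IPs named in the write-up plus one benign internal client.
SAMPLE_LOG = """\
45.40.254.145 - - [10/Mar/2019:10:00:01 +0000] "GET /admin/ HTTP/1.1" 404 209
45.40.254.145 - - [10/Mar/2019:10:00:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209
45.40.254.145 - - [10/Mar/2019:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 404 209
45.40.254.145 - - [10/Mar/2019:10:00:04 +0000] "PROPFIND / HTTP/1.1" 404 209
193.112.100.154 - - [10/Mar/2019:10:05:00 +0000] "POST /w.php HTTP/1.1" 404 209
10.0.0.7 - - [10/Mar/2019:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 1043
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
ADMIN_PATHS = ('/admin', '/administrator', '/phpmyadmin', '/wp-admin')  # assumed probe list

def parse(log_text):
    """Turn raw access-log lines into event dicts, as the SIEM converts logs into events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({'ip': m['ip'], 'method': m['method'], 'path': m['path'], 'status': int(m['status']),
                           'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')})
    return events
def status_summary(events):
    """Dashboard view: number of responses per HTTP status code."""
    return Counter(e['status'] for e in events)

def top_404_sources(events):
    """Filter on status 404 and count per source IP (the Sumo Logic search on the page)."""
    return Counter(e['ip'] for e in events if e['status'] == 404)

def flag_source(events, ip, window_s=5, burst=3):
    """Why one source looks malicious: a burst of 404s inside window_s seconds, a PROPFIND
    request, a POST to a script, or GET probes for admin pages."""
    own = sorted((e for e in events if e['ip'] == ip), key=lambda e: e['ts'])
    reasons = set()
    nf = [e['ts'] for e in own if e['status'] == 404]  # timestamps of the 404s, oldest first
    for i in range(len(nf) - burst + 1):
        if (nf[i + burst - 1] - nf[i]).total_seconds() <= window_s:
            reasons.add('burst_404')
    for e in own:
        if e['method'] == 'PROPFIND':
            reasons.add('propfind')
        if e['method'] == 'POST' and e['path'].endswith('.php'):
            reasons.add('post_script')
        if e['method'] == 'GET' and e['path'].lower().startswith(ADMIN_PATHS):
            reasons.add('admin_probe')
    return reasons
```

Run `flag_source(parse(SAMPLE_LOG), '45.40.254.145')` to get the set of reasons for that source; an empty set means none of the page's indicators fired.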


In conclusion, working with open-source tools and free versions of software helps to develop your security skills and to learn about exploits and their mitigation, which leads to becoming a better Security Analyst.