Overview

Reference for preparing and testing a virtual incident response environment using Wazuh, Snort and Volatility. Involves three VMware machines: Ubuntu Desktop (SIEM), Windows Server 2016 (guinea pig) and Kali (attack box). Covers everything I did to begin remotely monitoring Windows events, file integrity, network traffic, RAM, web application and database logs, including writing NIDS and SIEM rules.

Requirements

Recommended for Windows: 7zip, Wireshark and Notepad++.

I used WinMerge for diff tables.

1. Setup Virtual Machines and Operating Systems

Hardware, operating system, network interface and time protocol for each VM.

1.1. Ubuntu Desktop (SIEM) Setup

Download ubuntu-22.04.5-desktop-amd64.iso from https://www.releases.ubuntu.com/22.04/.

Create VM

Run VMWare New Virtual Machine Wizard and choose:

Install Ubuntu Linux

Boot the VM and choose:

When prompted to remove installation media, disconnect the CD Drive and reboot the machine again:

Install security updates when prompted.

Configure Ubuntu Linux

To set a static IP address [1], open a Terminal and enter:

sudo su

apt install net-tools

ifconfig #Note the second interface name

ls /etc/netplan #Note the file name

# Edit /etc/netplan/01-network-manager-all.yaml to add the following lines:

echo -e "  ethernets:\n    ens34:\n      dhcp4: no\n      addresses: [10.10.1.10/24]" >> /etc/netplan/01-network-manager-all.yaml

netplan apply

# To set up an NTP server for the lab subnet:

apt install ntp -y

# The stock ntp.conf already syncs from the Ubuntu pool and answers clients. Add a local-clock fallback so the server keeps serving time to the lab even when it has no upstream, and explicitly allow the SIEM subnet (pointing the server at its own address 10.10.1.10 does nothing useful):

echo -e "server 127.127.1.0\nfudge 127.127.1.0 stratum 10\nrestrict 10.10.1.0 mask 255.255.255.0 nomodify notrap" >> /etc/ntp.conf

systemctl restart ntp

# Verify the peers are listed (LOCAL(0) plus any reachable pool servers):

ntpq -p

1.2. Windows Server Setup

Download Windows_Server_2016_Datacenter_EVAL_en-us_14393_refresh.ISO from https://www.microsoft.com/en-us/evalcenter/download-windows-server-2016.

Create VM

Run VMWare New Virtual Machine Wizard and choose:

Install Windows Server

Boot the VM, install windows and choose:

Log in to the Windows desktop and then disconnect the ISO from the VM CD drive. Allow PC to be discoverable when prompted.

Configure Windows Server

To set a static IPv4 address [2], firewall rules [3] and NTP [4] for the SIEM subnet, open PowerShell and run:

ipconfig

Get-NetAdapter #Note the ifIndex number of the SIEM-subnet adapter

New-NetIPAddress -InterfaceIndex 2 -IPAddress 10.10.1.20 -PrefixLength 24

# Create firewall rules for inbound and outbound connections on SIEM subnet:

New-NetFirewallRule -DisplayName "SIEM In" -Direction Inbound -Action Allow -RemoteAddress 10.10.1.0/24 -Enabled True

New-NetFirewallRule -DisplayName "SIEM Out" -Direction Outbound -Action Allow -RemoteAddress 10.10.1.0/24 -Enabled True

# Configure NTP to use Ubuntu SIEM as server:

w32tm /config /syncfromflags:manual /manualpeerlist:"10.10.1.10" /reliable:YES /update

Restart-Service w32time

w32tm /resync

Set-TimeZone -Name "Eastern Standard Time"

# Verify the NTP source is 10.10.1.10:

w32tm /query /status

1.3. Kali Attack Box Setup

Download kali-linux-2025.2-installer-amd64.iso from https://www.kali.org/get-kali/#kali-installer-images.

Create VM

Run VMWare New Virtual Machine Wizard and choose:

Install Kali Linux

Boot the VM and choose:

When prompted to remove installation media after rebooting, disconnect the CD Drive and reboot the machine again.

Configure Kali Linux

Open a Terminal,

# Configure network interfaces:

sudo su

ip addr show #Note the interface names

# Edit /etc/network/interfaces to add these lines:

echo -e "\nauto eth0\niface eth0 inet dhcp\n\nauto eth1\niface eth1 inet static\n\taddress 10.10.1.30\n\tnetmask 255.255.255.0\n" >> /etc/network/interfaces

systemctl restart networking

# Configure NTP to use Ubuntu-SIEM as server in /etc/systemd/timesyncd.conf, then restart the time service so the edit takes effect:

sed -i 's/^#NTP=/NTP=10.10.1.10/' /etc/systemd/timesyncd.conf

systemctl restart systemd-timesyncd

timedatectl set-ntp true

# Verify the NTP server is 10.10.1.10:

timedatectl timesync-status

After installing Kali, disconnect the NAT interface to prevent accidentally attacking the wrong network. Verify that all VMs now have synchronized time and can ping each other.

2. Setup Applications

Installing, configuring and testing apps.

2.1. FTP with IIS on Windows Server

On Windows Server, run PowerShell to install and configure FTP [5].

# Install IIS Manager and FTP Server:

Install-WindowsFeature -name Web-Server, Web-FTP-Server -IncludeManagementTools

# Create FTP Site called "IIS-FTP":

mkdir C:\inetpub\ftproot

New-WebFtpSite -Name "IIS-FTP" -Port 21 -PhysicalPath "C:\inetpub\ftproot"

# Firewall rule for inbound FTP traffic:

New-NetFirewallRule -DisplayName "FTP Port 21" -Direction Inbound -Protocol TCP -Action Allow -LocalPort 21

# Allow unencrypted FTP (the site path must match the name given to New-WebFtpSite, i.e. IIS:\Sites\IIS-FTP):

Set-ItemProperty "IIS:\Sites\IIS-FTP" -Name "ftpServer.security.ssl.controlChannelPolicy" -Value 0

Set-ItemProperty "IIS:\Sites\IIS-FTP" -Name "ftpServer.security.ssl.dataChannelPolicy" -Value 0

# Enable basic authentication for FTP and authorize all users to read and write:

Set-ItemProperty "IIS:\Sites\IIS-FTP" -Name ftpServer.security.authentication.basicAuthentication.enabled -Value $true

Add-WebConfiguration -PSPath IIS:\ -Filter "/system.ftpServer/security/authorization" -Value @{accessType="Allow"; users="*"; permissions="Read,Write"} -Location "IIS-FTP"

# Restart FTP Site:

Restart-WebItem "IIS:\Sites\IIS-FTP"

Run inetmgr to verify (or make) these changes. Ensure that FTP to 10.10.1.20 as Administrator / Pa$$w0rd works from Kali and Ubuntu:

Default location for IIS logs: C:\inetpub\logs\LogFiles\ (one subfolder per site, e.g. FTPSVC2 for the FTP site and W3SVC1 for the default web site).

2.2. Vulnerable Web App with XAMPP

On Windows Server, download and run xampp-windows-x64-8.2.12-0-VS16-installer.exe from https://www.apachefriends.org/download.html. After installing, run the XAMPP Control Panel at C:\xampp\xampp-control.exe and start Apache and MySQL.

Default locations for XAMPP logs: C:\xampp\apache\logs\ (access.log and the other *.log files) and C:\xampp\mysql\data\mysql_error.log.

Download/clone DVWA-master from https://github.com/digininja/DVWA [6]. Extract to C:\xampp\htdocs and rename the folder to dvwa. Rename C:\xampp\htdocs\dvwa\config\config.inc.php.dist to config.inc.php and edit it to set the db username and password to root / '' (XAMPP's MySQL root account has an empty password by default):

Left: C:\xampp\htdocs\dvwa\config\config.inc.php.dist (Mon Aug 18 14:04:18 2025)
Right: C:\xampp\htdocs\dvwa\config\config.inc.php (Sun Aug 17 21:41:46 2025)

Line 19
  unchanged: $_DVWA[ 'db_database' ] = getenv('DB_DATABASE') ?: 'dvwa';
  original:  $_DVWA[ 'db_user' ]     = getenv('DB_USER') ?: 'dvwa';
  edited:    $_DVWA[ 'db_user' ]     = getenv('DB_USER') ?: 'root';
  original:  $_DVWA[ 'db_password' ] = getenv('DB_PASSWORD') ?: 'p@ssw0rd';
  edited:    $_DVWA[ 'db_password' ] = getenv('DB_PASSWORD') ?: '';
  unchanged: $_DVWA[ 'db_port']      = getenv('DB_PORT') ?: '3306';

Browse to http://localhost/phpmyadmin/ and create a new database called dvwa.

Browse to http://localhost/dvwa/setup.php and click Create/Reset Database at the page bottom. Log in to DVWA with admin / password, find DVWA Security in the nav panel and set the security level to Low. This is important for simple web app attacks.

Now http://10.10.1.20/dvwa/ can be visited (and attacked) from Kali.

2.3. Wazuh SIEM on Ubuntu Desktop

On Ubuntu SIEM, open a Terminal and install Wazuh [7] :

sudo su

apt install curl

curl -sO https://packages.wazuh.com/4.12/wazuh-install.sh && bash ./wazuh-install.sh -a

# When the installation finishes, note the admin credentials (they can be printed again from the install archive):

tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

# Disable automatic updates for Wazuh (to prevent anything from breaking):

sed -i "s/^deb /#deb /" /etc/apt/sources.list.d/wazuh.list

apt update

# Check the status of Wazuh processes:

systemctl status wazuh-manager

systemctl status wazuh-indexer

systemctl status wazuh-dashboard

Browse to https://10.10.1.10 and log in to the Wazuh Web Interface.

2.4. Wazuh Agent on Ubuntu and Windows

On Ubuntu SIEM, browse to https://10.10.1.10 and log in with Wazuh credentials. From the Wazuh overview, click “Deploy new agent”:

Enter the IP of Ubuntu SIEM and copy the command it provides…

On Windows Server,

# Write or paste the Invoke-WebRequest command from Wazuh into Powershell:

Invoke-WebRequest -Uri https://packages.wazuh.com/4.x/windows/wazuh-agent-4.12.0-1.msi -OutFile $env:tmp\wazuh-agent; msiexec.exe /i $env:tmp\wazuh-agent /q WAZUH_MANAGER='10.10.1.10'

# Start Wazuh Agent:

net start WazuhSvc

# Verify the Wazuh Agent is active by running services.msc. Restart the Wazuh Service anytime to reload configurations with:

Restart-Service -Name wazuh

# or

net stop WazuhSvc

net start WazuhSvc

On Ubuntu SIEM, in the Wazuh Web Interface, optionally create a new group and add the agent [8], then edit the group configuration:

Add this code to agent.conf [9][10][11][12][13] :

<!-- Reduce alert flooding from the agent: -->
<client_buffer>
  <disabled>no</disabled>
  <queue_size>100</queue_size>
  <events_per_second>10</events_per_second>
</client_buffer>

<!-- File Integrity Monitoring for XAMPP and select registries: -->
<syscheck>
  <frequency>300</frequency>
  <directories realtime="yes">C:\xampp\htdocs\dvwa</directories>
  <ignore>C:\xampp\htdocs\dvwa\database</ignore>
  <windows_registry report_changes="yes">HKEY_LOCAL_MACHINE\SYSTEM\Setup</windows_registry>
  <windows_registry report_changes="yes">HKEY_USERS\*</windows_registry>
  <registry_ignore>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services</registry_ignore>
</syscheck>

<!-- Collect Snort IDS alerts: -->
<localfile>
  <frequency>30</frequency>
  <log_format>snort-fast</log_format>
  <location>C:\Snort\log\alert.ids</location>
</localfile>

<!-- Apache and MySQL logs: -->
<localfile>
  <frequency>30</frequency>
  <location>C:\xampp\apache\logs\*.log</location>
  <log_format>apache</log_format>
</localfile>
<localfile>
  <frequency>30</frequency>
  <location>C:\xampp\mysql\data\mysql_error.log</location>
  <log_format>mysql_log</log_format>
</localfile>

<!-- IIS logs: -->
<localfile>
  <frequency>30</frequency>
  <location>C:\inetpub\logs\LogFiles\FTPSVC2\*.log</location>
  <log_format>iis</log_format>
</localfile>
<localfile>
  <frequency>30</frequency>
  <location>C:\inetpub\logs\LogFiles\W3SVC1\*.log</location>
  <log_format>iis</log_format>
</localfile>

Optionally, add <only-future-events>no</only-future-events> inside any <localfile> tags to always scan old logs. Thus, it will be unnecessary to generate new events for debugging. When the corresponding alerts appear in the SIEM, return here and set to yes.

On Ubuntu SIEM, configure a higher severity rule to stand out on the main dashboard, based on repeated failed logons. In the Wazuh Web Interface, find Server management > Rules in the left nav panel. Type local_rules into the search and click on the filename:

Add this code inside the tags [14][15] :

<rule id="100300" level="12" frequency="10" timeframe="60" ignore="300">
  <if_matched_sid>60122</if_matched_sid>
  <!-- Without <same_source_ip /> the ten failures are counted across all sources; add it to count per attacker. -->
  <description>10 logon failures (rule 60122) within 60 seconds</description>
  <group>authentication_failed,brute_force_delay</group>
</rule>
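An added Python example, not Wazuh's engine and not code from the original page: a small model of how a composite rule with frequency, timeframe and ignore behaves, run over constructed logon-failure events standing in for rule 60122 matches. It models only the documented window and ignore logic (Wazuh's own counting differs in detail; the rules syntax reference [15] documents the exact trigger count), and adds a same_source_ip switch so the difference between counting globally, as the rule above does, and counting per attacker can be seen. The event shapes, IPs and timings are constructed for this example.

```python
from collections import defaultdict, deque


class FrequencyRule:
    """Model of a Wazuh composite rule: fire when `frequency` matches of `parent_sid`
    arrive within `timeframe` seconds, then stay quiet for `ignore` seconds.
    same_source_ip=True counts per attacker (the <same_source_ip /> option);
    False counts every matching event together, as the rule on the page does."""

    def __init__(self, rule_id, level, parent_sid, frequency, timeframe, ignore,
                 description, same_source_ip=False):
        self.rule_id, self.level, self.parent_sid = rule_id, level, parent_sid
        self.frequency, self.timeframe, self.ignore = frequency, timeframe, ignore
        self.description, self.same_source_ip = description, same_source_ip
        self._window = defaultdict(deque)   # key -> timestamps of recent parent matches
        self._ignore_until = {}             # key -> time until which alerts are suppressed

    def _key(self, event):
        return event["srcip"] if self.same_source_ip else "*"

    def feed(self, event):
        """event: {'ts': int seconds, 'sid': int, 'srcip': str}. Returns an alert dict or None."""
        if event["sid"] != self.parent_sid:
            return None
        key, ts = self._key(event), event["ts"]
        if ts < self._ignore_until.get(key, 0):
            return None                      # inside the ignore window: suppressed
        q = self._window[key]
        q.append(ts)
        while q and ts - q[0] > self.timeframe:
            q.popleft()                      # drop matches older than the timeframe
        if len(q) >= self.frequency:
            q.clear()
            self._ignore_until[key] = ts + self.ignore
            return {"rule_id": self.rule_id, "level": self.level, "ts": ts,
                    "srcip": event["srcip"], "description": self.description}
        return None


def logon_failures(srcip, start, count, gap=1):
    """Constructed events standing in for Wazuh rule 60122 matches (Windows event 4625)."""
    return [{"ts": start + i * gap, "sid": 60122, "srcip": srcip} for i in range(count)]


def run(rule, events):
    return [a for a in (rule.feed(e) for e in sorted(events, key=lambda e: e["ts"])) if a]


def page_rule(same_source_ip=False):
    return FrequencyRule(100300, 12, 60122, frequency=10, timeframe=60, ignore=300,
                         description="10 logon failures (rule 60122) within 60 seconds",
                         same_source_ip=same_source_ip)


def demo():
    """Hydra-style burst from Kali: 30 failures in 30 s -> one level-12 alert at the
    tenth failure; the remaining twenty fall inside the 300 s ignore window."""
    return run(page_rule(), logon_failures("10.10.1.30", 0, 30))


def slow_attack():
    """12 failures spread 10 s apart never put 10 inside one 60 s window -> no alert."""
    return run(page_rule(), logon_failures("10.10.1.30", 0, 12, gap=10))


def mixed_sources():
    """5 failures each from two hosts: the page's rule (global count) fires once,
    the per-source variant with <same_source_ip /> does not fire at all."""
    events = logon_failures("10.10.1.30", 0, 5) + logon_failures("10.10.1.40", 0, 5)
    return len(run(page_rule(), events)), len(run(page_rule(True), events))


if __name__ == "__main__":
    print(demo())
    print(slow_attack())
    print(mixed_sources())
```

The mixed_sources() case is the one to think about before tuning the level: with ten failures counted globally, two quiet hosts misbehaving at the same time look like one brute force. Per-source counting trades that for missing a slow, distributed attack.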

By default, Wazuh-Manager also monitors the Ubuntu host it runs on and will already have generated some alerts under agent.name:cirsiem-virtual-machine. Disable these local scanners (rootcheck, syscollector, SCA, vulnerability detection and syscheck synchronization) and enable JSON archiving of every received event (logall_json on line 11, which is what fills /var/ossec/logs/archives/archives.json for the troubleshooting steps in section 3) with the following edits to /var/ossec/etc/ossec.conf:

Left: /var/ossec/etc/ossec.conf.original (Mon Aug 18 13:33:24 2025)
Right: /var/ossec/etc/ossec.conf (Thu Aug 21 16:40:31 2025)

Line 11 (global)
  unchanged: <logall>no</logall>
  original:  <logall_json>no</logall_json>
  edited:    <logall_json>yes</logall_json>
  unchanged: <email_notification>no</email_notification>

Line 42 (rootcheck)
  original:  <disabled>no</disabled>
  edited:    <disabled>yes</disabled>
  unchanged: <check_files>yes</check_files>

Line 84 (wodle name="syscollector")
  original:  <disabled>no</disabled>
  edited:    <disabled>yes</disabled>
  unchanged: <interval>1h</interval>

Line 101 (sca)
  original:  <enabled>yes</enabled>
  edited:    <enabled>no</enabled>
  unchanged: <scan_on_start>yes</scan_on_start>

Line 108 (vulnerability-detection)
  original:  <enabled>yes</enabled>
  edited:    <enabled>no</enabled>
  unchanged: <index-status>yes</index-status>

Line 179 (syscheck synchronization)
  original:  <enabled>yes</enabled>
  edited:    <enabled>no</enabled>
  unchanged: <interval>5m</interval>

Apply the configuration:

systemctl restart wazuh-manager

On Windows Server, the Wazuh Agent seems to pick up the new configuration on its own, but it can also be restarted from PowerShell to pull it immediately:

Restart-Service -Name wazuh

Jump to testing 3.1. Wazuh Config and verify this all works.

2.5. Snort NIDS on Windows Server

Download and run npcap-1.83.exe from https://npcap.com. Snort may require the Visual C++ Redistributables to run; anyway, I did install them [18]. Download and run Snort_2_9_20_Installer.x64.exe from https://snort.org/downloads. Download snortrules-snapshot-29200.tar.gz (requires a free Snort account) and extract it to C:\Snort, overwriting everything when prompted [17].

Before configuring, jump to testing 3.2. Snort in Sniffer Mode.

2.5.1. Configure Snort

Create folder C:\Snort\lib\snort_dynamicrules and copy files from C:\Snort\so_rules\precompiled\FC-36\x86-64\2.9.20.0. Modify C:\Snort\etc\snort.conf to run in Windows [19], as below:

Left: C:/Users/Administrator/Documents/snort.conf.original (Wed Aug 6 13:38:23 2025)
Right: C:/Snort/etc/snort.conf (Sat Aug 23 01:42:18 2025)

Line 44
  # Setup the network addresses you are protecting
  original: ipvar HOME_NET any
  edited:   ipvar HOME_NET 10.10.1.20

Line 103
  # such as:  c:\snort\rules
  original: var RULE_PATH ../rules
  edited:   var RULE_PATH C:\Snort\rules
  original: var SO_RULE_PATH ../so_rules
  edited:   var SO_RULE_PATH C:\Snort\so_rules
  original: var PREPROC_RULE_PATH ../preproc_rules
  edited:   var PREPROC_RULE_PATH C:\Snort\preproc_rules

Line 242
  # path to dynamic preprocessor libraries
  original: dynamicpreprocessor directory /usr/local/lib/snort_dynamicpreprocessor/
  edited:   dynamicpreprocessor directory C:\Snort\lib\snort_dynamicpreprocessor
  # path to base preprocessor engine
  original: dynamicengine /usr/local/lib/snort_dynamicengine/libsf_engine.so
  edited:   dynamicengine C:\Snort\lib\snort_dynamicengine\sf_engine.dll

Line 249
  # Set this path to where the compiled *.so binaries are installed
  original: #dynamicdetection directory /usr/local/lib/snort_dynamicrules
  edited:   dynamicdetection directory C:\Snort\lib\snort_dynamicrules

Line 261
  # Does nothing in IDS mode
  original: preprocessor normalize_ip4
  edited:   #preprocessor normalize_ip4
  original: preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
  edited:   #preprocessor normalize_tcp: block, rsv, pad, urp, req_urg, req_pay, req_urp, ips, ecn stream
  unchanged: #preprocessor normalize_icmp4
  original: preprocessor normalize_ip6
  edited:   #preprocessor normalize_ip6
  unchanged: #preprocessor normalize_icmp6

Line 289
  # HTTP normalization and anomaly detection.  For more information, see README.http_inspect
  original: preprocessor http_inspect: global iis_unicode_map unicode.map 1252 compress_depth 65535 decompress_depth 65535
  edited:   preprocessor http_inspect: global iis_unicode_map C:\Snort\etc\unicode.map 1252 compress_depth 65535 decompress_depth 65535
  unchanged: preprocessor http_inspect_server: server default \

Line 321
  unchanged: webroot no \
  original: decompress_swf { deflate lzma } \
  edited:   #decompress_swf { deflate lzma } \
  unchanged: decompress_pdf { deflate }

Line 411
  # Portscan detection.  For more information, see README.sfportscan
  original: # preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { low }
  edited:   preprocessor sfportscan: proto  { all } memcap { 10000000 } sense_level { high } logfile { portscan.log }

Line 514
  # Recommended for most installs
  original: # output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types
  edited:   output unified2: filename merged.log, limit 128, nostamp, mpls_event_types, vlan_event_types

Line 525
  unchanged: # output log_tcpdump: tcpdump.log
  added:    output alert_fast: alert.ids
  # metadata reference data.  do not modify these lines
  original: include classification.config
  edited:   include C:\Snort\etc\classification.config
  original: include reference.config
  edited:   include C:\Snort\etc\reference.config

Line 715
  # Event thresholding or suppression commands. See threshold.conf
  original: include threshold.conf
  edited:   include C:\Snort\etc\threshold.conf

XSS code is typically injected in HTTP POST data and so won’t appear in the Apache access logs. Fortunately, the web-attacks.rules file in Snort’s snapshot archive is empty, so I got to write one!

On Windows Server, capture an XSS attack with Wireshark to characterize the packets:

The rule needs two things: the HTTP POST method and </script in the body, which the form URL-encodes as %3C%2Fscript. In the Wireshark capture the method sits at frame bytes 66-69 (14 bytes of Ethernet, 20 of IP and 32 of TCP headers), but Snort's offset and depth modifiers count from the first byte of the TCP payload, not the frame, and apply to the content they follow [21]. An offset:66 placed after the %3C%2Fscript content therefore only skips the first 66 bytes of the request (which happens to work because the form body comes well after that) and says nothing about where POST is matched. The rule below anchors POST to the first four payload bytes with depth:4 and searches the rest of the payload for the tag. Rules to add in C:\Snort\rules\local.rules (local sids start at 1000000; the threshold rule option is deprecated in Snort 2.9 in favour of detection_filter but is still accepted, with a warning) [20][21][26]:

# Detect XSS (in HTTP POST data)

alert tcp any any -> $HOME_NET any (msg:"Cross Site Scripting (XSS)"; flow:to_server,established; content:"POST"; depth:4; content:"%3C%2Fscript"; nocase; sid:1000005; rev:1;)

# Detect SYN scan

alert tcp any any -> $HOME_NET any (msg:"SYN Scan"; flags:S; threshold: type both, track by_src, count 50, seconds 60; sid:1000001; rev:1;)

# Detect UDP scan

alert udp any any -> $HOME_NET any (msg:"UDP Scan"; threshold: type both, track by_src, count 25, seconds 60; sid:1000002; rev:1;)

# Detect XMAS scan (FIN, PSH, URG)

alert tcp any any -> $HOME_NET any (msg:"XMAS scan"; flags:FPU; threshold: type both, track by_src, count 50, seconds 60; sid:1000003; rev:1;)

# Detect NULL scan (no flags set)

alert tcp any any -> $HOME_NET any (msg:"NULL scan"; flags:0; threshold: type both, track by_src, count 50, seconds 60; sid:1000004; rev:1;)
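An added Python example, not Snort's code and not from the original page: a small evaluator for the subset of rule options the local rules rely on (flags, content with offset and depth measured from the payload start, and threshold type both / track by_src), run over constructed packets. The sids in it are labels for this evaluator only; the 50 SYN packets, the NULL packets and the DVWA POST are constructed, not captured. demo() runs the five rules against that traffic, and offset_pitfall() shows why an offset copied from Wireshark frame bytes misses a short request.

```python
from collections import defaultdict


class Rule:
    """One Snort-style rule: proto + optional flags + content list + optional threshold."""

    def __init__(self, sid, msg, proto, flags=None, contents=(), threshold=None):
        self.sid, self.msg, self.proto, self.flags = sid, msg, proto, flags
        self.contents = list(contents)    # (needle bytes, offset, depth or None)
        self.threshold = threshold        # (count, seconds): 'type both, track by_src'
        self._win = {}                    # srcip -> [window_start, count, alerted]

    def _flags_match(self, pkt):
        if self.flags is None:
            return True
        want = set() if self.flags == "0" else set(self.flags)
        return set(pkt["flags"]) == want      # 'flags:S' = exactly SYN, 'flags:0' = none

    def _content_match(self, payload):
        # offset/depth are measured from the start of the TCP/UDP payload, not the frame
        for needle, offset, depth in self.contents:
            end = len(payload) if depth is None else offset + depth
            if payload.find(needle, offset, end) < 0:
                return False
        return True

    def _threshold_ok(self, pkt):
        if self.threshold is None:
            return True
        count, seconds = self.threshold
        w = self._win.setdefault(pkt["src"], [pkt["ts"], 0, False])
        if pkt["ts"] - w[0] >= seconds:       # fixed window per source address
            w[:] = [pkt["ts"], 0, False]
        w[1] += 1
        if w[1] >= count and not w[2]:        # 'type both': one alert per window once count is hit
            w[2] = True
            return True
        return False

    def evaluate(self, pkt):
        if pkt["proto"] != self.proto or not self._flags_match(pkt):
            return None
        if not self._content_match(pkt.get("payload", b"")):
            return None
        if not self._threshold_ok(pkt):
            return None
        return f"[1:{self.sid}:1] {self.msg} from {pkt['src']}"


def local_rules():
    """The five local rules, expressed for this evaluator (sids are labels here)."""
    return [
        Rule(1000001, "SYN Scan", "tcp", flags="S", threshold=(50, 60)),
        Rule(1000002, "UDP Scan", "udp", threshold=(25, 60)),
        Rule(1000003, "XMAS scan", "tcp", flags="FPU", threshold=(50, 60)),
        Rule(1000004, "NULL scan", "tcp", flags="0", threshold=(50, 60)),
        Rule(1000005, "Cross Site Scripting (XSS)", "tcp", flags="AP",
             contents=[(b"POST", 0, 4), (b"%3C%2Fscript", 0, None)]),
    ]


def pkt(ts, src, proto="tcp", flags="", payload=b""):
    return {"ts": ts, "src": src, "proto": proto, "flags": flags, "payload": payload}


def run(rules, packets):
    alerts = []
    for p in packets:
        for r in rules:
            a = r.evaluate(p)
            if a:
                alerts.append(a)
    return alerts


# Constructed traffic: an nmap-style SYN sweep, a NULL scan below the count, one DVWA POST.
ATTACKER = "10.10.1.30"
POST = (b"POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1\r\nHost: 10.10.1.20\r\n\r\n"
        b"txtName=a&mtxMessage=%3Cscript%3Ealert(1)%3C%2Fscript%3E&btnSign=Sign+Guestbook")


def demo():
    packets = [pkt(t, ATTACKER, flags="S") for t in range(50)]          # 50 SYNs in 50 s
    packets += [pkt(100 + t, ATTACKER, flags="") for t in range(49)]    # 49 NULLs: under count
    packets.append(pkt(200, ATTACKER, flags="AP", payload=POST))
    return run(local_rules(), packets)


def offset_pitfall():
    """'offset:66' skips the first 66 payload bytes, so a short request whose body
    starts earlier is missed even though it carries </script; depth:4 on POST is not."""
    short = b"POST /x HTTP/1.1\r\nHost: h\r\n\r\nm=%3C%2Fscript%3E"
    anchored = Rule(1, "xss", "tcp", contents=[(b"POST", 0, 4), (b"%3C%2Fscript", 0, None)])
    skewed = Rule(2, "xss", "tcp", contents=[(b"POST", 0, None), (b"%3C%2Fscript", 66, None)])
    p = pkt(0, ATTACKER, flags="AP", payload=short)
    return anchored.evaluate(p) is not None, skewed.evaluate(p) is not None


if __name__ == "__main__":
    print("\n".join(demo()))
    print(offset_pitfall())
```

The evaluator is deliberately literal about flags:S meaning "exactly SYN", which is why a normal handshake's SYN/ACK replies never count toward the scan threshold, and about the fixed per-source window of threshold type both, which is why 49 packets in one window and 49 in the next never fire.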

Jump to testing 3.3. Snort in IDS mode.

2.5.2. Snort as a Service

Snort doesn't signal the Windows Service Control Manager when it has started successfully, so the SCM eventually terminates it even though it is functioning fine. A common workaround is the Non-Sucking Service Manager (NSSM). Download NSSM from https://nssm.cc/download, extract the contents to C:\Program Files\, and run in PowerShell:

cd 'C:\Program Files\nssm-2.24\win64'

./nssm.exe install Snort

The NSSM GUI will appear; populate the fields with the same executable and arguments used in 3.3 (snort.exe from C:\Snort\bin with its -i, -l and -c arguments):

Make sure Startup Type is set to Automatic. Verify the service details by running services.msc and inspecting "Snort". Restart the Windows operating system and verify that Wazuh is still getting IDS alerts. Note what Wazuh itself reported about this:

2.6. Volatility on Ubuntu

On Ubuntu SIEM,

# Download and install Volatility:

cd /home/cir-siem

apt install python3.10-venv

apt install git

git clone https://github.com/volatilityfoundation/volatility3.git

cd volatility3

python3 -m venv venv && . venv/bin/activate

pip install .

deactivate

# Download the Windows symbol table pack into the package's symbols directory (wget -O, capital O, sets the output file; lowercase -o only redirects wget's log):

wget -O ./volatility3/symbols/windows.zip https://downloads.volatilityfoundation.org/volatility3/symbols/windows.zip

Jump to testing 3.4. Volatility Memory Analysis.

3. Testing

3.1. Wazuh Config

The Wazuh Discover tab should be populating with events; otherwise the SIEM is broken:

Some of the alert categories generated by the Windows agent, in wazuh-alerts-* index:

Absence of these alerts indicates a problem in agent.conf or with the Wazuh Agent.

Query the Discover tab with these group names, for instance [16] :

Realtime file integrity:

agent.ip: 10.10.1.20 and syscheck.mode: realtime

General file integrity:

agent.ip: 10.10.1.20 and rule.groups: syscheck

Snort IDS alerts (once Snort is running):

agent.ip: 10.10.1.20 and rule.groups: ids

Just the XMAS scans:

full_log:*xmas*

Wazuh will also alert when log files are tampered with:

Wazuh can already alert for SQL injections, based on the Apache access logs:

3.1.1. SQL Injection

On Windows Server, make sure Apache and MySQL are running in XAMPP.

On Kali Attack Box, browse to http://10.10.1.20/dvwa/vulnerabilities/sqli/ (log in with admin / password). In the User ID field, enter ‘ or 1=1 -- -

On Ubuntu SIEM, check the discover tab for an SQL injection alert.

If an alert does not appear, troubleshoot to identify the problem:

On Windows Server, the file C:\xampp\apache\logs\access.log should contain the SQLi pattern, otherwise there is a problem with Apache.

Files in C:\Program Files (x86)\ossec-agent\logs should reference the Apache access log, otherwise there is a problem with the Wazuh Agent (likely agent.conf).

On Ubuntu SIEM, the file /var/ossec/logs/archives/archives.json should also contain the SQLi pattern, otherwise there is a problem with Wazuh-Manager (likely ossec.conf) [25].
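An added Python example, not Wazuh's decoder or rule and not code from the original page, covering both the access.log check in this troubleshooting chain and the earlier point (2.5.1) that POST bodies never reach Apache's access log: it parses two constructed Apache access.log lines shaped like what XAMPP writes for the DVWA SQLi GET and the stored-XSS POST, URL-decodes the query string and flags classic SQLi tokens. The log lines and the token list are constructed for this example; real XAMPP lines also carry referer and user-agent fields, which the parser does not need.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Leading fields of the Apache combined log format; trailing referer/user-agent are ignored.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed token list, not Wazuh's regex: enough to catch the DVWA low-level payload.
SQLI_TOKENS = ("' or ", "'or ", " or 1=1", "union select", "--", "/*", "'#")


def parse_line(line):
    """Return the parsed fields plus the URL-decoded query string, or None if not a log line."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["query"] = unquote_plus(urlsplit(rec["url"]).query)
    return rec


def sqli_suspect(rec):
    q = rec["query"].lower()
    return any(tok in q for tok in SQLI_TOKENS)


# Constructed sample: the SQLi GET from 3.1.1 and the stored-XSS POST from 3.3.1.
SAMPLE = (
    '10.10.1.30 - - [18/Aug/2025:14:10:02 -0400] '
    '"GET /dvwa/vulnerabilities/sqli/?id=%27+or+1%3D1+--+-&Submit=Submit HTTP/1.1" 200 5120\n'
    '10.10.1.30 - - [18/Aug/2025:14:12:45 -0400] '
    '"POST /dvwa/vulnerabilities/xss_s/ HTTP/1.1" 200 4983\n'
)


def scan(text):
    """Return (ip, method, decoded query) for every line that looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and sqli_suspect(rec):
            hits.append((rec["ip"], rec["method"], rec["query"]))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The GET line decodes to id=' or 1=1 -- -, which is why a rule keyed on the access log can see the injection; the POST line records only the path, so the script tag in the XSS form body is invisible here and has to be caught on the wire by Snort or in the DVWA database by FIM.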

3.1.2. Brute Force Attack

On Kali attack box, perform an FTP brute force attack against Windows Server with Hydra:

hydra -l administrator -P /usr/share/wordlists/dirb/common.txt ftp://10.10.1.20

Let Hydra run for a few seconds, then terminate (Ctrl+C).

On Ubuntu SIEM, there should be a bunch of low-severity “Logon Failure” alerts and one new high-severity alert based on the rule added to local_rules.xml:


Otherwise, on Windows Server, check that FTP is working, capture the attack with Wireshark and use Event Viewer to confirm that the Security log contains the failed logons (event ID 4625). The ossec-agent logs should contain:

On Ubuntu SIEM, /var/ossec/logs/archives/archives.json should be full of “Logon Failure”.

Return to 2.5. Snort NIDS.

3.2. Snort in Sniffer Mode

On Windows Server, run Snort in sniffer mode from PowerShell (-v prints the IP and TCP/UDP/ICMP headers, -d adds the packet payload):

cd C:\Snort\bin

./snort -W #Note the interface index number

./snort -vd -i 2

On Kali attack box, ping Windows Server.

On Windows Server, observe Snort output showing the ping:

Return to 2.5.1. Configure Snort.

3.3. Snort in IDS mode

On Windows Server, activate Snort in IDS mode:

cd C:\Snort\bin

./snort -W #Note the interface index number

./snort -i 2 -l ..\log -c ..\etc\snort.conf

# After a slew of warnings, it should say “Commencing packet processing”:

On Kali attack box, scan the Windows VM:

nmap -sX -p 22-180 10.10.1.20

nmap -sN -p 22-180 10.10.1.20

nmap -sS -p 22-180 10.10.1.20

nmap -sU -p 22-180 10.10.1.20

Check the Wazuh Discover tab for alerts.

If these IDS events are missing from the SIEM, troubleshoot Snort along the same chain of logs:

On Windows Server, check C:\Snort\log\alert.ids:

Check the latest files in C:\Program Files (x86)\ossec-agent\logs\ to see which files the agent is analyzing [22]. Look for something like:

On Ubuntu SIEM, search /var/ossec/logs/archives/archives.json for the Snort alerts:

3.3.1. Generate XSS Alerts

On Windows Server, make sure Apache and MySQL are running in XAMPP.

On Kali attack box, browse to http://10.10.1.20/dvwa/vulnerabilities/xss_s/ (log in with admin / password). Populate the form with any name and some javascript in the message:

Of course it shows up in the SIEM:

But in case it doesn't, follow the same chain of logs as with the previous Snort troubleshooting. There should be an alert in C:\Snort\log\alert.ids, otherwise Snort is faulty. The Wazuh Agent should log that it is analyzing alert.ids in C:\Program Files (x86)\ossec-agent\logs\. On Ubuntu, /var/ossec/logs/archives/archives.json should contain the alert if ossec.conf is working correctly:

Return to 2.5.2. Snort as a Service.

3.4. Volatility Memory Analysis

On Windows Server, download Comae-Toolkit-v20230117.zip (DumpIt) from https://www.magnetforensics.com/resources/magnet-dumpit-for-windows/ and extract to C:\DumpIt\. Generate a memory dump in PowerShell, output to IIS FTP root:

C:\DumpIt\x64\DumpIt.exe /O C:\inetpub\ftproot\WIN.dmp

Restart the FTP site before switching VMs, otherwise it will probably botch the next step:

Restart-WebItem “IIS:\Sites\IIS-FTP”

On Ubuntu SIEM, Download the DMP file [23][24] :

cd /home/cir-siem/volatility3

wget --user=administrator --password='Pa$$w0rd' ftp://10.10.1.20/WIN.dmp -O WIN.dmp

# Compute the hash and compare it with Get-FileHash -Algorithm SHA256 C:\inetpub\ftproot\WIN.dmp on Windows Server; the transfer was plain FTP and the dump is evidence:

sha256sum WIN.dmp

# Extract artifacts (the venv already exists from 2.6, so just activate it):

. venv/bin/activate

vol -f WIN.dmp windows.info #Image info

The first time Volatility runs it has to build its symbol caches, which can take a few minutes. More useful commands:

vol -h #List available plugins

vol -f WIN.dmp windows.pslist #Running processes

vol -f WIN.dmp windows.cmdline #Command line arguments

vol -f WIN.dmp windows.netscan #Active ports

vol -f WIN.dmp windows.shimcachemem #ShimCache

vol -f WIN.dmp windows.hivelist #List registry hives

Show registry keys:

vol -f WIN.dmp windows.registry.printkey

Use -h to get help with a specific module:

vol -f WIN.dmp windows.registry.printkey -h

Tells us there is a --recurse option:

vol -f WIN.dmp windows.registry.printkey --recurse

Okay that one never stops. :p Here’s a better one. First get the PID of Windows Defender:

vol -f WIN.dmp windows.pslist | grep msmpeng -i

Then, list DLLs used by that PID only:

vol -f WIN.dmp windows.dlllist --pid 2008

P.S. For encrypted FTP traffic, do this: https://learn.microsoft.com/en-us/iis/manage/configuring-security/how-to-set-up-ssl-on-iis.

Appendix A. Credentials

System                     Username        Password
Ubuntu OS                  cir-siem        password
Windows OS                 administrator   Pa$$w0rd
Kali OS                    kali            kali
Wazuh Web Interface        admin           (auto generated at install)
MySQL (XAMPP)              root            (empty)
Damn Vulnerable Web App    admin           password

References

[1]
Strakulski, Robert. “How to Install NTP Server in Ubuntu 24.04.” STORDIS Support Portal, Apr. 2025, support.stordis.com/hc/en-us/articles/25855155879325-How-to-install-NTP-server-in-Ubuntu-24-04.
[2]
“NetTCPIP Module.” Microsoft Learn, learn.microsoft.com/en-us/powershell/module/nettcpip/?view=windowsserver2016-ps.
[3]
“New-NetFirewallRule (Netsecurity).” Microsoft Learn, learn.microsoft.com/en-us/powershell/module/netsecurity/new-netfirewallrule?view=windowsserver2016-ps.
[4]
“Configure NTP Server in PowerShell: A Quick Guide.” Powershell Commands, 17 Aug. 2024, powershellcommands.com/powershell-set-ntp-server.
[5]
“IISAdministration Module.” Microsoft Learn, learn.microsoft.com/en-us/powershell/module/iisadministration/?view=windowsserver2016-ps.
[6]
Admin. “How to Install DVWA on Windows Using XAMPP.” TechArry, 11 June 2025, techarry.com/how-to-install-dvwa-on-windows-using-xampp/.
[7]
Wazuh. “Quickstart · Wazuh Documentation.” Wazuh Documentation, documentation.wazuh.com/current/quickstart.html.
[8]
Wazuh. “Grouping Agents - Wazuh Agent Administration.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/agent/agent-management/grouping-agents.html.
[9]
Wazuh. “Centralized Configuration (Agent.Conf).” Wazuh Documentation, documentation.wazuh.com/current/user-manual/reference/centralized-configuration.html.
[10]
Wazuh. “WAZUH Agent Queue.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/agent/agent-management/antiflooding.html.
[11]
Wazuh. “Windows Registry Monitoring.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/capabilities/file-integrity/windows-registry-monitoring.html.
[12]
Wazuh. “Syscheck.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/reference/ossec-conf/syscheck.html.
[13]
Wazuh. “Log Data Collection.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/index.html.
[14]
Wazuh. “Custom Rules.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/ruleset/rules/custom.html.
[15]
Wazuh. “Rules Syntax.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/ruleset/ruleset-xml-syntax/rules.html.
[16]
“Dashboards Query Language (DQL).” OpenSearch Documentation, 18 Aug. 2025, opensearch.org/docs/2.19/dashboards/dql.
[17]
“Snort Users Manual 2.9.16.” SNORT Users Manual 2.9.16, manual-snort-org.s3-website-us-east-1.amazonaws.com/.
[18]
MMOX. “How to Install and Configure Snort on Windows.” LetsDefend, 6 Sept. 2024, letsdefend.io/blog/how-to-install-and-configure-snort-on-windows.
[19]
Huang, Andy. “Step-by-Step Snort IDS Setup Guide for Windows: Configure, Detect, and Analyze Network Intrusions.” Ax3soft, 31 Jan. 2025, www.ids-sax2.com/step-by-step-snort-ids-setup-guide-for-windows-configure-detect-and-analyze-network-intrusions/.
[20]
“Snort 3 Rule Writing Guide.” Alert Logging - Snort 3, docs.snort.org/start/alert_logging.
[21]
Esler, Joel. “Offset, Depth, Distance, and Within.” JoelEsler.Net, 2 Mar. 2010, blog.joelesler.net/2010/03/offset-depth-distance-and-within.html.
[22]
Wazuh. “Configuration for Monitoring Log Files.” Wazuh Documentation, documentation.wazuh.com/current/user-manual/capabilities/log-data-collection/monitoring-log-files.html.
[23]
Pearson, Ashley. “Volatility 3 CheatSheet.” Onfvp, 10 May 2021, blog.onfvp.com/post/volatility-cheatsheet/.
[24]
Agphyowai. “How to Analyze Windows Memory Dumps with Volatility 3.” Medium, 24 Apr. 2025, medium.com/@agphyowai/how-to-analyze-windows-memory-dumps-with-volatility-3-bfaeac48c057.
[25]
“Log Collection and Analysis: Wazuh/Wazuh.” DeepWiki, deepwiki.com/wazuh/wazuh/4.4-log-collection-and-analysis.
[26]
Mookhey, K. K., and Nilesh Burghate. “Detection of SQL Injection and Cross-Site Scripting Attacks.” Blackhat, https://www.blackhat.com/presentations/bh-usa-04/bh-us-04-mookhey/old/bh-us-04-mookhey_whitepaper.pdf.