2022 5th International Seminar on Research of Information Technology and Intelligent Systems (ISRITI)

The Analysis of Attacks Against Port 80

Webserver with SIEM Wazuh Using Detection and
OSCAR Methods
1st Tri Suryantoro 2nd Bambang Purnomosidi D.P. 3rd Widyastuti Andriyani
Student, Master in Information Master in Information Technology Master in Information Technology
2022 5th International Seminar on Research of Information Technology and Intelligent Systems (ISRITI) | 978-1-6654-5512-1/22/$31.00 ©2022 IEEE | DOI: 10.1109/ISRITI56927.2022.10052950

Technology Universitas Teknologi Digital Universitas Teknologi Digital

Universitas Teknologi Digital Indonesia Indonesia
Indonesia Yogyakarta, Indonesia Yogyakarta, Indonesia
Yogyakarta, Indonesia [email protected] [email protected]
[email protected]

Abstract—The existence of the internet in the company leads The security hacking technique on port 80 causes hackers
data and information exchange activities easier. The ease to to easily take over the system. This creates openness to access
obtain company data and information which is not accompanied personal data as well as important company data that should
by information security awareness results in the emergence of not be known by others. Hacker is someone who has the
data leaks and lateral movements. Companies are required to ability in programming and computer networks. The rapid
ensure reliable and secure network security to protect development of hacking technology makes hackers smarter
information technology assets from hacking. SIEM assists the in carrying out patterns of hacking activities, exploiting the
companies and security officers to monitor attacks, find weaknesses of ports for personal gain. Seeing this condition
vulnerabilities and analyze attacks. This study applies a
as soon as possible to secure the port and if it is ignored, the
network forensic approach with OSCAR and detection methods
to determine the effectiveness of SIEM wazuh performance
data and information owned by the company can suffer losses
against port 80 attacks on the web server. The attack testing caused by hackers. The webserver has port 80 to distribute
stages of port scanning and http directory scanning, the web request services (Requests) in the form of HTTP protocol
server service still looks normal or no 404 error message is found web pages from clients known as browsers, this is where a
in the browser. The deviation of attack detection in this study is loophole can be infiltrated by a hacker without realizing the
1.402 seconds. The existence of SIEM Wazuh is able to assist webserver owner. It is used as a launch-pad for wider attacks
security officers in monitoring company data security and without being fully aware of the owner or information
securing company IT assets. manager.

Keywords—network security, web server, siem wazuh, lateral Solving security threat problems in the company by
movement, intrusion detection complying with applicable security regulations such as
implementing Vulnerability Assessment, Penetration Testing
I. INTRODUCTION and analyzing attacks, proven to be a guarantor of cyber
security in the company[3]. This study will test port 80 on a
In the current era, the security of company information
web server with SIEM in overcoming data security problems.
technology assets should be protected and guarded from
Monitoring and analyzing data using OSCAR (Obtain
hacking. Data and information can be felt by the company
Information, Strategies, Collect Evidence, Analyze and
and the people in it when the data and information are used
Report), by simplifying it into Attacking and Analysis
as policy directions to make better performance. Data and
according to the network needs[4], to determine the
information have a very close relationship with each other,
effectiveness of SIEM wazuh performance related to data
without data, information cannot be created and without
security against hacker attacks. Besides, this research is
information, data becomes useless. Therefore the protection
expected to help security officers in monitoring IT assets and
of data and information within the company is very
observing attack patterns in real time.
important.
The ease of obtaining data and information which is not II. THEORETICAL REVIEW
accompanied by information security awareness can A. Penetration Testing
stimulate to hacking techniques whose development is
increasingly advanced year after year. Reported in the 2019 Penetration testing is a common practice to actively assess
BSSN Cyber Security Monitoring Report, consecutive data the defenses of a computer network or web server by planning
leaks in the last three years, in March 18, 2019 as many as 13 and executing all possible attacks to find and exploit
million Bukalapak user data, September 18, 2019 as many as vulnerabilities. [5].
7.8 million personal data of Malindo Air passengers, cyber B. Network Security
attack found 117.9 million attacks in the form of trojans, then
6.4 million attacks on DNS servers and 12.5 million attacks Network security is related to the protection of
on port 80[1]. One of the causes of data leaks is information information systems. This action guards against the
security awareness, a research report conducted by Robbi unauthorized intrusion, protects the usability and integrity of
Akraman wrote that information security has an average level the network and data. Cyber attacks can be passive such as
of awareness of 71%, in focus reports for security incidents it port scanning, eavesdropping and encryption [6]. Relevant
has a poor level of awareness, which is 37%[2]. security measures include several security aspects, such as:
Confidentiality, Integrity, Availability, Privacy, Authenticity

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
978-1-6654-5512-1/22/$31.00 ©2022 IEEE 1
and Trustworthiness, Non-Repudiation, Accountability and G. Analysis Equation
Auditability. [7] The data analysis in this study, observing the results of
C. Webserver the SIEM wazuh response focused on the timestamp.
Subsequently, the obtained timestamp is calculated to find the
Web server is a software which is on the server, functions
standard deviation value by applying the equation below.
to receive requests in the form of web pages via the http or
https protocol from the client (browser) and sends back
(response) in the form of web pages which are generally in ∑
∑
the form of html tags. The web server function not only (1)
processes data but can also send data in the form of photo and
video files on client request [5].
The following is the description of the equation for
D. Lateral Movement calculating the standard deviation of the attack data recorded
Lateral movement is a technique applied by hackers, after by Siem.

∑
compromising with the aim of extending access to the hacked
host or application. The main objective of this technique is to The amount of attack data
access valuable and sensitive information that silently i-th attack frequency
remains undetected for as long as possible, and moves The middle value of the i-th attack
literally by accessing more sensitive systems and data. SIEM Mean or average value
is suitable for detecting cyber attacks, profiling activity or
accurately detecting anomalies related to lateral movement, III. METHODOLOGY.
the result of this technique is that warnings in SIEM will This research stage is testing the web server by observing
increase too much[8]. The general stages of lateral movement the network existing, attacks on the network environment,
include 3 things, namely reconnaissance, credential/privilege network forensics and data analysis, using the oscar method,
gathering (collecting credentials/access rights), and gaining which is represented in Figure I of the OSCAR methodology.
[9].
E. SIEM Wazuh
Security Information and Event Management (SIEM) is a
technology which can detect various threats and incidents
from security by collecting real-time logs and analyzing
security history logs from various types of logs originating
from various data sources on different devices [10]. SIEM
wazuh, an open source tool with main functions as host-based
intrusion detection, log analysis, integrity check, rootkit
detection, time-based alert and active response. SIEM wazuh
provides deeper security visibility into an infrastructure by
monitoring hosts in the operating system and application FIG I. OSCAR Methodology
levels [11]. SIEM wazuh monitors configuration files to
ensure they comply with security policies, standards, or
Figure I representation of the OSCAR methodology in
system guidelines as per the Security Framework. Agent
this study is described as follows [7].
wazuh performs periodic scans to detect applications known
to be vulnerable, or are not securely configured. This diverse
set of capabilities is provided by integrating OSSEC, a. Obtain Information, look for information that supports
OpenSCAP and Elastic Stack [11]. OSSEC is an open source the forensic process, all information related to the
HIDS. This software performs log analysis, file integrity forensic investigation process, such as the shape of the
checking, policy monitoring, rootkit detection, real-time network topology, what attacks occur on the network
alerting and active response [12]. and the network environment.
b. Strategize, planning investigations in order that
F. Detection investigators work efficiently. Investigators prioritize
The intrusion detection system applies several methods of what objects can be used as evidence, this process also
signature-based detection, statistical anomaly-based determines how the process of handling evidence is
detection, and stateful protocol analysis. Anomaly-based carried out.
detection systems display the normal behavior of the system c. Collect Evidence, gather all sorts of information
in a given model. Any other activity that does not conform to which becomes evidence in the investigation such as
this approved model is considered abnormal and is packet capture, logs, and all evidence that leads to
warned[13]. Processes and methodologies recommended in incidents.
the book Road Map for Digital Forensic Research are Obtain d. Analyze, from the results of prioritizing evidence,
Information, Strategize, Collect Evidence, Analyze, Report. acquiring evidence in the strategic stage and collecting
evidence from each source, an analysis of the evidence
is then carried out.
e. Report, all kinds of findings in the analysis process as
reporting and documentation

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
2
 SIEM wazuh, sniffer software and collect evidence.
Representation of attack scenarios and data acquisition flow,
A. Network Existing Observation
presented in Figure III Attack and data acquisition scenarios.
The research stage is in observing the existing network
which will be applied for simulation of attack testing, as a
trigger for the SIEM response. The output of observing the
existing network in this study is to construct a map of the
attack scheme. Testing the attack to port 80 on the web server
is represented in Figure II Schematic of attack on port 80 web
servers. Afterward to support this research, utilize the devices
and equipment represented in Table I Hardware and software
requirements.

FIG III. Attack and data acquisition scenarios

In Fig III, the attack scenario and data acquisition are carried
out according to the following scenario, the hacker performs
a port scanning attack using the kalilinux tools Nmap
software to the target web server with the aim of port 80,
obtaining this port is to gain deeper access or an attacker has
been on the privilege escalation stage[15], after the hacker
found the port available, then simultaneously taken and
Figure II. Schematic of attack on port 80 web server carried out observations on SIEM wazuh, dashboard sniffer,
web server and collect evidence in addition to observe SIEM
wazuh logs, packet capture sniffer data and web server log
TABLE I. HARDWARE AND SOFTWARE REQUIREMENTS data.
Hardware Software
D. Attack Data Analysis
a) XCP-ng Virtualization Platform The analysis process of this research follows the OSCAR
Server HPE ProLiant ML150
Gen9, RAM 32G HDD 1T, b) OS CentOS 7 methodology, by the OSCAR methodology applied in this
12Core, Intel(R) Xeon(R) c) Kalilinux OS versi 2022.2 study, namely attacking, collecting evidence and analysis.
CPU E5-2620 v3 @ 2.40GHz d) Apache httpd 2.4.6 & PHP 5.4.16 The summary representation of attacks against the
Speed: 2397 MHz e) Metasploit methodology used is presented in Table III Summary of
f) Colasoft capsa sniffer versi 11 SIEM recognition attacks.

TABLE III. SUMMARY OF SIEM RECOGNITION ATTACKS

B. Network Environment Attack
SIEM Response Webserver
The stage after observing the existing network which Module
Response
includes the preparation and configuration of hardware and Webserver
auxiliary/scanner/http/ SIEM response
software, followed by an attack is carried out on port 80 on response
dir_scanner description
the web server. The attacks carried out in this study are description
attacks in the form of reconnaissance using nmap tools and
exploit scanning modules[14]. The equipment for this attack IV. DISCUSSION
stage is presented in Table II. Reconnaissance attack
equipment. Analysis and discussion of the research on observations
of existing networks, network environment attacks,
TABLE II. RECONNAISSANCE ATTACK EQUIPMENT implementation of attack scenarios and analysis of attack data
are described below.
N
Tools Modul
o A. Network Existing Observation
1 Nmap version 7.92 Scanner
The results of the observation process for the existing
2 Metasploit-framework auxiliary/scanner/http/files_dir
network obtained that the IP gateway network is
192.168.18.1 and the subnet network segment is
C. Attack Scenario 255.255.255.0 or segment 24. The data representation of the
observation process is illustrated in Table IV. Data for the
In this study, an attack scenario process was constructed, existing network IP segment and for data capture is presented
aiming to clarify how in the early stages hackers carried out in Figure IV. Capture the existing network segment.
attacks and whether the attack process could be detected by

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
3
 TABLE IV. DATA FOR THE EXISTING NEWTORK IP SEGMENT

Network IP Network
Wireless Gateway 192.168.18.1
IP Dynamic 192.168.18.0/24

Figure IV. Capture the existing network segment

B. Network Environment Attack

1) Nmap
Testing the attack using nmap is known that the web Figure VII. SIEM wazuh text data
server position has an IP of 192.168.18.62, and in the
process of scanning the port on the server, port 80 is found Subsequently, the attack data for monitoring the attack log on
in a state of open or vulnerability. The scanning process port 80 on the web server, error code 404 was observed. The
with the nmap tool is represented in Figure V. The nmap representation of the web server log can be seen in Figure
attack test data. VIII. The attack log is for observing port 80 web servers.
Moreover, the observation of attack packets is observed in
packet capture sniffer software which is represented in Figure
IX packet capture visualization.

Figure V. The nmap attack test data

2) auxiliary/scanner/http/files_dir
Testing the attack to identify the presence of a
directory (http directory scanner), utilizing the
metasploit-framework tool with the
auxiliary/scanner/http/files_dir module with the target
network port 80, obtained SIEM wazuh responds in the
form of graphic and text visualizations. Graphic
Figure. VIII. The attack log for observing port 80 web server
visualization represented in Figure VI Compilation of
SIEM wazuh visualization

Figure IX. Packet capture visualization

Observations from the attacker or hacker point of view, two

Figure VI. Compilation of SIEM wazuh visualization directories were detected, called codes 200 and 302. The
acquisition data is represented in Figure X. Hacker attack logs
SIEM wazuh response observation data is represented in target port 80 web servers.
Figure VII. SIEM wazuh text data.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
4
 1
Aug 2, 2022 @ 22:53:33.432 30
1
1
Aug 2, 2022 @ 22:53:33.462 26
2
1
Aug 2, 2022 @ 22:53:33.492 26
3
1
Aug 2, 2022 @ 22:53:33.522 26
4
1
Aug 2, 2022 @ 22:53:33.553 26
5
1
Aug 2, 2022 @ 22:53:33.583 26
Figure X. Hacker attack logs target port 80 web servers. 6
1
Summary of network environment attacks for http directory Aug 2, 2022 @ 22:53:33.613 26
7
scanner attack types using the 1
auxiliary/scanner/http/dir_scanner module and web server Aug 2, 2022 @ 22:53:33.644 26
8
port vulnerability scanning, represented in Table V. 1
Summary data of SIEM recognition attacks and Table VI. Aug 2, 2022 @ 22:53:33.674 26
9
Correlation data of attacks and SIEM wazuh 2
Aug 2, 2022 @ 22:53:33.704 26
TABLE V. SUMMARY DATA OF SIEM RECOGNITION ATTACKS
0
2
Aug 2, 2022 @ 22:53:33.737 23
SIEM Response Webserver Response 1
SIEM Wazuh responds the The webserver visualization 2
Aug 2, 2022 @ 22:53:33.764 26
visualizations in the form of remain looks normal, does not 2
graphics and text to a webserver display the website page is not
2
error code 404 notification available (error code 404) Aug 2, 2022 @ 22:53:33.795 28
3
C. Data Attack Analysis 2
Aug 2, 2022 @ 22:53:33.825 26
SIEM Wazuh data acquisition analysis is the standard 4
deviation value of the attack. The standard deviation value is 2
Aug 2, 2022 @ 22:53:33.855 26
obtained by processing Figure VII data using equation 1. 5
The duration of the attack is obtained by calculating the end 2
Aug 2, 2022 @ 22:53:33.885 26
time of the attack minus the initial time of each attack time 6
detected or recorded by SIEM wazuh. Then for the SIEM 2
Aug 2, 2022 @ 22:53:33.915 26
description data obtained from the SIEM rule description. 7
Moreover, for the SIEM detection time column, it is 2
Aug 2, 2022 @ 22:53:33.945 26
obtained from the SIEM time attribute in figure VII. In this 8
study, the standard deviation value of the attack was 1.402 2
Aug 2, 2022 @ 22:53:33.974 26
seconds. This value process was obtained from 30 attacks 9
from detected attacks by SIEM. The recapitulation of the 3
Aug 2, 2022 @ 22:53:34.007 26
calculation of the standard deviation of the attack is 0
represented in Table VI. The standard deviation STDDEV 1,402
recapitulation of the attack in the reconnaissance stage.
V. CONCLUSSION
TABLE VI. THE STANDARD DEVIATION RECAPITULATION OF THE
ATTACK IN THE RECONNAISSANCE STAGE
A. Conclussion
SIEM
From the conducted research, it can be concluded that the
N Detection Time of SIEM Attack Duration web server service still seem to be normal or there is no 404
Descriptio
o Wazuh (second)
n error message in the browser when the attack occurs. The
1 Aug 2, 2022 @ 22:53:33.129 25 application of the detection method and OSCAR is able to
2 Aug 2, 2022 @ 22:53:33.159 30 detect an attack on port 80 of the web server with an
3 Aug 2, 2022 @ 22:53:33.189 25 indication of a notification in SIEM wazuh. The results of the
analysis in the data acquisition process, the standard
4 Aug 2, 2022 @ 22:53:33.220 25
deviation value of the attack time are 1.402 seconds. The
5 Aug 2, 2022 @ 22:53:33.250 26 Web server lower the value of the standard deviation, the closer will be
6 Aug 2, 2022 @ 22:53:33.280 26 400 error
code
to the average. Whereas, if the value of the standard deviation
7 Aug 2, 2022 @ 22:53:33.311 26 is higher, it means the wider the range of variation in the
8 Aug 2, 2022 @ 22:53:33.341 26 attack data will occur. Based on security testing of Port 80 or
9 Aug 2, 2022 @ 22:53:33.372 26 Service HTTP (Hyper Text Transfer Protocol). The existence
1 of the results of the vulnerabilities obtained and the attacks
Aug 2, 2022 @ 22:53:33.405 23 that occur, can threaten the security of data and information
0
if not corrected.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
5
B. Suggestion
The recommended repair solution is system
administrators should harden the web server system to avoid
system vulnerabilities and minimize the impact of attacks.
Optimization of the security officer's duties to observe each
SIEM notification needs to be carried out regularly, using a
stable operating system and kernel, system updates and
upgrades, and regular data backups. Research conducted on
security evaluation on port 80, in the future can be developed
in the form of port 80 security testing using Hacking
Methodology including Reconnaissance, Enumeration,
Exploitation, Privilege Escalation, Post Exploitation,
Covering Tracks and Report Writing.
REFERENCES
[1] Pusat Operasi Keamanan Siber Nasional BSSN, “Indonesia Cyber
Security Monitoring Report 2019,” 2020. [Online]. Available:
https://cloud.bssn.go.id/s/nM3mDzCkgycRx4S/download
[2] R. Akraman, C. Candiwan, and Y. Priyadi, “Pengukuran
Kesadaran Keamanan Informasi Dan Privasi Pada Pengguna
Smartphone Android Di Indonesia,” J. Sist. Inf. Bisnis, vol. 8, no.
2, p. 115, 2018, doi: 10.21456/vol8iss2pp115-122.
[3] R. Sahtyawan, “Penerapan Zero Entry Hacking Didalam Security
Misconfiguration Pada Vapt (Vulnerability Assessment and
Penetration Testing),” J. Inf. Syst. Manag., vol. 1, no. 1, pp. 18–
22, 2019, doi: 10.24076/joism.2019v1i1.18.
[4] F. Paramita, O. Alvina, R. E. Sentia, and A. Kurniawan, “Analisis
Unauthorized Access Point Menggunakan Teknik Network
Forensics,” J. Telemat., vol. 14, no. 2, pp. 63–72, 2021.
[5] F. Fachri, A. Fadlil, and I. Riadi, “Analisis Keamanan Webserver
menggunakan Penetration Test,” J. Inform., vol. 8, no. 2, pp. 183–
190, 2021, doi: 10.31294/ji.v8i2.10854.
[6] I. Priyadarshini, “Introduction On Cybersecurity,” in Cyber
Security in Parallel and Distributed Computing Concept,
Techniques, Applications and Case studies, 2019, no. March, pp.
3–37. doi: 10.1002/9781119488330.ch6.
[7] C. Arfanudin, B. Sugiantoro, and Y. Prayudi, “Analisis Serangan
Router Dengan Security Information and Event Management Dan
Implikasinya Pada Indeks Keamanan Informasi,” CyberSecurity
dan Forensik Digit., vol. 2, no. 1, pp. 1–7, 2019.
[8] Palo Alto Networks, “What is lateral movement in cyber
security?,” 2022.
https://www.paloaltonetworks.com/cyberpedia/what-is-lateral-
movement (accessed Jul. 26, 2022).
[9] crowdstrike.com, “Lateral Movement,” 2022.
https://www.crowdstrike.com/cybersecurity-101/lateral-
movement/ (accessed Jul. 26, 2022).
[10] W. Abidian, “Security Information and Event Management ( Studi
Kasus : Jaringan Uii ) ( Studi Kasus : Jaringan Uii ),” Universitas
Islam Indonesia, 2021. [Online]. Available:
https://dspace.uii.ac.id/handle/123456789/29642
[11] M. D. Pratama, F. Nova, and D. Prayama, “Wazuh sebagai Log
Event Management dan Deteksi Celah Keamanan pada Server dari
Serangan Dos,” vol. 3, no. 1. pp. 1–7, 2022.
[12] M. Syani and A. M. Ropi, “Analisis Dan Implementasi Network
Security System Menggunakan Teknik Host-Based Intrusion
Detection System (Hids) Berbasis Cloud Computing,” Semin. Nas.
Telekomun. dan Inform. (SELISIK 2018), no. September, p. 2,
2018.
[13] S. M. Zeinali, “Analysis of Security Information and Event
Management ( Siem ) Evasion an Detection Methods,” Tallinn
University of Technology, 2016.
[14] N. I. Aspriantama, “Pengujian Keamanan Sistem Informasi Uajy
Menggunakan Penetration Testing,” 2021, [Online]. Available:
http://e-journal.uajy.ac.id/id/eprint/24753
[15] I. Syarifudin, “Pentesting dan Analisis Keamanan Web Paud
Dikmas,” Pentesting Dan Anal. Keamanan Web Paud Dikmas, no.
April, p. 2, 2018.

Authorized licensed use limited to: Universitas Indonesia. Downloaded on November 09,2024 at 06:42:04 UTC from IEEE Xplore. Restrictions apply.
6