A beginner-friendly guide to Wazuh and Wireshark, with AI as your study partner every step of the way.
Wazuh
A free, open-source Security Information and Event Management (SIEM) platform. It watches your computers for suspicious activity, tracks file changes, and alerts you when something looks wrong.
SIEM · Log Analysis

Wireshark
The world's most popular network packet analyzer. It lets you see every packet crossing the network interface you are capturing on, in real time, like an X-ray for your network traffic.
Packet Analysis · Protocols

AI Study Partner
Claude, ChatGPT, and Gemini act as your personal tutors. You can paste alerts, logs, or packet captures and ask "what does this mean?" in plain English.
Claude · ChatGPT · Gemini

How These Tools Work Together
By the end of this lesson, students will be able to:
| Section | Topic | Duration | Tools |
|---|---|---|---|
| 1 | Overview & Tool Introduction | 15 min | None |
| 2 | How to Use AI as a Study Partner | 20 min | Claude / ChatGPT / Gemini |
| 3 | Wazuh Dashboard Basics | 30 min | Wazuh |
| 4 | File Integrity Monitoring + VirusTotal | 30 min | Wazuh + VirusTotal |
| 5 | Reading Logs & Alerts | 25 min | Wazuh |
| 6 | Wireshark Interface & Capturing | 30 min | Wireshark |
| 7 | Network Protocols Deep Dive | 35 min | Wireshark |
| 8 | Real-World Scenarios | 30 min | Both + AI |
| 9 | Knowledge Check Quiz | 15 min | None |
Copy these prompt templates and fill in your actual output from Wazuh or Wireshark. Before you paste, redact anything sensitive: real usernames, passwords, internal hostnames and IP addresses, and API keys. A public AI service is not the place for your network's secrets.
I'm a cybersecurity student using Wazuh for the first time. I just got this alert and I don't understand what it means. Can you explain it in simple terms and tell me if it's something to be concerned about? [paste your alert here]
I'm looking at this Wireshark packet capture and I can see traffic I don't recognize. Can you explain what this protocol is doing and whether this looks normal for a home or school network? Protocol: DNS Destination: 8.8.8.8 Info: Standard query 0x1234 A google.com
Walk me through, step by step, how File Integrity Monitoring works in Wazuh. I'm a complete beginner. Use an analogy to help me understand the concept before getting technical.
I found this in my Wireshark capture. Can you tell me: 1. What protocol this is 2. What it's doing 3. Whether this is suspicious 4. What filter I should use to see more of this type of traffic [paste packet info here]
| AI Tool | Strength for Cyber Learning | Best For | Limit |
|---|---|---|---|
| Claude (Anthropic) | Detailed, nuanced explanations with good context awareness | Analyzing logs, understanding concepts deeply | No real-time browsing by default |
| ChatGPT (OpenAI) | Very large knowledge base, good code examples | Configuration help, scripting, step-by-step guides | Can confidently give wrong answers |
| Gemini (Google) | Integrates with Google search for current info | Looking up current CVEs, recent threats | Sometimes less detailed on niche tools |
Wazuh Manager
The brain of the operation. It receives data from agents, processes alerts, and applies security rules. Usually runs on a Linux server.
Central Server

Wazuh Agent
A small program installed on each computer you want to monitor (Windows, Linux, or macOS). It watches the local system and sends events to the manager.
Installed on Endpoints

Wazuh Dashboard
The web interface you use to view everything. See real-time alerts, browse logs, check compliance, and investigate incidents, all in one place.
Web UI

Every alert Wazuh raises carries a rule level from 0 to 15. By default the manager only writes alerts of level 3 and above to alerts.log (the log_alert_level setting), so the lowest levels rarely show up. The table below groups the levels by severity:
| Level | Severity | Example | Action |
|---|---|---|---|
| 1–3 | Informational | Successful login, normal file access | Monitor, no immediate action |
| 4–6 | Low | Multiple failed logins, unusual process | Log and review when convenient |
| 7–11 | Medium | File added to monitored folder, policy violation | Investigate within same day |
| 12–15 | High / Critical | Malware detected, rootkit found | Respond immediately |
I'm new to Wazuh. I see an alert that says "Rule 554 - File added to the system" with a severity level of 7. Can you explain: 1. What this rule is detecting 2. Why it matters for security 3. What I should look at next in the dashboard
Imagine you have a very important filing cabinet. FIM is like having a guard who memorizes every folder and document in that cabinet. The moment anything is added, changed, or deleted, the guard tells you. In Wazuh the guard is the syscheck module: it stores a checksum and the attributes of every file in the directories you list, then reports differences either on its scheduled scan (every 12 hours by default) or immediately, if realtime monitoring is enabled for that directory.
Rule 554: File added
A new file appears in a monitored directory. Could be legitimate software, or malware being installed quietly.

Rule 550: File modified
An existing file's contents, permissions, or ownership changed. Critical system files should rarely change unexpectedly.

Rule 553: File deleted
A file was removed from the monitored directory. Could indicate an attacker covering their tracks.

FIM → VirusTotal Workflow
A hash is like a fingerprint for a file. Even if you rename a virus to "homework.pdf", its hash stays the same, because the hash is computed from the file's contents, not its name. VirusTotal keeps the results of scanning files with dozens of antivirus engines, indexed by hash, so Wazuh's integration only has to send the hash of the new or changed file; the file itself never leaves your machine.
When VirusTotal reports detections for that hash, Wazuh raises a second, higher-level alert (level 12 by default) on top of the original FIM alert. It names the file and shows how many engines flagged it out of the total that scanned it, which is where a score such as 45/72 comes from.
I got a Wazuh alert showing a file scored 45/72 on VirusTotal. Is that definitely malware? What should I do next? Can a legitimate file ever get false positives on VirusTotal? Explain for a beginner.
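The following is an added example for this lesson, not code from Wazuh or from the original page. It reads one VirusTotal alert from alerts.json and applies a beginner triage rule. The alert line is constructed: its field names follow the JSON Wazuh's virustotal integration writes (rule 87105, data.virustotal.positives, data.virustotal.total, data.virustotal.source.file), but the hashes, path, agent name and permalink are placeholders, and the thresholds in verdict() are the lesson's own, not VirusTotal's.

```python
"""Triage a Wazuh VirusTotal alert from alerts.json (added lesson example)."""
import json

# CONSTRUCTED sample: one line as it would appear in
# /var/ossec/logs/alerts/alerts.json after the virustotal integration fires.
# Hashes, path, agent and permalink are placeholders, not real indicators.
SAMPLE_VT_ALERT = json.dumps({
    "timestamp": "2024-03-04T14:22:31.512+0000",
    "rule": {
        "level": 12,
        "id": "87105",
        "description": "VirusTotal: Alert - /home/student/Downloads/free_game_crack.exe"
                       " - 45 engines detected this file",
        "groups": ["virustotal"],
    },
    "agent": {"id": "003", "name": "lab-win10"},
    "data": {"virustotal": {
        "found": "1",
        "malicious": "1",
        "positives": "45",
        "total": "72",
        "permalink": "https://www.virustotal.com/gui/file/<sha256-placeholder>/detection",
        "source": {
            "alert_id": "1709562141.123456",
            "file": "/home/student/Downloads/free_game_crack.exe",
            "md5": "00000000000000000000000000000000",
            "sha1": "0000000000000000000000000000000000000000",
        },
    }},
})


def parse_vt_alert(line: str) -> dict:
    """Pull out the fields a responder actually needs from one alert line."""
    alert = json.loads(line)
    vt = alert["data"]["virustotal"]
    return {
        "agent": alert["agent"]["name"],
        "level": alert["rule"]["level"],
        "file": vt["source"]["file"],
        "sha1": vt["source"]["sha1"],
        # Wazuh may store these as strings; normalise to int.
        "positives": int(vt.get("positives", 0)),
        "total": int(vt.get("total", 0)),
        "found": str(vt.get("found")) == "1",
        "permalink": vt.get("permalink"),
    }


def verdict(positives: int, total: int, found: bool) -> str:
    """Beginner triage rule. The cut-offs (10 engines or 25%) are this
    lesson's choice; tune them for your environment."""
    if not found or total == 0:
        return "unknown: hash not in VirusTotal, treat as untrusted until analysed"
    if positives >= 10 or positives / total >= 0.25:
        return "malicious: broad agreement between engines, isolate the host"
    if positives >= 1:
        # One or two engines alone often means a heuristic false positive.
        return "suspicious: few engines flag it, possible false positive, review manually"
    return "clean: no engine flagged this hash (not a guarantee of safety)"


def triage(line: str) -> dict:
    info = parse_vt_alert(line)
    info["verdict"] = verdict(info["positives"], info["total"], info["found"])
    return info


if __name__ == "__main__":
    for key, value in triage(SAMPLE_VT_ALERT).items():
        print(f"{key:>10}: {value}")
```

A low positive count is where beginners go wrong in both directions: a single heuristic engine flagging a setup tool is usually noise, while a brand-new malware sample may score 0/72 on its first day. The verdict strings deliberately say what to do next rather than just "bad" or "good".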
This is the key configuration that enables VirusTotal in Wazuh: an integration block that names the virustotal integration, your API key, and the syscheck alert group that should trigger it. You don't need to memorize it; use AI to help you understand each line.
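As an added example (not part of the original lesson or of Wazuh's own tooling), the check below parses an ossec.conf and reports whether the FIM-to-VirusTotal chain can actually work. The embedded configuration is constructed to mirror the two blocks Wazuh's documentation uses for this setup; API_KEY and the monitored directory are placeholders. It assumes the file is well-formed XML apart from possibly having several top-level <ossec_config> blocks, which it handles by wrapping the text in one root element.

```python
"""Sanity-check ossec.conf for FIM + VirusTotal (added lesson example)."""
import xml.etree.ElementTree as ET
from typing import Optional

# CONSTRUCTED config in the shape Wazuh's docs use; values are placeholders.
CONSTRUCTED_CONF = """
<ossec_config>
  <syscheck>
    <disabled>no</disabled>
    <frequency>43200</frequency>
    <directories realtime="yes" check_all="yes">/home/student/Downloads</directories>
  </syscheck>
  <integration>
    <name>virustotal</name>
    <api_key>API_KEY</api_key>
    <group>syscheck</group>
    <alert_format>json</alert_format>
  </integration>
</ossec_config>
"""


def _root(conf_xml: str) -> ET.Element:
    # A real ossec.conf may contain several <ossec_config> blocks, which is
    # not one XML document; wrapping them makes the parser happy.
    return ET.fromstring("<wrapper>" + conf_xml + "</wrapper>")


def monitored_directories(conf_xml: str) -> list:
    """Every path FIM watches, with the options that matter here."""
    dirs = []
    for d in _root(conf_xml).iterfind(".//syscheck/directories"):
        for path in (d.text or "").split(","):
            if path.strip():
                dirs.append({
                    "path": path.strip(),
                    "realtime": d.get("realtime", "no") == "yes",
                    "check_all": d.get("check_all", "no") == "yes",
                })
    return dirs


def virustotal_integration(conf_xml: str) -> Optional[dict]:
    for integ in _root(conf_xml).iterfind(".//integration"):
        if (integ.findtext("name") or "").strip() == "virustotal":
            key = (integ.findtext("api_key") or "").strip()
            return {
                "group": (integ.findtext("group") or "").strip(),
                "alert_format": (integ.findtext("alert_format") or "").strip(),
                "api_key_set": key not in ("", "API_KEY"),
            }
    return None


def config_problems(conf_xml: str) -> list:
    """Human-readable problems; an empty list means the chain can fire."""
    problems = []
    dirs = monitored_directories(conf_xml)
    if not dirs:
        problems.append("syscheck monitors no directories")
    elif not any(d["realtime"] for d in dirs):
        problems.append("no realtime directory: new files wait for the next scheduled scan")
    vt = virustotal_integration(conf_xml)
    if vt is None:
        problems.append("no <integration> block with <name>virustotal</name>")
    else:
        if vt["group"] != "syscheck":
            problems.append("integration group is not syscheck, FIM alerts will not trigger it")
        if vt["alert_format"] != "json":
            problems.append("alert_format must be json")
        if not vt["api_key_set"]:
            problems.append("api_key is still the placeholder")
    return problems


if __name__ == "__main__":
    for p in config_problems(CONSTRUCTED_CONF) or ["no problems found"]:
        print("-", p)
```

Run it against a copy of your manager's /var/ossec/etc/ossec.conf after editing; the most common beginner mistakes it catches are the API key left as a placeholder and a monitored directory without realtime, which makes the demo look broken because nothing happens until the next scheduled scan.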
| File Path | Contains | When to Check It |
|---|---|---|
| /var/ossec/logs/alerts/alerts.log | All triggered security alerts, human-readable | Primary file for incident investigation |
| /var/ossec/logs/alerts/alerts.json | The same alerts as JSON, one object per line | When scripting, searching with jq, or pasting into an AI |
| /var/ossec/logs/ossec.log | Wazuh system events and errors | When Wazuh itself has a problem |
| /var/ossec/logs/integrations.log | VirusTotal and other integration results | After enabling external integrations |
| /var/ossec/logs/active-responses.log | Automatic response actions taken | Verify automatic threat removal worked |
Let's break down a real Wazuh alert entry piece by piece:
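The code below is an added example, not from the original lesson or from Wazuh. It reads alerts.json lines, pulls out the pieces a beginner should look at first (when, which agent, which rule and level, source IP, file path, raw log), and maps the level onto the severity bands from the table above. The four alert lines are constructed; their keys follow Wazuh's JSON alert schema, the sshd rule IDs (5716, 5720, 5715) are the default ruleset's as I recall them and should be checked against your own, rule 554 is the one this lesson discusses, and every host, IP and hash is made up.

```python
"""Break down and summarise Wazuh alerts.json entries (added lesson example)."""
import json
from collections import Counter

# CONSTRUCTED alerts in Wazuh's JSON alert shape (one object per line).
SAMPLE_ALERTS = "\n".join(json.dumps(a) for a in [
    {"timestamp": "2024-03-04T14:20:01.000+0000",
     "rule": {"level": 5, "id": "5716", "description": "sshd: authentication failed.",
              "groups": ["syslog", "sshd", "authentication_failed"]},
     "agent": {"id": "001", "name": "lab-ubuntu"}, "decoder": {"name": "sshd"},
     "data": {"srcip": "203.0.113.47", "srcport": "51234", "dstuser": "admin"},
     "full_log": "Mar  4 14:20:01 lab-ubuntu sshd[4321]: Failed password for admin from 203.0.113.47 port 51234 ssh2",
     "location": "/var/log/auth.log"},
    {"timestamp": "2024-03-04T14:20:23.000+0000",
     "rule": {"level": 10, "id": "5720", "description": "sshd: Multiple authentication failures.",
              "groups": ["syslog", "sshd", "authentication_failures"], "frequency": 8},
     "agent": {"id": "001", "name": "lab-ubuntu"}, "decoder": {"name": "sshd"},
     "data": {"srcip": "203.0.113.47", "dstuser": "student"},
     "full_log": "Mar  4 14:20:23 lab-ubuntu sshd[4335]: Failed password for student from 203.0.113.47 port 51248 ssh2",
     "location": "/var/log/auth.log"},
    {"timestamp": "2024-03-04T14:22:30.000+0000",
     "rule": {"level": 7, "id": "554", "description": "File added to the system.",
              "groups": ["ossec", "syscheck"]},
     "agent": {"id": "003", "name": "lab-win10"}, "decoder": {"name": "syscheck_new_entry"},
     "data": {"syscheck": {"path": "c:\\users\\student\\downloads\\free_game_crack.exe",
                           "event": "added",
                           "sha1_after": "0000000000000000000000000000000000000000"}},
     "full_log": "File 'c:\\users\\student\\downloads\\free_game_crack.exe' added",
     "location": "syscheck"},
    {"timestamp": "2024-03-04T14:23:02.000+0000",
     "rule": {"level": 3, "id": "5715", "description": "sshd: authentication success.",
              "groups": ["syslog", "sshd", "authentication_success"]},
     "agent": {"id": "001", "name": "lab-ubuntu"}, "decoder": {"name": "sshd"},
     "data": {"srcip": "198.51.100.9", "dstuser": "student"},
     "full_log": "Mar  4 14:23:02 lab-ubuntu sshd[4401]: Accepted publickey for student from 198.51.100.9 port 40010 ssh2",
     "location": "/var/log/auth.log"},
])

# Severity bands from the lesson's table (level 0 is never written to alerts.log).
SEVERITY_BANDS = [(1, 3, "Informational"), (4, 6, "Low"), (7, 11, "Medium"), (12, 15, "High / Critical")]


def severity(level: int) -> str:
    for lo, hi, name in SEVERITY_BANDS:
        if lo <= level <= hi:
            return name
    return "Ignored" if level == 0 else "Unknown"


def parse_alerts(text: str) -> list:
    """One JSON object per line; skip blanks and half-written lines."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            alerts.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # e.g. the last line of a file Wazuh is still writing
    return alerts


def breakdown(alert: dict) -> dict:
    """The pieces of one alert, in the order you would read them."""
    rule, data = alert["rule"], alert.get("data", {})
    return {
        "when": alert["timestamp"],
        "agent": alert["agent"]["name"],
        "rule_id": rule["id"],
        "level": rule["level"],
        "severity": severity(rule["level"]),
        "description": rule["description"],
        "source_ip": data.get("srcip"),           # present for network/auth events
        "user": data.get("dstuser"),
        "path": data.get("syscheck", {}).get("path"),  # present for FIM events
        "log_source": alert.get("location"),
        "raw": alert.get("full_log"),
    }


def summarise(alerts: list) -> dict:
    """Counts by severity and agent, plus the busiest source IPs."""
    sources = Counter(a["data"]["srcip"] for a in alerts if "srcip" in a.get("data", {}))
    return {
        "by_severity": dict(Counter(severity(a["rule"]["level"]) for a in alerts)),
        "by_agent": dict(Counter(a["agent"]["name"] for a in alerts)),
        "top_sources": sources.most_common(3),
    }


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for a in alerts:
        print(breakdown(a))
    print(summarise(alerts))
```

Reading the pieces in this order (time, agent, rule, level, then the specific data fields) is the habit to build: rule.description tells you what Wazuh thinks happened, data.srcip or data.syscheck.path tells you where to pivot next, and full_log is the untouched evidence you can paste into an AI prompt.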
A brute force attack tries many passwords quickly. In logs you'll see many "authentication failure" entries from the same IP in a short time window.
Wazuh correlates these failures using the frequency and timeframe attributes on its rules (for example, many failures from one source inside a short window) and fires a single higher-level alert, which is much easier to spot than reading thousands of individual log lines.
When a critical system file changes unexpectedly, it could mean an attacker modified it. FIM records the "before and after" checksums, size, permissions and owner of the file; if report_changes="yes" is set on the monitored directory, Wazuh also attaches a diff of the text content so you can see exactly what changed.
The /etc/passwd file lists the user accounts on Linux (the password hashes live in /etc/shadow). If either changes without a known reason, such as a new user appearing, it's a major red flag.
Web server logs show incoming HTTP requests. SQL injection attacks put database syntax into URL parameters or form fields, hoping the server will splice it into a query.
The string 1' OR '1'='1 is classic SQL injection. Wazuh's built-in web rules detect such patterns in the request line of access logs, so two things must be true for the alert to fire: the agent must be collecting the web server's access log (a localfile entry in its configuration), and the payload must appear in the logged URL. A payload sent in a POST body never reaches the access log and will not be seen this way.
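To make the brute-force and SQL-injection detections above concrete, here is an added example (not Wazuh's code and not from the original lesson) that runs both over constructed log excerpts. The brute-force check uses the same idea as a Wazuh rule's frequency and timeframe attributes, and it also raises a higher alert if the same IP then logs in successfully, which is the first thing to check in the SSH scenario later in this lesson. The thresholds, regexes, hostnames and IPs are the lesson's own; the log lines follow the standard sshd and Apache access-log formats but are made up.

```python
"""SSH brute force + SQLi detection over sample logs (added lesson example)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import unquote_plus

# CONSTRUCTED /var/log/auth.log excerpt (syslog lines carry no year).
AUTH_LOG = """\
Mar  4 14:20:01 lab-ubuntu sshd[4321]: Failed password for admin from 203.0.113.47 port 51234 ssh2
Mar  4 14:20:03 lab-ubuntu sshd[4323]: Failed password for admin from 203.0.113.47 port 51236 ssh2
Mar  4 14:20:06 lab-ubuntu sshd[4325]: Failed password for invalid user test from 203.0.113.47 port 51238 ssh2
Mar  4 14:20:09 lab-ubuntu sshd[4327]: Failed password for invalid user oracle from 203.0.113.47 port 51240 ssh2
Mar  4 14:20:12 lab-ubuntu sshd[4329]: Failed password for root from 203.0.113.47 port 51242 ssh2
Mar  4 14:20:15 lab-ubuntu sshd[4331]: Failed password for root from 203.0.113.47 port 51244 ssh2
Mar  4 14:20:19 lab-ubuntu sshd[4333]: Failed password for student from 203.0.113.47 port 51246 ssh2
Mar  4 14:20:23 lab-ubuntu sshd[4335]: Failed password for student from 203.0.113.47 port 51248 ssh2
Mar  4 14:20:29 lab-ubuntu sshd[4337]: Accepted password for student from 203.0.113.47 port 51250 ssh2
Mar  4 14:25:00 lab-ubuntu sshd[4400]: Failed password for student from 198.51.100.9 port 40000 ssh2
"""

# CONSTRUCTED Apache access-log excerpt; the URL-encoded payloads decode to
# 1' OR '1'='1 and a UNION SELECT.
ACCESS_LOG = """\
192.0.2.10 - - [04/Mar/2024:14:30:12 +0000] "GET /products?id=42 HTTP/1.1" 200 5120
198.51.100.77 - - [04/Mar/2024:14:30:40 +0000] "GET /login?user=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 812
198.51.100.77 - - [04/Mar/2024:14:30:44 +0000] "GET /products?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 301
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})"
FAILED_RE = re.compile(_TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
ACCEPTED_RE = re.compile(_TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+)')
SQLI_RE = re.compile(
    r"['\"]\s*(or|and)\s+['\"]?\w+['\"]?\s*="      # ' OR '1'='1
    r"|\bunion\s+(all\s+)?select\b"                # UNION SELECT
    r"|\bselect\b.+\bfrom\b"                       # SELECT ... FROM
    r"|;\s*drop\s+table",                          # ; DROP TABLE
    re.IGNORECASE)


def _syslog_time(ts: str, year: int = 2024) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def ssh_brute_force(log_text: str, threshold: int = 8, timeframe_s: int = 120) -> list:
    """Alert once per IP when `threshold` failures land inside `timeframe_s`
    seconds (frequency/timeframe), then escalate if that IP logs in."""
    window = defaultdict(deque)   # ip -> recent failure times
    flagged_at = {}
    alerts = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            t, ip = _syslog_time(m["ts"]), m["ip"]
            q = window[ip]
            q.append(t)
            while q and (t - q[0]).total_seconds() > timeframe_s:
                q.popleft()               # drop failures outside the window
            if len(q) >= threshold and ip not in flagged_at:
                flagged_at[ip] = t        # fire once, like a rule's `ignore`
                alerts.append({"level": 10, "ip": ip, "time": t.isoformat(),
                               "description": f"{len(q)} failed SSH logins within {timeframe_s}s"})
            continue
        m = ACCEPTED_RE.match(line)
        if m and m["ip"] in flagged_at:
            t = _syslog_time(m["ts"])
            if (t - flagged_at[m["ip"]]).total_seconds() <= 600:
                alerts.append({"level": 14, "ip": m["ip"], "time": t.isoformat(),
                               "description": f"successful SSH login for {m['user']} shortly after brute force"})
    return alerts


def sqli_attempts(log_text: str) -> list:
    """Decode the request URL and look for SQL syntax in it."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and SQLI_RE.search(unquote_plus(m["url"])):
            hits.append({"level": 6, "ip": m["ip"], "url": unquote_plus(m["url"])})
    return hits


if __name__ == "__main__":
    for a in ssh_brute_force(AUTH_LOG) + sqli_attempts(ACCESS_LOG):
        print(a)
```

Two caveats worth remembering when you read Wazuh's own output: the password-guessing alert fires on the eighth failure, not the first, so a slow attacker spreading attempts over hours slips under a fixed window, and any pattern-based SQLi rule will occasionally flag a legitimate search for words like "select" or "union", so the URL in the alert always needs a human look.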
I found this pattern in my Wazuh logs β many failed SSH logins from the same IP address within seconds. Can you: 1. Explain what type of attack this is 2. Tell me how Wazuh detects it 3. Suggest what I should do to protect the server 4. Explain what "brute force" means in simple terms
When you send a large document over the internet, it gets broken into small pieces called packets. Each packet is like an envelope: it has a "from" address (source IP), a "to" address (destination IP), and some content. Wireshark lets you open and read every one of those envelopes.
Wireshark's main window is split into three panes:

Packet List (top pane)
Every captured packet in order. Color-coded by protocol. This is your timeline of network events.

Packet Details (middle pane)
Drill down into a selected packet. See each layer of the network stack: Ethernet → IP → TCP → Application.

Packet Bytes (bottom pane)
The raw hex and ASCII data of the packet. This is exactly what was on the wire.
| Color | Protocol / Type | What It Means |
|---|---|---|
| Light Purple | TCP | Generic TCP connection traffic |
| Light Blue | UDP | UDP traffic (DNS, streaming, VoIP) |
| Light Green | HTTP | Unencrypted web traffic |
| Yellow | ARP / ICMP | Network control messages, ping |
| Black / Red | Errors | Packet errors, TCP problems (retransmissions, resets) |

These are Wireshark's default coloring rules; you can inspect or change them under View → Coloring Rules, so a capture from someone else's profile may look different.
I just opened Wireshark for the first time and I'm seeing hundreds of packets every second. I'm overwhelmed. Can you: 1. Explain what a "packet" is in simple terms 2. Tell me the most important 3-4 things to look at as a beginner 3. Suggest the best first filter to apply to reduce the noise 4. Explain what the different colors mean
Analogy: DNS is the internet's phone book. You type "google.com" → DNS translates that to an IP address like 142.250.80.14 so your computer knows where to go.
Security note: Unusually long or random-looking domain names, queries for rarely used record types such as TXT or NULL, or a flood of unique subdomains under one domain can indicate DNS tunneling, a way attackers hide data exfiltration (or command-and-control traffic) inside DNS packets, which most firewalls let straight through.
Analogy: HTTP is how your browser orders a webpage. It sends a "GET" request ("give me this page") and the server sends back the content. HTTP is unencrypted: anyone watching can read it.
Security note: In Wireshark, right-click any HTTP packet → Follow → TCP Stream (or HTTP Stream) to see the entire conversation, including usernames and passwords sent over unencrypted HTTP. The display filter http.request lists only the requests, which is the quickest way to see what a machine asked for.
Analogy: TLS is like putting your HTTP conversation inside a locked box. You can see packets are being sent, but their contents are encrypted; Wireshark shows "Application Data" instead of readable text.
Key concept: HTTPS = HTTP + TLS. The padlock in your browser means traffic is encrypted. Security analysts look for connections using old TLS versions (TLS 1.0/1.1, formally deprecated by RFC 8996) which have known weaknesses. Note what is still visible in a TLS capture: the server name in the ClientHello (SNI), the certificate in TLS 1.2 and earlier, and the sizes and timing of packets. Encryption hides what you said, not who you talked to.
Analogy: TCP is like a phone call: before you talk, you establish a connection. It guarantees everything gets delivered in order, and asks for missing pieces to be re-sent.
Security note: If Wireshark shows one source sending SYN packets to many different ports on a host, most answered with RST or with nothing and almost none completing the handshake, that's a port scan: an attacker mapping out your open services. The display filter tcp.flags.syn == 1 && tcp.flags.ack == 0 shows only those initial SYNs.
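The function below is an added example, not Wireshark's code or part of the original lesson. It applies the port-scan logic just described to packet summaries of the kind you could export from the Packet List (File → Export Packet Dissections → As CSV). The packet list is constructed: one normal three-way handshake, then a scanner probing twelve ports on a lab server; the IPs, ports and the "10 ports in 5 seconds" threshold are the lesson's own choices.

```python
"""Detect a SYN port scan in packet summaries (added lesson example)."""
from collections import defaultdict

# CONSTRUCTED packets: (time_s, src, sport, dst, dport, tcp_flags)
PACKETS = [
    # An ordinary HTTPS handshake from a workstation to the lab server.
    (0.000, "192.168.1.100", 51000, "192.168.1.10", 443, "SYN"),
    (0.001, "192.168.1.10", 443, "192.168.1.100", 51000, "SYN,ACK"),
    (0.002, "192.168.1.100", 51000, "192.168.1.10", 443, "ACK"),
]
# A scanner (10.0.0.5) probing twelve ports on the same server in 0.33 s.
SCANNED_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
OPEN_PORTS = {22, 80}   # constructed: these answer SYN,ACK; the rest RST,ACK
for i, port in enumerate(SCANNED_PORTS):
    t = 10.0 + i * 0.03
    PACKETS.append((t, "10.0.0.5", 40000 + i, "192.168.1.10", port, "SYN"))
    reply = "SYN,ACK" if port in OPEN_PORTS else "RST,ACK"
    PACKETS.append((t + 0.001, "192.168.1.10", port, "10.0.0.5", 40000 + i, reply))


def syn_scan_sources(packets, min_ports: int = 10, window_s: float = 5.0) -> list:
    """Sources that sent bare SYNs (SYN set, ACK clear; Wireshark filter
    tcp.flags.syn == 1 && tcp.flags.ack == 0) to >= min_ports distinct ports
    on one host within window_s seconds, with the target's replies sorted
    into open (SYN,ACK) and closed (RST)."""
    bare_syn = defaultdict(list)    # (src, dst) -> [(time, dport)]
    replies = defaultdict(dict)     # (prober, target) -> {probed_port: flags}
    for t, src, sport, dst, dport, flags in packets:
        f = set(flags.split(","))
        if "SYN" in f and "ACK" not in f:
            bare_syn[(src, dst)].append((t, dport))
        elif {"SYN", "ACK"} <= f or "RST" in f:
            # A reply travels target -> prober; its source port is the probed port.
            replies[(dst, src)][sport] = f
    hits = []
    for (src, dst), events in bare_syn.items():
        events.sort()
        for t0, _ in events:
            ports = sorted({p for t, p in events if t0 <= t <= t0 + window_s})
            if len(ports) >= min_ports:
                rep = replies.get((src, dst), {})
                hits.append({
                    "src": src, "dst": dst, "ports_probed": ports,
                    "open": [p for p in ports if {"SYN", "ACK"} <= rep.get(p, set())],
                    "closed": [p for p in ports if "RST" in rep.get(p, set())],
                })
                break   # one finding per (src, dst) pair is enough
    return hits


if __name__ == "__main__":
    for hit in syn_scan_sources(PACKETS):
        print(f"{hit['src']} scanned {hit['dst']}: {len(hit['ports_probed'])} ports, "
              f"open={hit['open']} closed={hit['closed']}")
```

The open/closed split matters for the follow-up: an attacker now knows ports 22 and 80 are listening on that host, so those are the services whose logs (and Wazuh alerts) you check next. A real scanner may also randomise order and spread probes over time, which is why the window and port count are parameters rather than fixed constants.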
Analogy: ICMP ping is like knocking on a door to see if anyone's home. "Are you there?" → "Yes, I'm here!" It's used to test network connectivity.
These are the filters you'll use most often as a beginner. Type them in the display filter bar at the top of Wireshark; the bar turns green when the filter is valid and red when it is not:
I'm using Wireshark and I found this packet: Source: 192.168.1.100 Destination: 8.8.8.8 Protocol: DNS Length: 847 bytes Info: Standard query TXT "aHR0cDovL21hbHdhcmUuY29t..." This seems unusual to me. Can you explain what DNS TXT records are used for, why an 847-byte DNS query is suspicious, and what attack this might indicate?
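As an added example (not from the original lesson or from Wireshark), here is the DNS tunneling heuristic behind the security note and the prompt above, run over a small list of constructed queries of the kind you would read off Wireshark's Info and Length columns. The base64-looking names, the tunnel.example domain and the thresholds (50-character names, 30-character labels, entropy above 3.8 bits, frames above 512 bytes) are the lesson's own; real networks need their own baseline.

```python
"""Score DNS queries for tunneling / exfiltration signs (added lesson example)."""
import math
from collections import Counter, defaultdict

# CONSTRUCTED queries: (qtype, qname, frame_len_bytes). Wireshark equivalents:
#   dns.qry.name.len > 50        dns.qry.type == 16   (TXT)
QUERIES = [
    ("A", "google.com", 70),
    ("A", "www.wikipedia.org", 77),
    ("AAAA", "mail.example.edu", 76),
    ("TXT", "aHR0cDovL21hbHdhcmUuY29t.ZXhmaWwtZGF0YS0wMDEz.tunnel.example", 847),
    ("TXT", "c2Vzc2lvbi1pZC00Nzk5Mg.dGhpcy1pcy1hLXRlc3Q.tunnel.example", 812),
    # A CDN-style hex label: random-looking but short and type A.
    ("A", "a1b2c3d4e5f60718293a4b5c6d7e8f9.static.example", 80),
]


def shannon_entropy(text: str) -> float:
    """Bits per character; English-like names sit around 3, base64 near 4.5+."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def base_domain(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_query(qtype: str, qname: str, frame_len: int) -> list:
    """Return the list of reasons a query looks like tunneling (empty = normal)."""
    labels = qname.rstrip(".").split(".")
    longest = max(len(label) for label in labels)
    reasons = []
    if len(qname) > 50:
        reasons.append("name longer than 50 characters")
    if longest > 30:
        reasons.append(f"single label of {longest} characters")
    if shannon_entropy(qname.replace(".", "")) > 3.8:
        reasons.append("high-entropy (random-looking) name")
    if qtype in ("TXT", "NULL"):
        reasons.append(f"{qtype} record, rarely used by browsers")
    if frame_len > 512:
        reasons.append(f"frame of {frame_len} bytes, above the classic UDP DNS payload")
    return reasons


def suspicious_queries(queries, min_reasons: int = 3) -> list:
    """Queries with at least min_reasons signs; fewer signs is 'keep watching'."""
    return [(qname, score_query(qtype, qname, length))
            for qtype, qname, length in queries
            if len(score_query(qtype, qname, length)) >= min_reasons]


def noisy_domains(queries, min_unique: int = 2) -> dict:
    """Base domains receiving many distinct subdomain lookups: tunnels must
    vary the name on every query to carry new data."""
    unique = defaultdict(set)
    for _, qname, _ in queries:
        unique[base_domain(qname)].add(qname)
    return {dom: len(names) for dom, names in unique.items() if len(names) >= min_unique}


if __name__ == "__main__":
    for qname, reasons in suspicious_queries(QUERIES):
        print(qname, "->", "; ".join(reasons))
    print("domains with many unique subdomains:", noisy_domains(QUERIES))
```

Each sign alone is weak: CDNs and cloud services legitimately use long hex labels, and the hex-label query above collects two reasons without being flagged. Tunnels tend to hit several signs at once and, over time, generate hundreds of never-repeated subdomains under one parent, which is why the per-domain count is the stronger signal in a longer capture.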
The Situation: A student at a school downloads a file called "free_game_crack.exe" from an unknown website. Minutes later, Wazuh fires an alert.
Don't panic. The alert means Wazuh caught it: the file is flagged, but it may not have run yet.
Ask AI: "I got this Wazuh alert: [paste alert]. The file scored 58/72 on VirusTotal. What should I do immediately? Step by step, please."
Isolate the machine if possible: disconnect it from the network to prevent any potential spread.
Check if it ran: Look in Wazuh for process creation events around the same time (on Windows these are Security event 4688 or Sysmon event 1, and they only appear if that logging is enabled and collected by the agent). Ask AI: "How do I check in Wazuh if a file was executed?"
Use Wireshark to check if that computer made any unexpected outbound connections after the download.
Document everything β time, file name, hash, what actions you took. This is an incident report.
The Situation: A student notices their internet feels slow. They open Wireshark and notice one computer is sending large amounts of data outbound to an unknown IP address at 3 AM.
Note the unknown IP: 185.220.101.45. Write it down.
Ask AI: "I'm seeing a computer on my network sending 1.2 GB to IP 185.220.101.45 at 3 AM. What could cause this? Is this suspicious? What questions should I ask?"
Look up the IP using a free tool like AbuseIPDB or VirusTotal's IP lookup. Ask AI how to do this.
Follow the TCP stream in Wireshark: Right-click a packet → Follow → TCP Stream. This shows the full conversation.
Check Wazuh for any alerts on that same computer at the same time β any unauthorized process starting?
Correlation: This pattern (large outbound transfers at off-hours to an unfamiliar IP) is a classic indicator of data exfiltration. Rule out the boring explanations first: cloud backups, OS and game updates, and sync clients also move gigabytes at night, so compare against what that machine normally does.
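The steps above are a procedure you can also run as a quick script, so here is an added example (not from the original lesson) that turns per-conversation byte counts, as shown in Wireshark under Statistics → Conversations, into a short list of hosts worth investigating. The flow records, the 192.168.1.0/24 lab network, the 1 GB threshold and the 00:00 to 05:00 "off-hours" window are the lesson's own assumptions; the 185.220.101.45 address is the one the scenario uses.

```python
"""Rank outbound transfers by volume and time of day (added lesson example)."""
from collections import defaultdict
from datetime import datetime

LOCAL_PREFIX = "192.168.1."     # constructed lab network

# CONSTRUCTED conversations: (start_time, src, dst, dst_port, bytes_out)
FLOWS = [
    ("2024-03-04T03:05:00", "192.168.1.42", "185.220.101.45", 443, 1_250_000_000),
    ("2024-03-04T03:40:00", "192.168.1.42", "185.220.101.45", 443, 120_000_000),
    ("2024-03-04T14:10:00", "192.168.1.17", "142.250.80.14", 443, 35_000_000),
    ("2024-03-04T02:00:00", "192.168.1.10", "192.168.1.200", 445, 4_000_000_000),  # internal backup
    ("2024-03-04T23:30:00", "192.168.1.33", "198.51.100.20", 443, 900_000_000),
]


def is_internal(ip: str) -> bool:
    return ip.startswith(LOCAL_PREFIX)


def in_off_hours(ts: datetime, start_hour: int = 0, end_hour: int = 5) -> bool:
    return start_hour <= ts.hour < end_hour


def exfil_candidates(flows, min_bytes: int = 1_000_000_000) -> list:
    """Sum bytes per (internal source, external destination) and flag pairs
    that are large, started at night, or both. Internal-to-internal traffic
    (backups, file shares) is skipped on purpose."""
    totals = defaultdict(int)
    first_seen = {}
    for ts, src, dst, _port, nbytes in flows:
        if is_internal(src) and not is_internal(dst):
            pair = (src, dst)
            totals[pair] += nbytes
            first_seen.setdefault(pair, datetime.fromisoformat(ts))
    findings = []
    for pair, total in totals.items():
        reasons = []
        if total >= min_bytes:
            reasons.append(f"{total / 1e9:.2f} GB sent out")
        if in_off_hours(first_seen[pair]):
            reasons.append("transfer started between 00:00 and 05:00")
        if reasons:
            findings.append({"src": pair[0], "dst": pair[1], "bytes": total,
                             "first_seen": first_seen[pair].isoformat(), "reasons": reasons})
    return sorted(findings, key=lambda f: -f["bytes"])


if __name__ == "__main__":
    for f in exfil_candidates(FLOWS):
        print(f"{f['src']} -> {f['dst']}: {f['bytes']:,} bytes; " + "; ".join(f["reasons"]))
```

A finding with both reasons is what the scenario describes; a finding with only the size reason at 2 pm is usually a legitimate upload, and the 900 MB evening transfer falls under both thresholds and is silently dropped, which is the trade-off of any fixed cut-off. Pair the output with the AbuseIPDB or VirusTotal lookup from step 3 before deciding anything.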
The Situation: Wazuh fires a medium-severity alert. Someone is trying to guess the SSH password for a Linux server over and over.
I got this Wazuh brute force alert on my SSH server. An IP in Russia tried 47 passwords in 30 seconds. My server is online and I'm worried. Can you: 1. Explain what a brute force attack is 2. Tell me if my server is already compromised 3. Give me beginner-friendly steps to block this attacker 4. Explain what "fail2ban" is and if I need it
Check if they succeeded: In Wazuh, look for an sshd authentication success alert from that same IP shortly after the failed attempts; in the raw auth log the line reads "Accepted password for <user> from <ip>".
Verify with Wireshark: Apply filter tcp.port == 22 and ip.addr == 203.0.113.47 β did any connection stay established?
Block the IP: AI can walk you through blocking an IP on Linux with ufw or on Windows with the firewall.
Long-term fix: Ask AI to explain how to disable password SSH login (PasswordAuthentication no in /etc/ssh/sshd_config, then restart sshd) and use key-based authentication instead.