Wazuh/Ossec for detecting Web App Attacks – Router/Camera Malware Edition

So this past month I have set up the Wazuh fork of OSSEC across my infrastructure and have begun to play with its capabilities. Part of my infrastructure includes web servers, and while reviewing the alert feed I was happy to see some nice detection for web attacks in the Wazuh ruleset. Specifically, the rules I've been looking at are:

rule.id: "31104" "Common web attack."
rule.id: "31515" "PHPMyAdmin scans (looking for setup.php)."
rule.id: "31516" "Suspicious URL access."

These give a good picture of the standard types of attacks against web applications, so I built a dashboard to look specifically at these alerts.

While getting the dashboard together I found a number of similar web requests hitting the server:


The pattern matches up with a known vulnerability in AVTech cameras.


Palo Alto Research

With some help from CyberChef we can extract the parts of the URLs that point to the malware downloaders.

Now we can easily see where the next stage of the attacks is hosted. From there we can see that AVTech and D-Link devices are targeted, so some routers are being hit along with the IP cameras.
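The extraction step above was done by hand in CyberChef. As an added example (not code from the original post), the Python below does the same job over web-server access logs: it parses Apache combined-format lines, percent-decodes each request path (twice, to catch double encoding), pulls out any http(s) URL embedded in it, defangs the result, and groups what it found into the three buckets the IOC section uses (scanning sources, downloader hosts, User-Agent strings). The log lines, IP addresses (RFC 5737 documentation ranges) and file names are all constructed placeholders, not indicators from the post.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed sample access-log lines in Apache "combined" format. They imitate
# the shape of the requests the post describes (a downloader URL carried inside
# the request), but every IP is from the RFC 5737 documentation ranges and every
# path and file name is a placeholder, not a real exploit or malware URL.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Mar/2018:10:01:02 +0000] "GET /cgi-bin/placeholder.cgi?arg=http%3A%2F%2F198.51.100.23%2Fplaceholder-a.sh HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Mar/2018:10:01:09 +0000] "GET /placeholder-router-path?file=http%253A%252F%252F198.51.100.23%252Fplaceholder-b.sh HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.10 - - [05/Mar/2018:10:02:30 +0000] "GET /index.html HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.12 - - [05/Mar/2018:10:03:11 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "curl/7.58.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# An http(s) URL embedded in the request, visible once the path is percent-decoded.
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s\"'<>;&|]*)?")


def parse_access_log(text):
    """Return one dict per well-formed combined-format line; skip anything else."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def extract_embedded_urls(path):
    """Percent-decode the request path (twice, to catch double encoding) and
    return any http(s) URLs found inside it, i.e. the next-stage hosts."""
    decoded = unquote(unquote(path))
    return URL_RE.findall(decoded)


def defang(url):
    """Rewrite a URL so it cannot be clicked or fetched by accident
    (http -> hxxp, dots in the host -> [.])."""
    scheme, rest = url.split("://", 1)
    host, sep, path = rest.partition("/")
    return f"{scheme.replace('http', 'hxxp')}://{host.replace('.', '[.]')}{sep}{path}"


def build_ioc_report(log_text):
    """Group the scanning sources, the hosts serving the downloader scripts and
    the User-Agent strings seen on those requests, the way the IOC section does."""
    scanners = set()
    downloader_hosts = defaultdict(set)
    user_agents = set()
    for entry in parse_access_log(log_text):
        urls = extract_embedded_urls(entry["path"])
        if not urls:
            continue  # ordinary request, nothing embedded in it
        scanners.add(entry["src"])
        user_agents.add(entry["agent"])
        for url in urls:
            downloader_hosts[urlsplit(url).hostname].add(defang(url))
    return {
        "scanners": scanners,
        "downloader_hosts": dict(downloader_hosts),
        "user_agents": user_agents,
    }


if __name__ == "__main__":
    report = build_ioc_report(SAMPLE_LOG)
    print("Scanning infrastructure:", sorted(report["scanners"]))
    for host, urls in sorted(report["downloader_hosts"].items()):
        print("Downloader host:", host, sorted(urls))
    print("User-Agent strings:", sorted(report["user_agents"]))
```

Pointing `build_ioc_report` at a real access log (or at the `full_log` field of the Wazuh alerts from rules 31104/31515/31516) gives the same three lists the post collects by hand, with the URLs already defanged for sharing.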

Looking at those files, we find that they are scripts that download the malware meant to be deployed.

Unfortunately I was unable to get the malware directly, but I was able to track it down via VirusTotal and Hybrid Analysis.

I was able to get a sample of sefa.arm, but I could not get a direct sample of the D-Link malware. So with this data I added signatures for the downloader scripts and borrowed the sigs from ClamAV for blazescan. (Thank you Talos for making it so easy to review the ClamAV sigs!)


Now time for the IOCs

Scanning infrastructure:

User Agent String:

Have questions? Find me on Twitter @laskow26.