Web Server Potential SQL Injection Request

Elastic Detection Rules

Summary
This rule monitors web server access logs from multiple web server integrations to detect potential SQL injection attempts by matching a comprehensive set of payload patterns in URL paths and query strings. It applies case-insensitive wildcard matching to the url.original and url.query fields to identify time-based, error-based, boolean-based, and union-based SQLi techniques across the MySQL, PostgreSQL, MSSQL, and Oracle dialects. Patterns include sleep(), waitfor delay, union select, information_schema queries, extractvalue/updatexml, xp_cmdshell, and other typical SQLi vectors. The rule covers both the scans typical of automated tooling (sqlmap and peers) and manual exploitation attempts that aim to reveal or modify backend data or execute commands. It aggregates events from nginx, apache, apache_tomcat, iis, traefik, and zeek web traffic, querying from now-9m so that detection is near real-time. The rule is rated high severity (risk_score 73), is designed for cross-server web environments, and is published under the Elastic License v2.
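To show how the matching described above behaves on real log lines, here is an added example (not the Elastic rule's own query or code) that applies the summary's payload patterns, grouped by technique, to the url.original part of constructed access-log lines. The percent-decoding step and the combined-log-format parser are assumptions of this example; the rule summary only describes wildcard matching on the raw fields.

```python
import re
from urllib.parse import unquote_plus

# Payload patterns named in the rule summary, grouped by SQLi technique.
# Matching is case-insensitive, mirroring the rule's wildcard matching on
# url.original / url.query.
SQLI_PATTERNS = {
    "time-based": [r"sleep\(", r"waitfor\s+delay"],
    "union-based": [r"union\s+select"],
    "error-based": [r"extractvalue\(", r"updatexml\("],
    "schema-enumeration": [r"information_schema"],
    "command-execution": [r"xp_cmdshell"],
}
COMPILED = {t: [re.compile(p, re.IGNORECASE) for p in pats]
            for t, pats in SQLI_PATTERNS.items()}

# Combined-log-format request line: client IP ... "METHOD url HTTP/x" (assumed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*"')

def classify_url(url_original):
    """Return the set of SQLi techniques whose patterns appear in the URL.

    Both the raw url.original and a percent-decoded copy are checked, so that
    encoded parentheses and '+'-encoded spaces do not hide a pattern (the
    decode step is an addition of this example, not part of the rule summary)."""
    candidates = (url_original, unquote_plus(url_original))
    hits = set()
    for technique, regexes in COMPILED.items():
        if any(rx.search(c) for rx in regexes for c in candidates):
            hits.add(technique)
    return hits

def scan_access_log(lines):
    """Return (client_ip, url, techniques) for each request matching a pattern."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        techniques = classify_url(m.group("url"))
        if techniques:
            alerts.append((m.group("ip"), m.group("url"), sorted(techniques)))
    return alerts

# Constructed sample access-log lines (not real traffic); the last one is a benign
# path that contains the word "sleep" but not the "sleep(" pattern.
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Nov/2025:10:00:01 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Nov/2025:10:00:02 +0000] "GET /products?id=42%20AND%20SLEEP(5) HTTP/1.1" 200 512',
    '203.0.113.5 - - [19/Nov/2025:10:00:03 +0000] "GET /products?id=42+UNION+SELECT+table_name+FROM+information_schema.tables HTTP/1.1" 500 0',
    '198.51.100.9 - - [19/Nov/2025:10:00:04 +0000] "GET /search?q=updatexml%281%2C1%2C1%29 HTTP/1.1" 500 0',
    '198.51.100.9 - - [19/Nov/2025:10:00:05 +0000] "GET /blog/why-we-sleep-better HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, url, techniques in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {url} -> {', '.join(techniques)}")
```

Running it flags three of the five constructed lines and leaves the benign "sleep" path alone, which is the precision the parenthesis in the sleep( pattern buys.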
Categories
  • Web
  • Network
Data Sources
  • Network Traffic
ATT&CK Techniques
  • T1505
  • T1059
  • T1059.004
  • T1071
  • T1595
  • T1595.002
  • T1595.003
  • T1190
Created: 2025-11-19