
Summary
This detection rule identifies potential SQL injection attempts by monitoring for SQL error messages that indicate improperly constructed queries. These messages include common SQL syntax errors such as 'quoted string not properly terminated' and 'You have an error in your SQL syntax', which often result from probing activity aimed at a vulnerable SQL backend. By examining application error logs at the ERROR level and higher, the rule searches for a specific set of keywords that correlate with known errors an attacker may deliberately trigger to learn about the database structure or to test for vulnerabilities. The rule is valuable for early detection of attempted SQL injection, allowing timely defensive measures. Be aware of potential false positives, however, such as benign syntax errors raised by safely handled dynamic SQL queries.
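The following is an added illustration of the matching logic described above, not the rule's own code: it filters constructed application log lines to the ERROR level and above and reports those containing the two error strings named on the page. The log layout, level names and sample messages are assumptions made for the example; real keyword sets are larger.

```python
import re
from dataclasses import dataclass

# Error strings the rule looks for (the two quoted on the page). Matching is
# case-insensitive because database drivers and frameworks vary the casing.
SQLI_ERROR_KEYWORDS = (
    "quoted string not properly terminated",
    "you have an error in your sql syntax",
)

# Severity ranking so that only ERROR and more severe records are considered;
# WARN-level copies of the same text (e.g. retries) are deliberately excluded.
LEVEL_RANK = {"DEBUG": 10, "INFO": 20, "WARN": 30, "WARNING": 30,
              "ERROR": 40, "CRITICAL": 50, "FATAL": 50}

# Assumed log layout: "<date> <time> <LEVEL> <logger> - <message>"
LOG_RE = re.compile(r"^(?P<ts>\S+\s\S+)\s+(?P<level>[A-Z]+)\s+(?P<logger>\S+)\s+-\s+(?P<msg>.*)$")

@dataclass
class Hit:
    timestamp: str
    level: str
    keyword: str
    message: str

def parse_line(line: str):
    """Return the fields of one log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def match_sqli_errors(lines, min_level: str = "ERROR"):
    """Return one Hit per log record at or above min_level whose message
    contains a known SQL syntax error string."""
    threshold = LEVEL_RANK[min_level]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a production pipeline would count these
        if LEVEL_RANK.get(rec["level"], 0) < threshold:
            continue
        lowered = rec["msg"].lower()
        for kw in SQLI_ERROR_KEYWORDS:
            if kw in lowered:
                hits.append(Hit(rec["ts"], rec["level"], kw, rec["msg"]))
                break  # one hit per record even if several keywords appear
    return hits

# Constructed sample log; lines 1 and 3 should match, the WARN line should not.
SAMPLE_LOG = [
    "2017-11-27 10:01:02 ERROR app.db - ORA-01756: quoted string not properly terminated",
    "2017-11-27 10:01:03 INFO app.web - GET /search?q=shoes 200",
    "2017-11-27 10:01:04 ERROR app.db - You have an error in your SQL syntax; check the manual",
    "2017-11-27 10:01:05 WARN app.db - You have an error in your SQL syntax (retrying)",
    "2017-11-27 10:01:06 FATAL app.db - connection pool exhausted",
    "not a log line",
]
```

Running `match_sqli_errors(SAMPLE_LOG)` yields two hits; lowering `min_level` to `"WARN"` adds the retry line, which is the kind of benign record the summary warns can produce false positives.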
Categories
- Web
- Application
- Database
Data Sources
- Application Log
Created: 2017-11-27