Skip to content

[New Rule] Web Server Potential SQL Injection Request #5342

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 16 commits into
base: main
Choose a base branch
from
+124 −0
Open

[New Rule] Web Server Potential SQL Injection Request #5342

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
61bb69b
[New Rule] Web Server Potential SQL Injection Request
Aegrah Nov 19, 2025
2392fc0
++
Aegrah Nov 19, 2025
60e5264
Update persistence_web_server_potential_sql_injection.toml
Aegrah Nov 24, 2025
43c7258
Convert to BBR
Aegrah Nov 24, 2025
79ebb58
Update persistence_web_server_potential_sql_injection.toml
Aegrah Nov 24, 2025
93be535
Update persistence_web_server_potential_sql_injection.toml
Aegrah Nov 24, 2025
dd48a35
Merge branch 'main' into new-rule-potential-sqi-payload
terrancedejesus Nov 24, 2025
90e2739
Merge branch 'main' into new-rule-potential-sqi-payload
terrancedejesus Nov 24, 2025
ab08249
adding missing tags
terrancedejesus Nov 24, 2025
9aface7
Merge branch 'main' into new-rule-potential-sqi-payload
terrancedejesus Nov 24, 2025
bdbb57c
Merge branch 'main' into new-rule-potential-sqi-payload
terrancedejesus Nov 24, 2025
90ccbee
Add right tag
shashank-elastic Nov 24, 2025
8782ba2
Merge branch 'main' into new-rule-potential-sqi-payload
shashank-elastic Nov 24, 2025
0a3ad36
Add network_traffic manifest and schema
shashank-elastic Nov 24, 2025
a4d29db
Merge branch 'main' into new-rule-potential-sqi-payload
terrancedejesus Nov 24, 2025
7ab5a14
Refine SQL injection rule and log sources
Aegrah Dec 1, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file modified detection_rules/etc/integration-manifests.json.gz
View file
Open in desktop
Binary file not shown.
Binary file modified detection_rules/etc/integration-schemas.json.gz
View file
Open in desktop
Binary file not shown.
124 changes: 124 additions & 0 deletions rules_building_block/persistence_web_server_potential_sql_injection.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,124 @@
[metadata]
bypass_bbr_timing = true
creation_date = "2025/11/19"
integration = ["nginx", "apache", "apache_tomcat", "iis"]
maturity = "production"
updated_date = "2025/11/19"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
This rule detects potential SQL injection attempts in web server requests by identifying common SQL injection patterns
in URLs. Such activity may indicate reconnaissance or exploitation attempts by attackers trying to manipulate backend
databases or extract sensitive information.
"""
from = "now-9m"
index = [
"logs-nginx.access-*",
"logs-apache.access-*",
"logs-apache_tomcat.access-*",
"logs-iis.access-*"
]
interval = "10m"
language = "eql"
license = "Elastic License v2"
name = "Web Server Potential SQL Injection Request"
risk_score = 21
rule_id = "7f7a0ee1-7b6f-466a-85b4-110fb105f5e2"
severity = "low"
tags = [
"Domain: Web",
"Use Case: Threat Detection",
"Tactic: Reconnaissance",
"Tactic: Credential Access",
"Tactic: Persistence",
"Tactic: Execution",
"Tactic: Command and Control",
"Data Source: Nginx",
"Data Source: Apache",
"Data Source: Apache Tomcat",
"Data Source: IIS",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "eql"
query = '''
any where url.original like~ (
"*%20order%20by%*", "*dbms_pipe.receive_message%28chr%*", "*waitfor%20delay%20*", "*%28select%20*from%20pg_sleep%285*", "*%28select%28sleep%285*", "*%3bselect%20pg_sleep%285*",
"*select%20concat%28concat*", "*xp_cmdshell*", "*select*case*when*", "*and*extractvalue*select*", "*from*information_schema.tables*", "*boolean*mode*having*", "*extractvalue*concat*",
"*case*when*sleep*", "*select*sleep*", "*dbms_lock.sleep*", "*and*sleep*", "*like*sleep*", "*csleep*", "*pgsleep*", "*char*char*char*", "*union*select*", "*concat*select*",
"*select*else*drop*", "*having*like*", "*case*else*end*", "*if*sleep*", "*where*and*select*", "*or*1=1*", "*\"1\"=\"1\"*", "*or*'a'='a*", "*into*outfile*", "*pga_sleep*",
"*into%20outfile*", "*into*dumpfile*", "*load_file%28*", "*load%5ffile%28*", "*cast%28*", "*convert%28*", "*cast%28%*", "*convert%28%*", "*@@version*", "*@@version_comment*",
"*version%28*", "*user%28*", "*current_user%28*", "*database%28*", "*schema_name%28*", "*information_schema.columns*", "*information_schema.columns*", "*table_schema*",
"*column_name*", "*dbms_pipe*", "*dbms_lock%2e*sleep*", "*dbms_lock.sleep*", "*sp_executesql*", "*sp_executesql*", "*load%20data*", "*information_schema*", "*pg_slp*",
"*information_schema.tables*"
)
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1505"
name = "Server Software Component"
reference = "https://attack.mitre.org/techniques/T1505/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.004"
name = "Unix Shell"
reference = "https://attack.mitre.org/techniques/T1059/004/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1071"
name = "Application Layer Protocol"
reference = "https://attack.mitre.org/techniques/T1071/"

[rule.threat.tactic]
id = "TA0011"
name = "Command and Control"
reference = "https://attack.mitre.org/tactics/TA0011/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1595"
name = "Active Scanning"
reference = "https://attack.mitre.org/techniques/T1595/"

[[rule.threat.technique.subtechnique]]
id = "T1595.002"
name = "Vulnerability Scanning"
reference = "https://attack.mitre.org/techniques/T1595/002/"

[[rule.threat.technique.subtechnique]]
id = "T1595.003"
name = "Wordlist Scanning"
reference = "https://attack.mitre.org/techniques/T1595/003/"

[rule.threat.tactic]
id = "TA0043"
name = "Reconnaissance"
reference = "https://attack.mitre.org/tactics/TA0043/"
Loading