SigmaHQ/rules/application/app_sqlinjection_errors.yml

title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
modified: 2020/09/01
references:
    - http://www.sqlinjection.net/errors
logsource:
    category: application
    product: sql
detection:
    keywords:
        # Oracle
        - quoted string not properly terminated
        # MySQL
        - You have an error in your SQL syntax
        # SQL Server
        - Unclosed quotation mark
        # SQLite
        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
falsepositives:
    - Application bugs
level: high
tags:
    - attack.initial_access
    - attack.t1190
SQL Injection error message patterns Rule file that detects error messages from different DB providers that would occur during SQL Injection probing 2017-11-27 21:52:17 +00:00			`title: Suspicious SQL Error Messages`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 8a670c6d-7189-4b1c-8017-a417ca84a086`
Cleanup 2017-12-07 15:21:02 +00:00			`status: experimental`
SQL Injection error message patterns Rule file that detects error messages from different DB providers that would occur during SQL Injection probing 2017-11-27 21:52:17 +00:00			`description: Detects SQL error messages that indicate probing for an injection attack`
			`author: Bjoern Kimminich`
fix: fixed missing date fields in other files 2020-01-30 14:32:39 +00:00			`date: 2017/11/27`
att&ck tags review: application, apt, cloud, generic, proxy 2020-09-03 14:16:47 +00:00			`modified: 2020/09/01`
Change All "str" references to be "list"to mach schema update 2018-01-27 23:24:16 +00:00			`references:`
			`- http://www.sqlinjection.net/errors`
SQL Injection error message patterns Rule file that detects error messages from different DB providers that would occur during SQL Injection probing 2017-11-27 21:52:17 +00:00			`logsource:`
			`category: application`
			`product: sql`
			`detection:`
			`keywords:`
			`# Oracle`
			`- quoted string not properly terminated`
			`# MySQL`
			`- You have an error in your SQL syntax`
			`# SQL Server`
			`- Unclosed quotation mark`
			`# SQLite`
Fixes for Elasticsearch query correctness CI tests * Quoting in rule * Reading queries without special processing of backslashes Unfortunately, backslashes still cause breaks caused by Bash handling of them. 2018-04-09 20:33:29 +00:00			`- 'near "*": syntax error'`
SQL Injection error message patterns Rule file that detects error messages from different DB providers that would occur during SQL Injection probing 2017-11-27 21:52:17 +00:00			`- SELECTs to the left and right of UNION do not have the same number of result columns`
			`condition: keywords`
			`falsepositives:`
			`- Application bugs`
			`level: high`
Fixed my git issue 2020-09-14 04:03:04 +00:00			`tags:`
			`- attack.initial_access`
			`- attack.t1190`