SigmaHQ/rules/application/app_sqlinjection_errors.yml
2020-01-30 15:32:39 +01:00

27 lines
764 B
YAML

title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
date: 2017/11/27
references:
- http://www.sqlinjection.net/errors
logsource:
category: application
product: sql
detection:
keywords:
# Oracle
- quoted string not properly terminated
# MySQL
- You have an error in your SQL syntax
# SQL Server
- Unclosed quotation mark
# SQLite
- 'near "*": syntax error'
- SELECTs to the left and right of UNION do not have the same number of result columns
condition: keywords
falsepositives:
- Application bugs
level: high