sigma-rule-template.yml

title: SQL Injection Detection in Web Access Logs
id: a1b2c3d4-e5f6-7890-abcd-ef1234567890
status: test
description: >
  Detects common SQL injection patterns in HTTP access log request URIs.
  Matches keywords and syntax fragments typically used in automated and manual
  SQL injection attacks against web application input parameters.
author: Baobab Bay Lodge Security Assessment
date: 2024/01/15
references:
  - https://attack.mitre.org/techniques/T1190/
  - https://owasp.org/Top10/A03_2021-Injection/
tags:
  - attack.t1190
  - attack.initial_access
logsource:
  category: webserver
  product: access_log
detection:
  selection_union:
    request_uri|contains:
      - "UNION SELECT"
      - "UNION%20SELECT"
      - "union+select"
      - "union%20select"
  selection_boolean:
    request_uri|contains:
      - "OR 1=1"
      - "OR%201%3D1"
      - "or+1%3d1"
      - "' OR '"
      - "%27+OR+%27"
      - "' or '"
  selection_comment:
    request_uri|contains:
      - "--"
      - "%2D%2D"
      - "#"
      - "%23"
  selection_encoding:
    request_uri|contains:
      - "%27"
      - "%22"
      - "\\x27"
      - "\\x22"
  condition: selection_union or selection_boolean or (selection_comment and selection_encoding)
fields:
  - request_uri
  - source_ip
  - http_method
  - http_status
falsepositives:
  - Legitimate queries containing SQL-like keywords (e.g., booking searches for items with "OR" or "SELECT" in their names)
  - Web application frameworks that use SQL-like syntax in URL parameters
  - Automated health checks or monitoring tools with encoded characters in URLs
level: medium
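To see what the condition above actually fires on, here is an added example (not part of the template) that evaluates the rule's selections and condition over constructed Apache/nginx combined-format access-log lines; the log format, the `parse_access_log` helper and the sample traffic are assumptions, the selection values are copied from the rule.

```python
import re

# Selections copied from the rule. Sigma's `contains` modifier matches
# substrings case-insensitively unless `cased` is added, so the rule's
# upper- and lower-case variants collapse to one pattern each here.
SELECTIONS = {
    "selection_union": ["UNION SELECT", "UNION%20SELECT", "union+select"],
    "selection_boolean": ["OR 1=1", "OR%201%3D1", "or+1%3d1", "' OR '", "%27+OR+%27"],
    "selection_comment": ["--", "%2D%2D", "#", "%23"],
    "selection_encoding": ["%27", "%22", "\\x27", "\\x22"],
}

# Assumed combined log format: ip ident user [time] "method uri proto" status bytes
LOG_RE = re.compile(
    r'^(?P<source_ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<http_method>\S+) (?P<request_uri>\S+) [^"]*" (?P<http_status>\d{3})'
)

def parse_access_log(line):
    """Return the rule's `fields` for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def selection_hits(request_uri):
    """Per-selection result: a list of values under one field is an OR in Sigma."""
    uri = request_uri.lower()
    return {name: any(v.lower() in uri for v in vals) for name, vals in SELECTIONS.items()}

def rule_matches(event):
    """condition: selection_union or selection_boolean or (selection_comment and selection_encoding)"""
    s = selection_hits(event["request_uri"])
    return s["selection_union"] or s["selection_boolean"] or (
        s["selection_comment"] and s["selection_encoding"])

# Constructed sample lines (not real traffic); the 4th is a benign slug that
# still trips `selection_comment and selection_encoding`, as falsepositives warns.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Jan/2024:10:00:01 +0000] "GET /rooms?id=3 HTTP/1.1" 200 5120
203.0.113.11 - - [15/Jan/2024:10:00:02 +0000] "GET /rooms?id=3%27+UNION+SELECT+1--+ HTTP/1.1" 500 312
203.0.113.12 - - [15/Jan/2024:10:00:03 +0000] "GET /login?user=admin%27+OR+%271%27%3D%271 HTTP/1.1" 200 1480
203.0.113.13 - - [15/Jan/2024:10:00:04 +0000] "GET /blog/tips--what%27s-new-in-2024 HTTP/1.1" 200 9021
203.0.113.14 - - [15/Jan/2024:10:00:05 +0000] "GET /search?q=select+room HTTP/1.1" 200 2201
"""

def alerts(log_text):
    """Events that satisfy the condition, reduced to the rule's `fields`."""
    return [ev for ev in map(parse_access_log, log_text.splitlines()) if ev and rule_matches(ev)]

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(a)
```

The fifth line shows why a bare `select` keyword is not enough to alert, while the fourth shows the false positive the rule's own `falsepositives` section describes.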