rules/application/app_sqlinjection_errors.yml

title: Suspicious SQL Error Messages
status: experimental
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
references:
    - http://www.sqlinjection.net/errors
logsource:
    category: application
    product: sql
detection:
    keywords:
        # Oracle
        - quoted string not properly terminated
        # MySQL
        - You have an error in your SQL syntax
        # SQL Server
        - Unclosed quotation mark
        # SQLite
        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
falsepositives:
    - Application bugs
level: high
SQL Injection error message patterns 2017-11-27 22:52:17 +01:00			`title: Suspicious SQL Error Messages`
Cleanup 2017-12-07 16:21:02 +01:00			`status: experimental`
SQL Injection error message patterns 2017-11-27 22:52:17 +01:00			`description: Detects SQL error messages that indicate probing for an injection attack`
			`author: Bjoern Kimminich`
Change All "str" references to be "list"to mach schema update 2018-01-28 02:24:16 +03:00			`references:`
			`- http://www.sqlinjection.net/errors`
SQL Injection error message patterns 2017-11-27 22:52:17 +01:00			`logsource:`
			`category: application`
			`product: sql`
			`detection:`
			`keywords:`
			`# Oracle`
			`- quoted string not properly terminated`
			`# MySQL`
			`- You have an error in your SQL syntax`
			`# SQL Server`
			`- Unclosed quotation mark`
			`# SQLite`
Fixes for Elasticsearch query correctness CI tests 2018-04-09 22:33:29 +02:00			`- 'near "*": syntax error'`
SQL Injection error message patterns 2017-11-27 22:52:17 +01:00			`- SELECTs to the left and right of UNION do not have the same number of result columns`
			`condition: keywords`
			`falsepositives:`
			`- Application bugs`
			`level: high`