From dbfd439ce415b90ca71af587fc6d8b69ce75e7d6 Mon Sep 17 00:00:00 2001
From: phantinuss <79651203+phantinuss@users.noreply.github.com>
Date: Mon, 25 Jul 2022 11:27:19 +0200
Subject: [PATCH] fix: too many FPs

with e.g. =select-billing-address and many more
---
 rules/web/web_sql_injection_in_access_logs.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/rules/web/web_sql_injection_in_access_logs.yml b/rules/web/web_sql_injection_in_access_logs.yml
index f7767e58f..45318e277 100644
--- a/rules/web/web_sql_injection_in_access_logs.yml
+++ b/rules/web/web_sql_injection_in_access_logs.yml
@@ -4,7 +4,7 @@ status: test
 description: Detects SQL Injection attempts via GET requests in access logs
 author: Saw Win Naung, Nasreddine Bencherchali
 date: 2020/02/22
-modified: 2022/06/27
+modified: 2022/07/25
 references:
     - https://www.acunetix.com/blog/articles/exploiting-sql-injection-example/
     - https://www.acunetix.com/blog/articles/using-logs-to-investigate-a-web-application-attack/
@@ -16,7 +16,9 @@ detection:
     select_method:
         cs-method: 'GET'
     keywords:
-        - '=select'
+        - '=select '
+        - '=select%20'
+        - '=select('
         - 'UNION SELECT'
         - 'UNION%20SELECT'
         - 'UNION ALL SELECT'
@@ -38,8 +40,6 @@ detection:
         - 'or%201=1#'
     filter:
         sc-status: 404
-    filter_fps:
-        - '=select2'
     condition: select_method and keywords and not 1 of filter*
 fields:
     - client_ip