SQL Traffic to the Internet
This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.
Elastic rule (View on GitHub)
1[metadata]
2creation_date = "2020/02/18"
3deprecation_date = "2021/04/15"
4maturity = "deprecated"
5updated_date = "2021/04/15"
6
7[rule]
8author = ["Elastic"]
9description = """
10This rule detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet.
11Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to
12gain initial access to network resources.
13"""
14false_positives = [
15 """
16 Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed
17 web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be
18 excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and
19 database instances are accessed directly across the Internet.
20 """,
21]
22from = "now-9m"
23index = ["filebeat-*", "packetbeat-*", "logs-endpoint.events.*"]
24language = "kuery"
25license = "Elastic License v2"
26name = "SQL Traffic to the Internet"
27risk_score = 47
28rule_id = "139c7458-566a-410c-a5cd-f80238d6a5cd"
29severity = "medium"
30tags = ["Elastic", "Host", "Network", "Threat Detection", "Command and Control"]
31timestamp_override = "event.ingested"
32type = "query"
33
34query = '''
35event.category:(network or network_traffic) and network.transport:tcp and (destination.port:(1433 or 1521 or 3306 or 5432) or event.dataset:zeek.mysql) and
36 source.ip:(
37 10.0.0.0/8 or
38 172.16.0.0/12 or
39 192.168.0.0/16
40 ) and
41 not destination.ip:(
42 10.0.0.0/8 or
43 127.0.0.0/8 or
44 169.254.0.0/16 or
45 172.16.0.0/12 or
46 192.168.0.0/16 or
47 224.0.0.0/4 or
48 "::1" or
49 "FE80::/10" or
50 "FF00::/8"
51 )
52'''
53
54
55[[rule.threat]]
56framework = "MITRE ATT&CK"
57
58[rule.threat.tactic]
59id = "TA0011"
60name = "Command and Control"
61reference = "https://attack.mitre.org/tactics/TA0011/"
Related rules
- FTP (File Transfer Protocol) Activity to the Internet
- IRC (Internet Relay Chat) Protocol Activity to the Internet
- PPTP (Point to Point Tunneling Protocol) Activity
- Proxy Port Activity to the Internet
- SMTP to the Internet