Web Application Suspicious Activity: sqlmap User Agent

This rule is an example of how to detect an unwanted web client by its User-Agent header. The query matches the default User-Agent string sent by sqlmap 1.3.11, a popular FOSS tool for testing web applications for SQL injection vulnerabilities. Note that the match is an exact string comparison pinned to that one version: a different sqlmap release, or a run where the operator overrides the header (sqlmap's `--user-agent` and `--random-agent` options), will not trigger it. A hit therefore confirms only that a client announced itself as sqlmap, not that an injection succeeded, and a miss does not prove sqlmap was absent.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap
1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
"""
false_positives = [
    """
    This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security
    scans and tests may result in these errors. If the source is not an authorized security tester, this is generally
    suspicious or malicious activity.
    """,
]
index = ["apm-*-transaction*", "traces-apm*"]
language = "kuery"
license = "Elastic License v2"
name = "Web Application Suspicious Activity: sqlmap User Agent"
references = ["http://sqlmap.org/"]
risk_score = 47
rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
severity = "medium"
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"

query = '''
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
'''

References

http://sqlmap.org/ (sqlmap project site, as listed in the rule's references)