Web Application Suspicious Activity: sqlmap User Agent

May 22, 2024 · Data Source: APM ·

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Elastic rule (View on GitHub)

 1[metadata]
 2creation_date = "2020/02/18"
 3integration = ["apm"]
 4maturity = "production"
 5updated_date = "2024/05/21"
 6
 7[rule]
 8author = ["Elastic"]
 9description = """
10This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap
111.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
12"""
13false_positives = [
14    """
15    This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security
16    scans and tests may result in these errors. If the source is not an authorized security tester, this is generally
17    suspicious or malicious activity.
18    """,
19]
20index = ["apm-*-transaction*", "traces-apm*"]
21language = "kuery"
22license = "Elastic License v2"
23name = "Web Application Suspicious Activity: sqlmap User Agent"
24references = ["http://sqlmap.org/"]
25risk_score = 47
26rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
27severity = "medium"
28tags = ["Data Source: APM"]
29timestamp_override = "event.ingested"
30type = "query"
31
32query = '''
33user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
34'''

References

sqlmap: automatic SQL injection and database takeover tool

Introduction sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. It comes with a powerf...

Read More

Web Application Suspicious Activity: sqlmap User Agent

Elastic rule (View on GitHub)

References

sqlmap: automatic SQL injection and database takeover tool

Related rules