Web Application Suspicious Activity: sqlmap User Agent

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Elastic rule

[metadata]
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap
1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
"""
false_positives = [
    """
    This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security
    scans and tests may result in these errors. If the source is not an authorized security tester, this is generally
    suspicious or malicious activity.
    """,
]
index = ["apm-*-transaction*", "traces-apm*"]
language = "kuery"
license = "Elastic License v2"
name = "Web Application Suspicious Activity: sqlmap User Agent"
references = ["http://sqlmap.org/"]
risk_score = 47
rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
severity = "medium"
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"

query = '''
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
'''
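The following is an added illustration, not code from the Elastic rule or its repository. It replays the rule's KQL match, user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)", over a handful of constructed APM-style transaction events, so you can see which events the rule alerts on and which it silently ignores (a different sqlmap version, a case change, a missing field). It then goes one step beyond the rule with a version-agnostic prefix check that a defender could run as a separate, broader rule; that second predicate, the flattened field names, the sample events and the IP addresses are all assumptions made for this example.

```python
"""Replay of the Elastic 'sqlmap User Agent' rule logic over constructed events.

Added example; not part of the Elastic detection-rules repository. Field names
are written flattened ("user_agent.original") for readability, which is a
simplification of the nested APM documents the rule actually queries.
"""

import re

# Exact value from the rule's query. A quoted KQL value on a keyword-family
# field is compared against the whole field value, case-sensitively; it is
# not a substring or case-insensitive match.
SQLMAP_1_3_11_UA = "sqlmap/1.3.11#stable (http://sqlmap.org)"

# Constructed sample events (RFC 5737 documentation addresses, made-up
# timestamps). None of these were captured from a real system.
SAMPLE_EVENTS = [
    {"@timestamp": "2023-06-22T10:00:01Z", "source.ip": "203.0.113.10",
     "user_agent.original": "sqlmap/1.3.11#stable (http://sqlmap.org)"},
    {"@timestamp": "2023-06-22T10:00:02Z", "source.ip": "198.51.100.7",
     # Newer release: the rule's exact match does NOT fire on this.
     "user_agent.original": "sqlmap/1.7.2#stable (https://sqlmap.org)"},
    {"@timestamp": "2023-06-22T10:00:03Z", "source.ip": "192.0.2.44",
     "user_agent.original": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"},
    {"@timestamp": "2023-06-22T10:00:04Z", "source.ip": "192.0.2.45",
     # Client sent no User-Agent header at all; field is absent/null.
     "user_agent.original": None},
]


def matches_elastic_rule(event):
    """Equivalent of the rule's KQL: whole-value, case-sensitive equality."""
    return event.get("user_agent.original") == SQLMAP_1_3_11_UA


# Assumed generalisation, not in the Elastic rule: match any sqlmap version
# string of the form "sqlmap/<digits[.digits...]>" at the start of the value.
SQLMAP_ANY_VERSION = re.compile(r"^sqlmap/\d+(?:\.\d+)*")


def matches_any_sqlmap_version(event):
    """Broader check a defender might deploy as a separate rule."""
    ua = event.get("user_agent.original")
    return bool(ua) and SQLMAP_ANY_VERSION.match(ua) is not None


def run_rule(events, predicate):
    """Return one alert record per event the predicate matches.

    Mirrors what a 'query' rule does: every matching document produces an
    alert carrying the fields an analyst needs to pivot on.
    """
    return [
        {
            "rule": predicate.__name__,
            "source.ip": event["source.ip"],
            "user_agent.original": event["user_agent.original"],
            "@timestamp": event["@timestamp"],
        }
        for event in events
        if predicate(event)
    ]


if __name__ == "__main__":
    for predicate in (matches_elastic_rule, matches_any_sqlmap_version):
        for alert in run_rule(SAMPLE_EVENTS, predicate):
            print(alert)
```

Running the script shows the exact-match rule alerting only on the 1.3.11 event, while the assumed prefix check also catches the 1.7.2 event. The rule's own false_positives note still applies to both: a hit says the tool was used, not that an injection succeeded, and authorized testers will trigger it.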
