Web Application Suspicious Activity: sqlmap User Agent
This rule is an example of how to detect an unwanted web client by its user agent. The query matches the exact default user agent string sent by sqlmap 1.3.11, a popular FOSS tool for finding and exploiting SQL injection vulnerabilities in web applications. Because the match is on the full, version-specific string, other sqlmap versions, and any sqlmap run that overrides its user agent (for example with --user-agent or --random-agent), will not trigger it. A hit therefore means an unmodified sqlmap client touched the application; it does not mean an injection succeeded.
Elastic rule (View on GitHub)
[metadata]
creation_date = "2020/02/18"
integration = ["apm"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap
1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
"""
false_positives = [
    """
    This rule does not indicate that a SQL injection attack occurred, only that the `sqlmap` tool was used. Security
    scans and tests may result in these errors. If the source is not an authorized security tester, this is generally
    suspicious or malicious activity.
    """,
]
index = ["apm-*-transaction*", "traces-apm*"]
language = "kuery"
license = "Elastic License v2"
name = "Web Application Suspicious Activity: sqlmap User Agent"
references = ["http://sqlmap.org/"]
risk_score = 47
rule_id = "d49cc73f-7a16-4def-89ce-9fc7127d7820"
severity = "medium"
tags = ["Data Source: APM"]
timestamp_override = "event.ingested"
type = "query"

query = '''
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
'''
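The following is an added example, not part of the Elastic rule or of sqlmap, that runs the rule's exact-match logic over a handful of constructed ECS-style documents and sets it beside a version-agnostic variant. It shows what the query catches (only the 1.3.11 default string), what a broader match would add (any unmodified sqlmap build), and what neither can see (sqlmap with a browser user agent). The document shapes, IP addresses, paths and the sqlmap version strings other than 1.3.11 are constructed for illustration, and the `SQLMAP_UA_RE` pattern is an assumption about sqlmap's default user agent layout rather than anything the rule ships with.

```python
import re

# The exact User-Agent string the Elastic rule's KQL query matches.
RULE_USER_AGENT = "sqlmap/1.3.11#stable (http://sqlmap.org)"

# Assumption (not part of the Elastic rule): sqlmap's default User-Agent has the
# shape "sqlmap/<version>#<build> (<sqlmap url>)", so a version-agnostic pattern
# catches any unmodified sqlmap build, not only 1.3.11.
SQLMAP_UA_RE = re.compile(r"^sqlmap/\d+(?:\.\d+)+#[a-z]+ \(https?://sqlmap\.org\)$")

# Constructed sample documents shaped like ECS fields in APM transactions
# (user_agent.original, source.ip, url.path). Not real traffic.
SAMPLE_DOCS = [
    {"source": {"ip": "203.0.113.10"}, "url": {"path": "/login"},
     "user_agent": {"original": "sqlmap/1.3.11#stable (http://sqlmap.org)"}},
    {"source": {"ip": "203.0.113.11"}, "url": {"path": "/search"},
     "user_agent": {"original": "sqlmap/1.7.2#stable (http://sqlmap.org)"}},
    {"source": {"ip": "203.0.113.12"}, "url": {"path": "/api/items"},
     "user_agent": {"original": "sqlmap/1.8.4.2#dev (https://sqlmap.org)"}},
    {"source": {"ip": "198.51.100.5"}, "url": {"path": "/"},
     "user_agent": {"original": "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"}},
    # sqlmap run with --random-agent: the User-Agent is a browser string, so
    # no user-agent rule fires even though the query string is an injection probe.
    {"source": {"ip": "203.0.113.13"},
     "url": {"path": "/login", "query": "user=a'%20OR%201%3D1--"},
     "user_agent": {"original": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0"}},
    # Document with no user_agent block at all (client sent no User-Agent header).
    {"source": {"ip": "198.51.100.6"}, "url": {"path": "/health"}},
]


def user_agent_of(doc):
    """Return user_agent.original, or None when the field is absent."""
    return doc.get("user_agent", {}).get("original")


def matches_rule(doc):
    """Exact-match semantics of the rule query: one sqlmap version string only."""
    return user_agent_of(doc) == RULE_USER_AGENT


def matches_any_sqlmap(doc):
    """Version-agnostic variant: any unmodified sqlmap default User-Agent."""
    ua = user_agent_of(doc)
    return ua is not None and SQLMAP_UA_RE.match(ua) is not None


def run_detection(docs, matcher):
    """Apply a matcher to each document and return (source.ip, url.path) hits."""
    return [(d["source"]["ip"], d["url"]["path"]) for d in docs if matcher(d)]


if __name__ == "__main__":
    for name, matcher in (("rule (exact 1.3.11)", matches_rule),
                          ("any sqlmap version", matches_any_sqlmap)):
        hits = run_detection(SAMPLE_DOCS, matcher)
        print(f"{name}: {len(hits)} hit(s)")
        for ip, path in hits:
            print(f"  {ip} -> {path}")
```

Run as written, the rule matcher reports a single hit while the version-agnostic matcher reports three; the fifth document, with its browser user agent and injection-looking query string, is missed by both, which is the gap to keep in mind when tuning this rule. If the broader behaviour is wanted in Kibana, a KQL wildcard such as `user_agent.original:sqlmap*` (assuming the field is mapped as keyword) would cover other sqlmap versions, at the cost of the precision the exact string gives.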
References
- http://sqlmap.org/
Related rules
- Web Application Suspicious Activity: POST Request Declined
- Web Application Suspicious Activity: Unauthorized Method