Suspicious SQL Error Messages

Feb 15, 2023 · attack.initial_access attack.t1190 ·

Detects SQL error messages that indicate probing for an injection attack

Sigma rule (View on GitHub)

 1title: Suspicious SQL Error Messages
 2id: 8a670c6d-7189-4b1c-8017-a417ca84a086
 3status: test
 4description: Detects SQL error messages that indicate probing for an injection attack
 5references:
 6    - http://www.sqlinjection.net/errors
 7author: Bjoern Kimminich
 8date: 2017/11/27
 9modified: 2023/02/12
10tags:
11    - attack.initial_access
12    - attack.t1190
13logsource:
14    category: application
15    product: sql
16    definition: 'Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)'
17detection:
18    keywords:
19        # Oracle
20        - quoted string not properly terminated
21        # MySQL
22        - You have an error in your SQL syntax
23        # SQL Server
24        - Unclosed quotation mark
25        # SQLite
26        - 'near "*": syntax error'
27        - SELECTs to the left and right of UNION do not have the same number of result columns
28    condition: keywords
29falsepositives:
30    - A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.
31level: high

References

Using Database Errors for SQL Injection Attacks

Information leaked by errors, especially database errors, can help an attacker to achieve a successful SQL injection attack. They help crafting

Read More

Suspicious SQL Error Messages

Sigma rule (View on GitHub)

References

Using Database Errors for SQL Injection Attacks

Related rules