Techniques
Sample rules
SQL Injection Strings In URI
- source: sigma
- techniques:
  - t1190
Description
Detects potential SQL injection attempts via GET requests in access logs.
Detection logic
condition: selection and keywords and not 1 of filter_main_*
filter_main_status:
  sc-status: 404
keywords:
- '@@version'
- '%271%27%3D%271'
- '=select '
- =select(
- =select%20
- concat_ws(
- CONCAT(0x
- from mysql.innodb_table_stats
- from%20mysql.innodb_table_stats
- group_concat(
- information_schema.tables
- json_arrayagg(
- or 1=1#
- or%201=1#
- 'order by '
- order%20by%20
- 'select * '
- select database()
- select version()
- select%20*%20
- select%20database()
- select%20version()
- select%28sleep%2810%29
- SELECTCHAR(
- table_schema
- UNION ALL SELECT
- UNION SELECT
- UNION%20ALL%20SELECT
- UNION%20SELECT
- '''1''=''1'
selection:
  cs-method: GET
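
The rule's condition evaluated over a few access-log lines, as an added example that is not part of the Sigma rule or the original page. The space-separated log layout, the sample lines and the function names are constructed for illustration, and only a subset of the keyword list is included.

```python
# Added example: evaluates the rule's condition over constructed log lines.
# Assumed layout (not from the page): space-separated W3C-style fields.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Subset of the rule's keyword list, copied from the page.
KEYWORDS = [
    "@@version", "%271%27%3D%271", "=select%20", "information_schema.tables",
    "or%201=1#", "order%20by%20", "select%20version()", "table_schema",
    "UNION%20ALL%20SELECT", "UNION%20SELECT",
]

def parse_line(line):
    """Return a field dict, or None if the line does not fit the assumed layout."""
    values = line.split()
    return dict(zip(FIELDS, values)) if len(values) == len(FIELDS) else None

def matches_rule(event, raw):
    """condition: selection and keywords and not 1 of filter_main_*"""
    selection = event["cs-method"].upper() == "GET"
    # Sigma keywords are unanchored, case-insensitive matches on the whole event.
    keywords = any(k.lower() in raw.lower() for k in KEYWORDS)
    filter_main_status = event["sc-status"] == "404"
    return selection and keywords and not filter_main_status

def scan(lines):
    """Return the request URIs of all lines that trigger the rule."""
    hits = []
    for raw in lines:
        event = parse_line(raw)
        if event and matches_rule(event, raw):
            hits.append(event["cs-uri-stem"] + "?" + event["cs-uri-query"])
    return hits

# Constructed sample log (documentation IP range, made-up paths).
SAMPLE_LOG = [
    "2024-01-01 10:00:00 192.0.2.10 GET /products.php id=1%20UNION%20SELECT%201,2 200",
    "2024-01-01 10:00:01 192.0.2.10 GET /missing.php id=1%20UNION%20SELECT%201,2 404",   # dropped by filter_main_status
    "2024-01-01 10:00:02 192.0.2.10 POST /products.php id=1%20UNION%20SELECT%201,2 200", # selection fails: not a GET
    "2024-01-01 10:00:03 192.0.2.11 GET /search.php q=garden%20chairs 200",              # no keyword present
    "2024-01-01 10:00:04 192.0.2.12 GET /item.php id=5%20order%20by%203 500",
]

if __name__ == "__main__":
    for uri in scan(SAMPLE_LOG):
        print("ALERT", uri)
```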