Web Application Suspicious Activity: sqlmap User Agent
editWeb Application Suspicious Activity: sqlmap User Agent
editThis is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
Rule type: query
Rule indices:
- apm--transaction
- traces-apm*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: None (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- APM
Version: 101
Rule authors:
- Elastic
Rule license: Elastic License v2
Rule query
edituser_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"