Web Application Suspicious Activity: sqlmap User Agent
editWeb Application Suspicious Activity: sqlmap User Agent
editThis is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.
Rule type: query
Rule indices:
- apm--transaction
- traces-apm*
Severity: medium
Risk score: 47
Runs every: 5 minutes
Searches indices from: now-6m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 100
References:
Tags:
- Elastic
- APM
Version: 8 (version history)
Added (Elastic Stack release): 7.6.0
Last modified (Elastic Stack release): 8.4.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
editThis rule does not indicate that a SQL injection attack occurred, only that the sqlmap
tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity.
Rule query
edituser_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
Rule version history
edit- Version 8 (8.4.0 release)
-
- Formatting only
- Version 7 (7.14.0 release)
-
-
Updated query, changed from:
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
-
- Version 6 (7.12.0 release)
-
- Formatting only
- Version 5 (7.11.2 release)
-
- Formatting only
- Version 4 (7.10.0 release)
-
- Formatting only
- Version 3 (7.9.0 release)
-
- Formatting only
- Version 2 (7.7.0 release)
-
- Formatting only