Web Application Suspicious Activity: sqlmap User Agent

edit

Web Application Suspicious Activity: sqlmap User Agent

edit

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Rule type: query

Rule indices:

  • apm--transaction
  • traces-apm*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • APM

Version: 8 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Potential false positives

edit

This rule does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity.

Rule query

edit
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"

Rule version history

edit
Version 8 (8.4.0 release)
  • Formatting only
Version 7 (7.14.0 release)
  • Updated query, changed from:

    user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"
Version 6 (7.12.0 release)
  • Formatting only
Version 5 (7.11.2 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Formatting only
Version 2 (7.7.0 release)
  • Formatting only