36 lines
860 B
YAML
36 lines
860 B
YAML
|
id: suspicious-sql-error-messages
|
||
|
|
||
|
info:
|
||
|
name: Suspicious SQL Error Messages
|
||
|
description: Detects SQL error messages that indicate probing for an injection attack
|
||
|
author: geeknik
|
||
|
severity: high
|
||
|
tags: file,logs,sql
|
||
|
|
||
|
file:
|
||
|
- extensions:
|
||
|
- all
|
||
|
|
||
|
extractors:
|
||
|
- type: regex
|
||
|
name: oracle
|
||
|
part: body
|
||
|
regex:
|
||
|
- 'quoted string not properly terminated'
|
||
|
- type: regex
|
||
|
name: mysql
|
||
|
part: body
|
||
|
regex:
|
||
|
- 'You have an error in your SQL syntax'
|
||
|
- type: regex
|
||
|
name: sql_server
|
||
|
part: body
|
||
|
regex:
|
||
|
- 'Unclosed quotation mark'
|
||
|
- type: regex
|
||
|
name: sqlite
|
||
|
part: body
|
||
|
regex:
|
||
|
- 'near \"\*\"\: syntax error'
|
||
|
- 'SELECTs to the left and right of UNION do not have the same number of result columns'
|