Create suspicious-sql-error-messages.yaml

file/logs/suspicious-sql-error-messages.yaml

@@ -0,0 +1,35 @@
+id: suspicious-sql-error-messages
+
+info:
+  name: Suspicious SQL Error Messages
+  description: Detects SQL error messages that indicate probing for an injection attack
+  author: geeknik
+  severity: high
+  tags: file,logs,sql
+
+file:
+  - extensions:
+      - all
+
+    extractors:
+      - type: regex
+        name: oracle
+        part: body
+        regex:
+          - 'quoted string not properly terminated'
+      - type: regex
+        name: mysql
+        part: body
+        regex:
+          - 'You have an error in your SQL syntax'
+      - type: regex
+        name: sql_server
+        part: body
+        regex:
+          - 'Unclosed quotation mark'
+      - type: regex
+        name: sqlite
+        part: body
+        regex:
+          - 'near \"\*\"\: syntax error'
+          - 'SELECTs to the left and right of UNION do not have the same number of result columns'