id: suspicious-sql-error-messages

info:
  name: SQL - Error Messages
  author: geeknik
  severity: critical
  description: SQL error messages that indicate probing for an injection attack were detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
  tags: file,logs,sql,error
file:
  - extensions:
      - all

    extractors:
      - type: regex
        name: oracle
        part: body
        regex:
          - 'quoted string not properly terminated'

      - type: regex
        name: mysql
        part: body
        regex:
          - 'You have an error in your SQL syntax'

      - type: regex
        name: sql_server
        part: body
        regex:
          - 'Unclosed quotation mark'

      - type: regex
        name: sqlite
        part: body
        regex:
          - 'near \"\*\"\: syntax error'
          - 'SELECTs to the left and right of UNION do not have the same number of result columns'

# digest: 490a0046304402201d5d530c0efe89b2780c5a407266a640c4f3ddc7ccf1c39f27855bb9675b456e022031ffc06367293118a8f9c8e3ce0c116256961abbea5b0761b4954f7070fa6349:922c64590222798bb761d5b6d8e72950