Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Suspicious SQL Error Messages

Detects SQL error messages that indicate probing for an injection attack

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Bjoern KimminichCreated Mon Nov 27Updated Sun Feb 128a670c6d-7189-4b1c-8017-a417ca84a086application
Log Source
sqlapplication
Productsql← raw: sql
Categoryapplication← raw: application

Definition

Requirements: application error logs must be collected (with LOG_LEVEL ERROR and above)

Detection Logic
Detection Logic1 selector
detection:
    keywords:
        # Oracle
        - quoted string not properly terminated
        # MySQL
        - You have an error in your SQL syntax
        # SQL Server
        - Unclosed quotation mark
        # SQLite
        - 'near "*": syntax error'
        - SELECTs to the left and right of UNION do not have the same number of result columns
    condition: keywords
False Positives

A syntax error in MySQL also occurs in non-dynamic (safe) queries if there is an empty in() clause, that may often be the case.

References
1
Resolving title…
sqlinjection.net
MITRE ATT&CK
Rule Metadata
Rule ID
8a670c6d-7189-4b1c-8017-a417ca84a086
Status
test
Level
high
Type
Detection
Created
Mon Nov 27
Modified
Sun Feb 12
Author
Bjoern Kimminich
Path
rules/application/sql/app_sqlinjection_errors.yml
Raw Tags
attack.initial-accessattack.t1190
View on GitHub