SQL Traffic to the Internet

edit

Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.

Rule type: query

Rule indices:

  • filebeat-*
  • packetbeat-*
  • logs-endpoint.events.*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

  • Elastic
  • Host
  • Network
  • Threat Detection
  • Command and Control

Version: 5 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.10.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet.

Rule query

edit
event.category:(network or network_traffic) and network.transport:tcp
and (destination.port:(1433 or 1521 or 3306 or 5432) or
event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12
or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8
or 172.16.0.0/12 or 192.168.0.0/16 or "::1")

Threat mapping

edit

Framework: MITRE ATT&CKTM

Rule version history

edit
Version 5 (7.10.0 release)
  • Formatting only
Version 4 (7.9.0 release)
  • Updated query, changed from:

    network.transport:tcp and destination.port:(1433 or 1521 or 3336 or
    5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
    and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
    192.168.0.0/16 or "::1")
Version 3 (7.7.0 release)
  • Updated query, changed from:

    network.transport: tcp and destination.port: (1433 or 1521 or 3336 or
    5432) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8
    or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:
    (10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )
Version 2 (7.6.1 release)
  • Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.