IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Web Application Suspicious Activity: Unauthorized Method WebServer Access Logs Deleted »
Elastic Docs Elastic Security Solution [7.11] Detections and Alerts Prebuilt rule reference

Web Application Suspicious Activity: sqlmap User Agent

edit

Web Application Suspicious Activity: sqlmap User Agent

edit

This is an example of how to detect an unwanted web client user agent. This search matches the user agent for sqlmap 1.3.11, which is a popular FOSS tool for testing web applications for SQL injection vulnerabilities.

Rule type: query

Rule indices:

  • apm--transaction

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • APM

Version: 5 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.11.2

Rule authors: Elastic

Rule license: Elastic License

Potential false positives

edit

This rule does not indicate that a SQL injection attack occurred, only that the sqlmap tool was used. Security scans and tests may result in these errors. If the source is not an authorized security tester, this is generally suspicious or malicious activity.

Rule query

edit
user_agent.original:"sqlmap/1.3.11#stable (http://sqlmap.org)"

Rule version history

edit
Version 5 (7.11.2 release)
  • Formatting only
Version 4 (7.10.0 release)
  • Formatting only
Version 3 (7.9.0 release)
  • Formatting only
Version 2 (7.7.0 release)
  • Formatting only
« Web Application Suspicious Activity: Unauthorized Method WebServer Access Logs Deleted »