SQL INJECTION

This query tries to identify requests from automated SQL injection tools and the payloads they send.

SPLUNK: Search & Reporting
 SPL: sourcetype=web_traffic client_ip="<REDACTED>" AND user_agent IN ("*sqlmap*", "*Havij*") | table _time, path, status
 DTG: All time
 TAB: Statistics
 
 *  Specific attack strings such as SLEEP(5) in the request path are a good indication of malicious activity.
 *  A 504 status code on such a request often confirms a successful time-based SQL injection attack (the backend stalled for the requested delay).
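Added example (not part of the original note): the same logic as the SPL above, run in Python over constructed sample web_traffic events. It goes a little beyond the note by also matching a few other time-delay functions and by tagging the SLEEP-payload-then-504 correlation explicitly.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample web_traffic events (not real traffic); fields mirror the SPL table above.
EVENTS = [
    {"_time": "2024-01-01T10:00:01", "client_ip": "203.0.113.5",
     "user_agent": "sqlmap/1.7.2#stable (https://sqlmap.org)",
     "path": "/item?id=1", "status": 200},
    {"_time": "2024-01-01T10:00:02", "client_ip": "203.0.113.5",
     "user_agent": "sqlmap/1.7.2#stable (https://sqlmap.org)",
     "path": "/item?id=1%20AND%20SLEEP(5)", "status": 504},
    {"_time": "2024-01-01T10:00:03", "client_ip": "198.51.100.7",
     "user_agent": "Mozilla/5.0", "path": "/item?id=2", "status": 200},
    {"_time": "2024-01-01T10:00:04", "client_ip": "198.51.100.9",
     "user_agent": "Mozilla/5.0",
     "path": "/item?id=1'%20AND%20sleep(5)--", "status": 504},
    {"_time": "2024-01-01T10:00:05", "client_ip": "198.51.100.9",
     "user_agent": "Havij", "path": "/item?id=3", "status": 200},
]

# Same tools as the SPL user_agent IN (...) clause.
TOOL_UA = re.compile(r"sqlmap|havij", re.IGNORECASE)
# SLEEP(n) from the note plus the usual equivalents on other engines.
TIME_PAYLOAD = re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\(|waitfor\s+delay",
                          re.IGNORECASE)

def classify(event):
    """Return the reasons this event is suspicious; an empty list means no hit."""
    reasons = []
    if TOOL_UA.search(event["user_agent"]):
        reasons.append("tool_user_agent")
    decoded = unquote_plus(event["path"])  # payloads usually arrive URL-encoded
    if TIME_PAYLOAD.search(decoded):
        reasons.append("time_based_payload")
        # A gateway timeout right after a delay payload supports the
        # time-based injection hypothesis (the note's 504 observation).
        if event["status"] == 504:
            reasons.append("timeout_after_payload")
    return reasons

def summarize(events):
    """Group hit reasons by client_ip, like `| stats values(reason) by client_ip`."""
    by_ip = {}
    for ev in events:
        reasons = classify(ev)
        if reasons:
            by_ip.setdefault(ev["client_ip"], set()).update(reasons)
    return by_ip

if __name__ == "__main__":
    for ip, reasons in summarize(EVENTS).items():
        print(ip, sorted(reasons))
```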
