Instructions
- Install dependencies:
    pip install requests
- Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
- Run the agent to parse and analyze the collected logs:
    python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json
  The agent will:
  - Detect SQLi payloads via 15+ regex patterns
  - Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
  - Identify persistent attackers by IP clustering
  - Correlate multi-request injection campaigns
  - Calculate attack success probability based on response codes
Examples
ModSecurity SQLi Detection
Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign
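As an added illustration of the detect / classify / cluster / score pipeline listed under Instructions, applied to the request from the ModSecurity example above (example code written for this page, not scripts/agent.py): it assumes a simplified JSON-lines event shape with client_ip, uri and status fields (not a real vendor schema), a four-pattern subset of the agent's regexes, and constructed response-code weights and campaign threshold.

```python
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus
# Detection regexes keyed by injection class, checked in order (a constructed subset
# standing in for the agent's 15+ patterns; the most specific classes come first).
PATTERNS = {
    "union-based": re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I),
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I),
    "blind": re.compile(r"\b(and|or)\b\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+['\"]?", re.I),
    "classic": re.compile(r"'\s*(or|and)\b|--\s*$|;\s*(drop|insert|update|delete)\b", re.I),
}
SUCCESS_WEIGHT = {200: 0.8, 500: 0.6, 404: 0.1, 403: 0.0}  # assumed: chance the request reached the app
CAMPAIGN_THRESHOLD = 3  # assumed: this many SQLi hits from one IP counts as a campaign

def classify(uri):
    # Percent-encoded payloads (%27, %20) must be decoded before matching.
    decoded = unquote_plus(uri)
    for label, rx in PATTERNS.items():
        if rx.search(decoded):
            return label
    return None  # no SQLi indicators

def analyze(lines):
    # Parse JSON-lines WAF events, keep SQLi hits and cluster them by source IP.
    clusters = defaultdict(lambda: {"requests": 0, "types": set(), "scores": []})
    for line in lines:
        ev = json.loads(line)
        label = classify(ev["uri"])
        if label is None:
            continue
        c = clusters[ev["client_ip"]]
        c["requests"] += 1
        c["types"].add(label)
        c["scores"].append(SUCCESS_WEIGHT.get(ev["status"], 0.3))
    return {ip: {"requests": c["requests"], "types": sorted(c["types"]),
                 "campaign": c["requests"] >= CAMPAIGN_THRESHOLD,
                 "success_probability": round(sum(c["scores"]) / len(c["scores"]), 2)}
            for ip, c in clusters.items()}

# Constructed sample events in a simplified JSON-lines shape (not a real vendor schema).
SAMPLE_LOG = """
{"client_ip": "203.0.113.42", "uri": "/api/users?id=1%27%20UNION%20SELECT%20username,password%20FROM%20users--", "status": 403}
{"client_ip": "203.0.113.42", "uri": "/api/users?id=1' UNION/**/SELECT username,password FROM users--", "status": 200}
{"client_ip": "203.0.113.42", "uri": "/api/users?id=1 AND SLEEP(5)", "status": 200}
{"client_ip": "198.51.100.7", "uri": "/api/users?id=42", "status": 200}
""".strip().splitlines()
if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

The first two sample events carry the same payload as the ModSecurity example, once percent-encoded and once with inline-comment whitespace, which is why the classifier decodes the URI and tolerates `/**/` between keywords; the blocked (403) request pulls the per-IP success probability down while the two 200 responses push it up.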