Skills Development Detecting SQL Injection From WAF Logs

Detecting SQL Injection From WAF Logs

v20260601
detecting-sql-injection-via-waf-logs
This tool analyzes Web Application Firewall (WAF) logs (ModSecurity, AWS WAF, Cloudflare) to detect sophisticated SQL injection attack campaigns. It parses diverse log formats, identifies common SQLi payloads (UNION SELECT, OR 1=1), correlates multi-stage attacks, tracks source IPs, and generates detailed incident reports classified by OWASP standards for SOC analysts and security researchers.
Get Skill
164 downloads
Overview

Detecting SQL Injection via WAF Logs

When to Use

  • When investigating security incidents that require detecting sql injection via waf logs
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies: pip install requests
  2. Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
  3. Run the agent to parse and analyze:
    • Detect SQLi payloads via 15+ regex patterns
    • Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
    • Identify persistent attackers by IP clustering
    • Correlate multi-request injection campaigns
    • Calculate attack success probability based on response codes
python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json

Examples

ModSecurity SQLi Detection

Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign
Info
Category Development
Name detecting-sql-injection-via-waf-logs
Version v20260601
Size 9.55KB
Updated At 2026-06-03
Language