Detecting SQL Injection via WAF Logs

v20260601
detecting-sql-injection-via-waf-logs
This tool analyzes Web Application Firewall (WAF) logs from ModSecurity, AWS WAF and Cloudflare. It parses several log formats, detects sophisticated SQL injection activity, recognizes common payloads such as UNION SELECT, correlates multi-stage attacks, and produces detailed incident reports aligned with OWASP injection classifications. It is intended for security operations center (SOC) analysts and security researchers.
164 downloads
Overview

Detecting SQL Injection via WAF Logs

When to Use

  • When investigating security incidents in which SQL injection attempts must be detected from WAF logs
  • When building detection rules or threat hunting queries for this domain
  • When SOC analysts need structured procedures for this analysis type
  • When validating security monitoring coverage for related attack techniques

Prerequisites

  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

Instructions

  1. Install dependencies: pip install requests
  2. Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
  3. Run the agent to parse and analyze:
    • Detect SQLi payloads via 15+ regex patterns
    • Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
    • Identify persistent attackers by IP clustering
    • Correlate multi-request injection campaigns
    • Estimate attack success probability from HTTP response codes (an unblocked 2xx response is a hint that the payload reached the application, not proof of exploitation)
python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json
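The steps above, carried through end to end as an added example; this is not the skill's own scripts/agent.py. It normalizes the three log formats into one event shape, classifies payloads with an ordered regex list (time-based, UNION-based, boolean blind, classic), clusters hits by source IP, collects the WAF rule IDs that fired, and scores likely success as the share of unblocked 2xx responses. The AWS WAF and Cloudflare field names, the campaign threshold and the sample log lines are assumptions constructed for the example; check the field names against your own log exports.

```python
"""Constructed example (not the skill's agent.py): normalise ModSecurity, AWS WAF and
Cloudflare events, flag SQLi payloads, cluster by source IP and score likely success.
AWS WAF / Cloudflare field names are assumptions taken from the vendors' log schemas."""
import json
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Ordered (class, regex) pairs: first match wins, so the most specific classes come first.
SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("UNION-based", re.compile(r"\bunion\b[\s/*]+(all[\s/*]+)?select\b", re.I)),
    ("blind", re.compile(r"\b(and|or)\b\s*\(?\s*['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I)),
    ("classic", re.compile(r"['\"]\s*(--|#|/\*)|;\s*(drop|insert|update|delete|exec)\b", re.I)),
]
CAMPAIGN_MIN_REQUESTS = 3   # assumed threshold; tune to your traffic (the page's example shows 47 in 5 min)

def classify(request_target):
    """Return the SQLi class of a request target (path?query), or None if it looks clean."""
    decoded = unquote_plus(unquote_plus(request_target))   # undo double URL-encoding
    for label, rx in SQLI_PATTERNS:
        if rx.search(decoded):
            return label
    return None

# JSON-lines formats: (ip, path, query, action, actions meaning "blocked", rule id); dotted = nested.
JSON_FIELDS = {
    "awswaf": ("httpRequest.clientIp", "httpRequest.uri", "httpRequest.args",
               "action", {"BLOCK"}, "terminatingRuleId"),
    "cloudflare": ("ClientIP", "ClientRequestPath", "ClientRequestQuery",
                   "Action", {"block", "challenge", "managed_challenge"}, "RuleID"),
}

def _get(rec, dotted):
    for key in dotted.split("."):
        rec = rec.get(key, "") if isinstance(rec, dict) else ""
    return rec

def parse_json_lines(lines, fmt):
    ip_f, path_f, query_f, action_f, blocking, rule_f = JSON_FIELDS[fmt]
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            yield {"ip": _get(rec, ip_f), "status": None,   # these exports carry no origin status
                   "target": f"{_get(rec, path_f)}?{_get(rec, query_f)}",
                   "blocked": _get(rec, action_f) in blocking,
                   "rule_ids": {str(_get(rec, rule_f))} - {""}}

MODSEC_PART = re.compile(r"^--[0-9a-f]+-([A-Z])--$")

def parse_modsecurity(lines):
    """Serial audit log: part A = header, B = request, F = response, H = rule messages, Z = end."""
    ev = part = None
    for line in lines:
        m = MODSEC_PART.match(line.strip())
        if m:
            part = m.group(1)
            if part == "A":
                ev = {"ip": None, "target": "", "status": None, "blocked": False, "rule_ids": set()}
            elif part == "Z" and ev:
                yield ev
                ev = None
            continue
        if ev is None or not line.strip():
            continue
        if part == "A" and ev["ip"] is None:
            ev["ip"] = line.split()[3]          # "[date time] unique_id client_ip client_port ..."
        elif part == "B" and not ev["target"]:
            ev["target"] = line.split()[1]      # request line: METHOD target HTTP/x
        elif part == "F" and line.startswith("HTTP/"):
            ev["status"] = int(line.split()[1])
            ev["blocked"] = ev["status"] == 403  # the usual SecDefaultAction deny status
        elif part == "H":
            ev["rule_ids"].update(re.findall(r'\[id "(\d+)"\]', line))

def analyze(events):
    """Cluster SQLi hits per source IP; success score = share of unblocked 2xx responses."""
    by_ip = defaultdict(lambda: {"requests": 0, "classes": defaultdict(int),
                                 "unblocked_2xx": 0, "rule_ids": set()})
    for ev in events:
        label = classify(ev["target"])
        if label is None:
            continue
        rec = by_ip[ev["ip"]]
        rec["requests"] += 1
        rec["classes"][label] += 1
        rec["rule_ids"] |= ev["rule_ids"]
        # An unblocked 2xx is the only hint a WAF log gives that the payload reached the app;
        # it is a heuristic, the app may have answered 200 with an error page.
        if not ev["blocked"] and ev["status"] is not None and 200 <= ev["status"] < 300:
            rec["unblocked_2xx"] += 1
    report = []
    for ip, rec in by_ip.items():
        dominant = max(rec["classes"], key=rec["classes"].get)
        kind = "campaign" if rec["requests"] >= CAMPAIGN_MIN_REQUESTS else "probe"
        report.append({"source_ip": ip, "requests": rec["requests"],
                       "classification": f"{dominant} SQLi {kind}",
                       "rule_ids": sorted(rec["rule_ids"]),
                       "success_probability": round(rec["unblocked_2xx"] / rec["requests"], 2)})
    return sorted(report, key=lambda r: -r["requests"])

# Constructed sample logs (RFC 5737 addresses), not real traffic.
MODSEC_SAMPLE = """--c1a2b3d4-A--
[01/Jun/2026:10:00:01 +0000] aaaaaaaaaaaaaaaaaaaaaaaaaa 203.0.113.42 51234 198.51.100.7 443
--c1a2b3d4-B--
GET /api/users?id=1'%20UNION%20SELECT%20username,password%20FROM%20users-- HTTP/1.1
Host: shop.example
--c1a2b3d4-F--
HTTP/1.1 403 Forbidden
--c1a2b3d4-H--
Message: Warning. detected SQLi using libinjection. [id "942100"] [msg "SQL Injection Attack Detected via libinjection"]
--c1a2b3d4-Z--
--c1a2b3d5-A--
[01/Jun/2026:10:00:02 +0000] aaaaaaaaaaaaaaaaaaaaaaaaab 203.0.113.42 51235 198.51.100.7 443
--c1a2b3d5-B--
GET /api/users?id=1%20AND%20SLEEP(5)-- HTTP/1.1
--c1a2b3d5-F--
HTTP/1.1 200 OK
--c1a2b3d5-Z--
--c1a2b3d6-A--
[01/Jun/2026:10:00:03 +0000] aaaaaaaaaaaaaaaaaaaaaaaaac 198.51.100.23 40000 198.51.100.7 443
--c1a2b3d6-B--
GET /api/users?id=7 HTTP/1.1
--c1a2b3d6-F--
HTTP/1.1 200 OK
--c1a2b3d6-Z--
"""
AWSWAF_SAMPLE = ('{"timestamp":1780308004000,"action":"BLOCK","terminatingRuleId":"AWS-AWSManagedRulesSQLiRuleSet",'
                 '"httpRequest":{"clientIp":"203.0.113.42","uri":"/api/users",'
                 '"args":"id=1%27%20UNION%20ALL%20SELECT%20NULL,NULL--","httpMethod":"GET"}}')

def run_samples():
    events = list(parse_modsecurity(MODSEC_SAMPLE.splitlines()))
    events += parse_json_lines(AWSWAF_SAMPLE.splitlines(), "awswaf")
    return analyze(events)

if __name__ == "__main__":
    print(json.dumps(run_samples(), indent=2))
```

On the sample input the report contains a single entry for 203.0.113.42: three SQLi requests (two UNION-based, one time-based), so it is labelled a UNION-based SQLi campaign, with rule IDs 942100 and the AWS managed SQLi rule set, and a success probability of 0.33 because only the SLEEP() probe came back unblocked with a 200. The benign request from 198.51.100.23 produces no entry. Cloudflare firewall events go through parse_json_lines with fmt="cloudflare".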

Examples

ModSecurity SQLi Detection

Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign
Information
Category Programming & Development
Name detecting-sql-injection-via-waf-logs
Version v20260601
Size 9.55KB
Updated 2026-06-03
Language