detecting-sql-injection-via-waf-logs

$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-sql-injection-via-waf-logs

Analyze WAF logs to detect SQL injection campaigns.
- Identifies SQLi patterns across ModSecurity, AWS WAF, and Cloudflare logs.
- Depends on Python 3.8+ and regex patterns for payload detection.
- Correlates multi-stage attempts using OWASP classification standards.
- Generates structured incident reports with attack source tracking.
SKILL.md (.github/skills/detecting-sql-injection-via-waf-logs)
---
name: detecting-sql-injection-via-waf-logs
description: >-
  Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection
  attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to
  identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks
  attack sources, correlates multi-stage injection attempts, and generates
  incident reports with OWASP classification.
domain: cybersecurity
subdomain: security-operations
tags: [detecting, sql, injection, via]
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Detecting SQL Injection via WAF Logs

## When to Use

- When investigating security incidents that require detecting SQL injection via WAF logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install requests`
2. Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
3. Run the agent to parse and analyze:
   - Detect SQLi payloads via 15+ regex patterns
   - Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
   - Identify persistent attackers by IP clustering
   - Correlate multi-request injection campaigns
   - Calculate attack success probability based on response codes

```bash
python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json
```

## Examples

### ModSecurity SQLi Detection

```
Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign
```
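As an added illustration of the parse-and-analyze step (this is not the skill's own `scripts/agent.py`), the script below runs a small hypothetical subset of the regex patterns over constructed JSON WAF events, classifies each hit by injection type, clusters hits per source IP, flags multi-stage campaigns, and scores likely success from the WAF action plus the response code. The event fields (`src_ip`, `uri`, `action`, `status`) are a constructed stand-in for the vendor formats, and decoding happens before matching so that URL-encoded or comment-obfuscated payloads are not missed.

```python
import json
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Hypothetical subset of the skill's regex set, keyed by OWASP injection type.
# Dict order is the classification priority when more than one pattern matches.
SQLI_PATTERNS = {
    "union-based": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
    "time-based": re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(", re.I),
    "classic": re.compile(r"['\"]\s*or\s+['\"]?\w+['\"]?\s*=\s*['\"]?\w+", re.I),
    "blind": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+\b|\b(?:substring|ascii)\s*\(", re.I),
}

def classify(uri):
    """Return the injection class of a request URI, or None if nothing matches.
    URL-decode and strip /**/ comments first: %27%20OR and 1/**/AND/**/1=1 must still hit."""
    text = re.sub(r"/\*.*?\*/|\s+", " ", unquote_plus(uri))
    return next((k for k, p in SQLI_PATTERNS.items() if p.search(text)), None)

def analyze(lines, campaign_threshold=3):
    """Aggregate JSON WAF events per source IP into a SQLi campaign summary."""
    per_ip = defaultdict(lambda: {"requests": 0, "sqli": 0, "allowed": 0, "types": Counter()})
    for line in filter(str.strip, lines):
        ev = json.loads(line)
        s = per_ip[ev["src_ip"]]
        s["requests"] += 1
        kind = classify(ev["uri"])
        if kind is None:
            continue
        s["sqli"] += 1
        s["types"][kind] += 1
        # A payload the WAF allowed that then drew a 2xx is the one to triage first.
        if ev["action"] == "ALLOW" and 200 <= ev["status"] < 300:
            s["allowed"] += 1
    return {ip: {"requests": s["requests"], "sqli_requests": s["sqli"],
                 "types": dict(s["types"]),
                 "multi_stage": s["sqli"] >= campaign_threshold and len(s["types"]) > 1,
                 "success_probability": round(s["allowed"] / s["sqli"], 2)}
            for ip, s in per_ip.items() if s["sqli"]}

# Constructed sample events; the schema is a stand-in, not a vendor's real format.
SAMPLE_LOG = """
{"src_ip":"203.0.113.42","uri":"/api/users?id=1' UNION SELECT username,password FROM users--","action":"BLOCK","status":403}
{"src_ip":"203.0.113.42","uri":"/api/users?id=1%27%20OR%20%271%27%3D%271","action":"BLOCK","status":403}
{"src_ip":"203.0.113.42","uri":"/api/users?id=1 AND SLEEP(5)","action":"ALLOW","status":200}
{"src_ip":"203.0.113.42","uri":"/api/users?id=1/**/AND/**/1=1","action":"ALLOW","status":200}
{"src_ip":"198.51.100.7","uri":"/api/users?id=42","action":"ALLOW","status":200}
""".strip().splitlines()
```

Running `analyze(SAMPLE_LOG)` reports only 203.0.113.42, with four distinct injection types, a multi-stage flag, and a 0.5 success probability because two of its payloads passed the WAF and received a 200.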