Wazuh is able to detect an SQL injection attack from web server logs that show patterns like union and other common SQL attack patterns on a monitored endpoint. The attack can also be detected at the network level if you configure a Suricata integration to monitor the endpoint's network traffic.
Add the following lines to /var/ossec/etc/ossec.conf on the Ubuntu 20 endpoint where the Wazuh agent runs. This sets the Linux agent to monitor the access logs of your Apache server.
<localfile>
  <log_format>apache</log_format>
  <location>/var/log/apache2/access.log</location>
</localfile>
Optionally, you can install Suricata in the Ubuntu 20 endpoint and configure it to monitor the endpoint's network traffic.
Restart the Wazuh agent to apply the configuration changes.
# systemctl restart wazuh-agent
Modify the FilesMatch directive at
<FilesMatch ".ht*">
  Require all denied
</FilesMatch>
Replace <your_web_server_address> with the appropriate value and execute the following command from a system external to your Ubuntu 20 endpoint (the attacker).
# curl -XGET "http://replace_by_your_ubuntu_web_server_address/?id=SELECT+*+FROM+users";
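As an added example (not Wazuh's own decoders or rules), the following Python script shows the kind of check that turns the Apache access log entries above into alerts: it parses each line, URL-decodes the request, and flags SQL keyword sequences such as the one produced by the curl command. The log lines are constructed for the example, including an encoded union-based variant that would not be caught without decoding.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not taken from the page).
# The first line is what the curl request above produces; the third carries a
# percent-encoded UNION SELECT that only shows up after URL decoding.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?id=SELECT+*+FROM+users HTTP/1.1" 200 612 "-" "curl/7.68.0"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET /?id=1%27%20UNION%20SELECT%20name,pass%20FROM%20users-- HTTP/1.1" 404 196 "-" "curl/7.68.0"
"""

# Fields of an Apache access log entry up to the status code.
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)

# SQL keyword sequences that rarely appear in legitimate query strings.
SQLI_RE = re.compile(
    r"\b(select\s.+\sfrom|union\s+(all\s+)?select|insert\s+into|drop\s+table|or\s+1\s*=\s*1)\b",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the parsed fields of one access log line, or None if it does not match."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # Decode %xx escapes and '+' so obfuscated keywords are visible to the pattern.
    entry["decoded_url"] = unquote_plus(entry["url"])
    return entry

def detect_sqli(log_text):
    """Return one alert dict per log line whose decoded request URL matches SQLI_RE."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and SQLI_RE.search(entry["decoded_url"]):
            alerts.append({"srcip": entry["ip"], "url": entry["decoded_url"], "status": entry["status"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_sqli(SAMPLE_LOG):
        print(f"SQL injection attempt from {alert['srcip']}: {alert['url']} (HTTP {alert['status']})")
```

The status code is kept in each alert because a 200 response to an injection-looking request deserves more attention than a 404.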