Detecting an SQL Injection attack

Wazuh can detect an SQL injection attack from the web server logs of a monitored endpoint by matching request entries against patterns such as select, union, and other SQL keywords commonly used in attacks. The attack can also be detected at the network level if you configure a Suricata integration to monitor the endpoint's network traffic.

Prerequisites

  • You need an Apache server running on the monitored Ubuntu 20 system.

Configuration

  1. Add the following lines to /var/ossec/etc/ossec.conf on the Ubuntu 20 endpoint where the Wazuh agent runs. This configures the Linux agent to monitor the access log of your Apache server.

    <localfile>
      <log_format>apache</log_format>
      <location>/var/log/apache2/access.log</location>
    </localfile>
    

    Optionally, you can install Suricata in the Ubuntu 20 endpoint and configure it to monitor the endpoint's network traffic.

  2. Restart the Wazuh agent to apply the configuration changes.

    # systemctl restart wazuh-agent
    
  3. Modify the FilesMatch directive in /etc/apache2/apache2.conf as follows:

    <FilesMatch ".ht*">
      Require all denied
    </FilesMatch>
    

Steps to generate the alerts

  1. Replace the placeholder replace_by_your_ubuntu_web_server_address in the command below with the address of your Ubuntu 20 web server, and execute the command from a system external to the endpoint (the attacker).

    # curl -XGET "http://replace_by_your_ubuntu_web_server_address/?id=SELECT+*+FROM+users";
    

Query the alerts

You can visualize the alert data in the Wazuh dashboard. To do this, go to the Security events module and add the following filter in the search bar to query the alerts.

  • rule.id:31103
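To show the kind of matching that produces a rule.id 31103 alert, here is an added Python illustration that is not Wazuh's own rule logic (the real rule uses its own regular expressions in the web rules file): it parses constructed Apache access log lines, URL-decodes each request, and flags SQL keyword sequences while letting an ordinary parameter such as select=blue through. The log lines and the keyword pattern are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format access log lines (not real traffic).
# Line 1 is the request from this guide; line 3 is a URL-encoded variant.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?id=SELECT+*+FROM+users HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.7 - - [10/Mar/2024:12:00:02 +0000] "GET /index.html HTTP/1.1" 200 10918 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:12:00:03 +0000] "GET /?q=1%20UNION%20SELECT%20name%20FROM%20tbl HTTP/1.1" 200 612 "-" "curl/7.68.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /products?select=blue HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Apache combined format: client ident user [time] "method url proto" status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed keyword pattern: an SQL verb, whitespace, then a clause keyword.
# Requiring the whitespace keeps a plain parameter like select=blue from matching.
SQLI_RE = re.compile(
    r"\b(select|union|insert|update|delete)\b\s+.*?\b(from|where|into|select)\b",
    re.IGNORECASE,
)

def parse_line(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_sqli(url):
    """Decode '+' and %XX escapes first, since the encoded form hides the spaces."""
    return SQLI_RE.search(unquote_plus(url)) is not None

def scan_log(text):
    """Return (client, decoded_url) for every request that looks like SQL injection."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_sqli(rec["url"]):
            hits.append((rec["client"], unquote_plus(rec["url"])))
    return hits

if __name__ == "__main__":
    for client, url in scan_log(SAMPLE_LOG):
        print(f"SQL injection attempt from {client}: {url}")
```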