id: suspicious-sql-error-messages

info:
  name: SQL - Error Messages
  author: geeknik
  severity: critical
  description: SQL error messages that indicate probing for an injection attack were detected.
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-89
  tags: file,logs,sql,error
file:
  - extensions:
      - all

    extractors:
      - type: regex
        name: oracle
        part: body
        regex:
          - 'quoted string not properly terminated'

      - type: regex
        name: mysql
        part: body
        regex:
          - 'You have an error in your SQL syntax'

      - type: regex
        name: sql_server
        part: body
        regex:
          - 'Unclosed quotation mark'

      - type: regex
        name: sqlite
        part: body
        regex:
          - 'near \"\*\"\: syntax error'
          - 'SELECTs to the left and right of UNION do not have the same number of result columns'
# digest: 4a0a00473045022100bfb5ecc073310c8f74cac84d8f9073b3208093b6ac943385ed07b3cae4f02c390220382860a04570ec6396de93c738a871330ba21a26bb772da23ba9fd8551682f4e:922c64590222798bb761d5b6d8e72950