Add Sigma rule

gatewayd-io · May 19, 2024 · 9589aa0 · 9589aa0
1 parent aac17a5
commit 9589aa0
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -20,6 +20,7 @@
   - **Syntax-based detection**: Detects SQL injection attacks by parsing incoming queries and checking for suspicious syntax using `libinjection`
 - Prevents SQL injection attacks by blocking malicious queries from reaching the database server, and returning an error to the client instead
 - Logs an audit trail for detections containing the query and the prediction score
+- Sigma rule for detection in SIEM systems
 - Prometheus metrics for quantifying detections
 - Logging
 - Configurable via environment variables

diff --git a/rules/gatewayd/sql-injection-detected.yaml b/rules/gatewayd/sql-injection-detected.yaml
@@ -0,0 +1,29 @@
+title: SQL injection detected
+description: Detects SQL injection attacks detected by the IDS/IPS plugin
+references:
+  - http://www.sqlinjection.net/
+  - https://attack.mitre.org/techniques/T1190/
+  - https://owasp.org/Top10/A03_2021-Injection/
+  - https://capec.mitre.org/data/definitions/66.html
+  - https://cwe.mitre.org/data/definitions/89.html
+author: Mostafa Moradian <[email protected]>
+date: 2024/05/19
+tags:
+  - attack.initial_access
+  - attack.t1190
+  - owasp.a03
+  - capec.66
+  - cwe.89
+logsource:
+  product: gatewayd
+  service: gatewayd-plugin-sql-ids-ips
+detection:
+  selection:
+    detector: deep_learning_model
+    score|gte: 0.8
+  keywords:
+    - "SQL injection detected"
+  condition: selection and keywords
+falsepositives:
+  - Certain queries like accessing database schema may trigger this alert
+level: high