type: leaky
#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
format: 2.0
name: crowdsecurity/http-sqli-probbing-detection
data:
  - source_url: https://raw.githubusercontent.com/crowdsecurity/sec-lists/master/web/sqli_probe_patterns.txt
    dest_file: sqli_probe_patterns.txt
    type: string
description: "A scenario that detects SQL injection probing with minimal false positives"
filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
groupby: evt.Meta.source_ip
capacity: 10
leakspeed: 1s
blackhole: 5m
#low false positives approach : we require distinct payloads to avoid false positives
distinct: evt.Parsed.http_args
labels:
  remediation: true
  classification:
    - attack.T1595.002
  behavior: "http:exploit"
  label: "SQL Injection Attempt"
  spoofable: 0
  service: http
  confidence: 3