```shell
cscli scenarios install crowdsecurity/http-sqli-probing
```

The http-sqli-probing scenario aims to detect SQL injection probing attempts with a very low chance of false positives.
SQL injection probing attempts are characterized by specific SQL-related patterns in the URI/GET arguments (if and when that is where the injected parameter lands), and this is what the scenario detects.
The word list is chosen specifically to limit false positives.
Furthermore, a `distinct` directive on the GET arguments themselves (`evt.Parsed.http_args`) means only different payloads fill the bucket, which further reduces the chance of false positives: a legitimate client repeating the same odd-looking query string will not trigger it.
You can test the behavior of the scenario by running the excellent sqlmap against one of your own pages.
WARNING This scenario is not a WAF, and it does not aim to replace a WAF. A motivated attacker with knowledge of CrowdSec will be able to bypass it. It is mostly meant as a way to detect generic SQL injection probing such as that performed by open-source or commercial scanners.
```yaml
type: leaky
#requires at least 2.0 because it's using the 'data' section and the 'Upper' expr helper
format: 2.0
name: crowdsecurity/http-sqli-probbing-detection
data:
  - source_url: https://hub-data.crowdsec.net/web/sqli_probe_patterns.txt
    dest_file: sqli_probe_patterns.txt
    type: string
description: "A scenario that detects SQL injection probing with minimal false positives"
filter: "evt.Meta.log_type in ['http_access-log', 'http_error-log'] && any(File('sqli_probe_patterns.txt'), {Upper(evt.Parsed.http_args) contains Upper(#)})"
groupby: evt.Meta.source_ip
capacity: 10
leakspeed: 1s
blackhole: 5m
#low false positives approach : we require distinct payloads to avoid false positives
distinct: evt.Parsed.http_args
labels:
  remediation: true
  classification:
    - attack.T1595.002
  behavior: "http:exploit"
  label: "SQL Injection Attempt"
  spoofable: 0
  service: http
  confidence: 3
```
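To make the interplay of `filter`, `groupby`, `capacity`/`leakspeed`, `distinct` and `blackhole` concrete, here is a small Python model of the scenario above. It is an added example and not CrowdSec's own bucket implementation: the pattern list is a constructed stand-in for `sqli_probe_patterns.txt`, the access-log lines and IP addresses are constructed, and the parser assumes (as the CrowdSec HTTP parsers do) that the decoded query string ends up in `http_args`. It shows why a scanner firing many different payloads overflows the bucket while a client repeating one payload, or a benign search, never does, and how the source is ignored during the 5 minute blackhole.

```python
"""Toy model of the leaky bucket, distinct and blackhole semantics used by the
crowdsecurity/http-sqli-probing scenario (added example; not CrowdSec code)."""
import re
from dataclasses import dataclass, field
from urllib.parse import unquote_plus, urlencode, urlsplit

# Constructed stand-in for sqli_probe_patterns.txt; the real list is fetched
# from hub-data.crowdsec.net and is chosen to keep false positives low.
SQLI_PROBE_PATTERNS = ["UNION SELECT", "information_schema", "SLEEP(", "WAITFOR DELAY"]

CAPACITY = 10        # capacity: 10
LEAKSPEED = 1.0      # leakspeed: 1s  (one token drains per second)
BLACKHOLE = 300.0    # blackhole: 5m  (seconds the source is ignored after an overflow)

ACCESS_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*"')


def event_from_access_log(line, ts):
    """Minimal parser producing the fields the scenario reads (assumption: the
    decoded query string is what the CrowdSec HTTP parsers expose as http_args)."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    return {"ts": ts, "source_ip": m.group("ip"), "log_type": "http_access-log",
            "http_args": unquote_plus(urlsplit(m.group("target")).query)}


def matches_filter(log_type, http_args):
    """The scenario's filter: an HTTP log line with a case-insensitive pattern hit."""
    if log_type not in ("http_access-log", "http_error-log"):
        return False
    upper = http_args.upper()
    return any(p.upper() in upper for p in SQLI_PROBE_PATTERNS)


@dataclass
class LeakyBucket:
    last: float
    tokens: float = 0.0
    seen_args: set = field(default_factory=set)   # backs 'distinct: evt.Parsed.http_args'

    def leak(self, now):
        self.tokens = max(0.0, self.tokens - (now - self.last) / LEAKSPEED)
        self.last = now
        if self.tokens == 0.0:          # an empty bucket forgets the payloads it has seen
            self.seen_args.clear()


class SqliProbeScenario:
    def __init__(self):
        self.buckets = {}      # groupby: evt.Meta.source_ip  -> one bucket per source
        self.blackholed = {}   # source_ip -> timestamp until which it is ignored
        self.alerts = []

    def process(self, ev):
        ip, ts = ev["source_ip"], ev["ts"]
        if ip in self.blackholed and ts < self.blackholed[ip]:
            return None                      # blackhole: nothing is counted for this source
        self.blackholed.pop(ip, None)
        if not matches_filter(ev["log_type"], ev["http_args"]):
            return None
        b = self.buckets.setdefault(ip, LeakyBucket(last=ts))
        b.leak(ts)
        if ev["http_args"] in b.seen_args:   # distinct: a repeated payload adds nothing
            return None
        b.seen_args.add(ev["http_args"])
        b.tokens += 1
        if b.tokens > CAPACITY:              # overflow -> alert, then blackhole the source
            alert = {"source_ip": ip, "ts": ts, "label": "SQL Injection Attempt",
                     "distinct_payloads": len(b.seen_args)}
            self.alerts.append(alert)
            self.blackholed[ip] = ts + BLACKHOLE
            del self.buckets[ip]
            return alert
        return None


def _line(ip, query):
    # Constructed access-log line in combined format.
    return f'{ip} - - [10/Oct/2024:13:55:36 +0000] "GET /item?{query} HTTP/1.1" 200 512'


def run_demo():
    """Feed constructed traffic patterns and report what the scenario raised."""
    sc = SqliProbeScenario()
    t = 1000.0
    # 1) scanner-like behaviour: 11 different probe payloads within half a second -> overflow
    for i in range(11):
        q = urlencode({"id": f"1 UNION SELECT {i},{i + 1}"})
        sc.process(event_from_access_log(_line("203.0.113.5", q), t + i * 0.05))
    # 2) the same payload 20 times from another host -> 'distinct' keeps the bucket at 1 token
    for i in range(20):
        q = urlencode({"id": "1 UNION SELECT 1,2"})
        sc.process(event_from_access_log(_line("198.51.100.7", q), t + i * 0.05))
    # 3) a benign search never matches the filter
    sc.process(event_from_access_log(_line("192.0.2.9", urlencode({"q": "select a colour"})), t))
    # 4) the scanner is ignored while blackholed (two minutes after the alert)
    later = _line("203.0.113.5", urlencode({"id": "1 UNION SELECT 9,9"}))
    ignored = sc.process(event_from_access_log(later, t + 120))
    return {"alerts": sc.alerts, "ignored_during_blackhole": ignored is None}


if __name__ == "__main__":
    print(run_demo())
```

The overflow condition (`tokens > CAPACITY`) and the "empty bucket forgets its payloads" rule are simplifications of the real engine, but they reproduce the property the page relies on: with `distinct`, the 11 events needed to overflow must be 11 different query strings from one source IP within roughly the leak window, which is what scanners do and what a user reloading a page does not.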