mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-07-11 10:03:42 +03:00
1.4 KiB
1.4 KiB
name, description, domain, subdomain, tags, version, author, license
| name | description | domain | subdomain | tags | version | author | license | ||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| detecting-sql-injection-via-waf-logs | Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification. | cybersecurity | security-operations |
|
1.0 | mahipal | MIT |
Instructions
- Install dependencies:
pip install requests - Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
- Run the agent to parse and analyze:
- Detect SQLi payloads via 15+ regex patterns
- Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
- Identify persistent attackers by IP clustering
- Correlate multi-request injection campaigns
- Calculate attack success probability based on response codes
python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json
Examples
ModSecurity SQLi Detection
Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign