title: Suspicious SQL Error Messages
id: 8a670c6d-7189-4b1c-8017-a417ca84a086
status: test
description: Detects SQL error messages that indicate probing for an injection attack
author: Bjoern Kimminich
references:
  - http://www.sqlinjection.net/errors
date: 2017/11/27
modified: 2021/11/27
logsource:
  category: application
  product: sql
detection:
  keywords:
        # Oracle
    - quoted string not properly terminated
        # MySQL
    - You have an error in your SQL syntax
        # SQL Server
    - Unclosed quotation mark
        # SQLite
    - 'near "*": syntax error'
    - SELECTs to the left and right of UNION do not have the same number of result columns
  condition: keywords
falsepositives:
  - Application bugs
level: high
tags:
  - attack.initial_access
  - attack.t1190