Skill

detecting-sql-injection-via-waf-logs

From asi

Analyzes ModSecurity, AWS WAF, and Cloudflare logs to detect SQL injection campaigns. Parses for patterns like UNION SELECT/OR 1=1/SLEEP, tracks IPs, correlates attempts, generates OWASP reports.

Python

AWS

Cloudflare

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

- When investigating security incidents that require detecting sql injection via waf logs

SKILL.md

Similar Skills

detecting-sql-injection-via-waf-logs

5.9k

Analyzes ModSecurity, AWS WAF, Cloudflare logs to detect SQLi campaigns. Identifies patterns (UNION SELECT, OR 1=1, SLEEP()), tracks attackers, correlates attempts, generates OWASP reports.

3 files

cybersecurity-skills

detecting-sql-injection-via-waf-logs

Analyzes ModSecurity, AWS WAF, and Cloudflare logs to detect SQL injection attacks. Identifies patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks IP sources, associates multi-stage attempts, generates OWASP-classified reports.

3 files

cybersecurity-skills-zh

analyzing-web-server-logs-for-intrusion

Parses Apache and Nginx access logs to detect SQL injection, LFI, directory traversal, web scanners, and brute-force attacks using regex on OWASP signatures, GeoIP enrichment, and request anomaly detection.

asi

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting SQL Injection via WAF Logs

When to Use

When investigating security incidents that require detecting sql injection via waf logs

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Familiarity with security operations concepts and tools

Access to a test or lab environment for safe execution

Python 3.8+ with required dependencies installed

Appropriate authorization for any testing activities

Instructions

Install dependencies: pip install requests

Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).

Run the agent to parse and analyze:

Detect SQLi payloads via 15+ regex patterns
Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
Identify persistent attackers by IP clustering
Correlate multi-request injection campaigns
Calculate attack success probability based on response codes

python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json

Examples

ModSecurity SQLi Detection

Rule 942100 triggered: SQL Injection Attack Detected via libinjection URI: /api/users?id=1' UNION SELECT username,password FROM users-- Source IP: 203.0.113.42 (47 requests in 5 minutes) Classification: UNION-based SQLi campaign