
security analyst · security skill · risk: medium

SQL Injection Detection via WAF Logs

The prompt provides instructions to collect WAF logs, run an agent that applies 15+ regex patterns to detect SQLi payloads, classify attacks by OWASP type, cluster IPs, and output…

  • Policy sensitive
  • Human review
  • External action: low

SKILL 4 files · 2 folders

SKILL.md
---
name: detecting-sql-injection-via-waf-logs
description: "Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity"
---
# Detecting SQL Injection via WAF Logs


## When to Use

- When investigating security incidents that require detecting SQL injection via WAF logs
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Familiarity with security operations concepts and tools
- Access to a test or lab environment for safe execution
- Python 3.8+ with required dependencies installed
- Appropriate authorization for any testing activities

## Instructions

1. Install dependencies: `pip install requests`
2. Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events).
3. Run the agent to parse and analyze:
   - Detect SQLi payloads via 15+ regex patterns
   - Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
   - Identify persistent attackers by IP clustering
   - Correlate multi-request injection campaigns
   - Calculate attack success probability based on response codes

```bash
python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json
```
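The page does not include `scripts/agent.py`, so the following is an added Python sketch (not the skill's own code) of the parse, classify, cluster and score pipeline the steps above describe. It assumes a constructed one-request-per-line `ip status uri` layout rather than the real ModSecurity audit format, uses only four illustrative patterns instead of the skill's unlisted 15+, and treats a 2xx response to a matched payload as a probable success, which is an assumed heuristic rather than the skill's undocumented method.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote
# Constructed sample in a simplified "ip status uri" layout, not the real ModSecurity audit format.
SAMPLE_LOG = """\
203.0.113.42 403 /api/users?id=1' UNION SELECT username,password FROM users--
203.0.113.42 200 /api/users?id=1%27%20UNION%20SELECT%20null,null--
203.0.113.42 403 /api/users?id=1 AND SLEEP(5)--
198.51.100.7 200 /api/users?id=1 AND 1=1
198.51.100.7 200 /api/users?id=1 AND 1=2
192.0.2.9 200 /api/users?id=17
"""
# Illustrative subset of detection patterns, ordered most to least specific.
PATTERNS = [
    ("UNION-based", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b", re.I)),
    ("blind", re.compile(r"\b(and|or)\s+\d+\s*=\s*\d+", re.I)),
    ("classic", re.compile(r"'\s*(or|and)\b|--\s*$|;\s*drop\b", re.I)),
]
LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<status>\d{3}) (?P<uri>.+)$")

def classify(uri):
    """Return the injection class of a URL-decoded URI, or None if no pattern matches."""
    decoded = unquote(uri)  # attackers often URL-encode quotes and spaces
    for label, pattern in PATTERNS:
        if pattern.search(decoded):
            return label
    return None

def analyze(log_text):
    """Tag SQLi requests, cluster them by source IP and score how many slipped past the WAF."""
    hits = defaultdict(list)  # ip -> [(class, http_status), ...]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        label = classify(m["uri"])
        if label:
            hits[m["ip"]].append((label, int(m["status"])))
    report = {}
    for ip, events in hits.items():
        # Assumed heuristic: a 2xx answer to a matched payload means the WAF did not block it.
        passed = sum(1 for _, status in events if 200 <= status < 300)
        report[ip] = {
            "requests": len(events),
            "classes": dict(Counter(label for label, _ in events)),
            "success_probability": round(passed / len(events), 2),
        }
    return report
```

Benign traffic such as `id=17` never enters the report, so the IP clusters contain only requests that matched a pattern.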

## Examples

### ModSecurity SQLi Detection
```
Rule 942100 triggered: SQL Injection Attack Detected via libinjection
URI: /api/users?id=1' UNION SELECT username,password FROM users--
Source IP: 203.0.113.42 (47 requests in 5 minutes)
Classification: UNION-based SQLi campaign
```

INPUTS

log-file REQUIRED

Path to WAF log file

e.g. /var/log/modsec_audit.log

format REQUIRED

Log format type

e.g. modsecurity

output REQUIRED

Output report file

e.g. sqli_report.json

REQUIRED CONTEXT

  • WAF log file (ModSecurity/AWS/Cloudflare)

EXPECTED OUTPUT

Format: json

Constraints:
  • include attack classification
  • include IP clustering
  • include success probability

SUCCESS CRITERIA

  • Detect SQLi payloads via 15+ regex patterns
  • Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based)
  • Identify persistent attackers by IP clustering
  • Correlate multi-request injection campaigns
  • Calculate attack success probability based on response codes

EXAMPLES

Includes one ModSecurity SQLi detection example.

CAVEATS

Dependencies
  • Familiarity with security operations concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities
  • WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events)
Missing context
  • Full list of regex patterns
  • Source or definition of scripts/agent.py
  • Exact method for calculating attack success probability
Ambiguities
  • Description is truncated: "Parses ModSecurity"
  • Mentions "15+ regex patterns" and "OWASP injection type" without listing them

QUALITY

  • OVERALL: 0.60
  • CLARITY: 0.70
  • SPECIFICITY: 0.55
  • REUSABILITY: 0.75
  • COMPLETENESS: 0.45

IMPROVEMENT SUGGESTIONS

  • Complete the truncated description sentence in the header.
  • Either embed the 15+ regex patterns or provide a clear reference/link to them.
  • Include the agent.py implementation or convert the prompt into a fully self-contained script.
