detecting-sql-injection-via-waf-logs
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.
Best use case
detecting-sql-injection-via-waf-logs is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.
Teams using detecting-sql-injection-via-waf-logs should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-sql-injection-via-waf-logs/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-sql-injection-via-waf-logs Compares
| Feature / Agent | detecting-sql-injection-via-waf-logs | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Analyze WAF (ModSecurity/AWS WAF/Cloudflare) logs to detect SQL injection attack campaigns. Parses ModSecurity audit logs and JSON WAF event logs to identify SQLi patterns (UNION SELECT, OR 1=1, SLEEP(), BENCHMARK()), tracks attack sources, correlates multi-stage injection attempts, and generates incident reports with OWASP classification.
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting SQL Injection via WAF Logs ## When to Use - When investigating security incidents that require detecting sql injection via waf logs - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Familiarity with security operations concepts and tools - Access to a test or lab environment for safe execution - Python 3.8+ with required dependencies installed - Appropriate authorization for any testing activities ## Instructions 1. Install dependencies: `pip install requests` 2. Collect WAF logs (ModSecurity audit log, AWS WAF JSON logs, or Cloudflare firewall events). 3. Run the agent to parse and analyze: - Detect SQLi payloads via 15+ regex patterns - Classify attacks by OWASP injection type (classic, blind, time-based, UNION-based) - Identify persistent attackers by IP clustering - Correlate multi-request injection campaigns - Calculate attack success probability based on response codes ```bash python scripts/agent.py --log-file /var/log/modsec_audit.log --format modsecurity --output sqli_report.json ``` ## Examples ### ModSecurity SQLi Detection ``` Rule 942100 triggered: SQL Injection Attack Detected via libinjection URI: /api/users?id=1' UNION SELECT username,password FROM users-- Source IP: 203.0.113.42 (47 requests in 5 minutes) Classification: UNION-based SQLi campaign ```