SQL Traffic to the Internet | Elastic Security Solution [7.9]

The SIEM app is now a part of the Elastic Security solution. Click here to view SIEM documentation for previous releases.

› › ›

« SMTP to the Internet SSH (Secure Shell) from the Internet »

SQL Traffic to the Internetedit

Detects events that may describe database traffic (MS SQL, Oracle, MySQL, and Postgresql) across the Internet. Databases should almost never be directly exposed to the Internet, as they are frequently targeted by threat actors to gain initial access to network resources.

Rule type: query

Rule indices:

filebeat-*
packetbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

Tags:

Elastic
Network

Version: 4 (version history)

Added (Elastic Stack release): 7.6.0

Last modified (Elastic Stack release): 7.9.0

Rule authors: Elastic

Rule license: Elastic License

Potential false positivesedit

Because these ports are in the ephemeral range, this rule may false under certain conditions such as when a NATed web server replies to a client which has used a port in the range by coincidence. In this case, such servers can be excluded if desired. Some cloud environments may use this port when VPNs or direct connects are not in use and database instances are accessed directly across the Internet.

Rule queryedit

event.category:(network or network_traffic) and network.transport:tcp
and (destination.port:(1433 or 1521 or 3306 or 5432) or
event.dataset:zeek.mysql) and source.ip:(10.0.0.0/8 or 172.16.0.0/12
or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8
or 172.16.0.0/12 or 192.168.0.0/16 or "::1")

Threat mappingedit

Framework: MITRE ATT&CK^TM

Tactic:
- Name: Command and Control
- ID: TA0011
- Reference URL: https://attack.mitre.org/tactics/TA0011/
Technique:
- Name: Commonly Used Port
- ID: T1043
- Reference URL: https://attack.mitre.org/techniques/T1043/

Rule version historyedit

Version 4 (7.9.0 release)

Updated query, changed from:

network.transport:tcp and destination.port:(1433 or 1521 or 3336 or
5432) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16)
and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or
192.168.0.0/16 or "::1")

Version 3 (7.7.0 release)

Updated query, changed from:

network.transport: tcp and destination.port: (1433 or 1521 or 3336 or
5432) and ( network.direction: outbound or ( source.ip: (10.0.0.0/8
or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:
(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) ) )

Version 2 (7.6.1 release)

Removed auditbeat-*, packetbeat-*, and winlogbeat-* from the rule indices.

« SMTP to the Internet SSH (Secure Shell) from the Internet »