splunk · patel-bhavin · Oct 13, 2025 · Oct 5, 2025 · Oct 5, 2025 · Oct 5, 2025
@@ -0,0 +1,111 @@
+name: Ollama Server
+id: a7761a7c-ecaa-4164-8517-959cabfacaf9
+version: 1
+date: '2025-10-05'
+author: Rod Soto, Splunk
+description: 'Ollama server logs (HTTP access logs via GIN framework and system logs including GPU/CPU utilization, model loading, memory allocation, errors, and warnings) via Splunk TA-ollama add-on by configuring file monitoring inputs to your log directories (sourcetype: ollama:server), or enable HEC for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts).'
+sourcetype: ollama:server
+source: server.log
+supported_TA:
+- name: Splunk TA for Ollama
+ url: https://github.com/rosplk/ta-ollama
+ version: 0.1.3
+fields:
+- CPU_0_AVX
+- CPU_0_AVX2
+- CPU_0_AVX_VNNI
+- CPU_0_BMI2
+- CPU_0_F16C
+- CPU_0_FMA
+- CPU_0_LLAMAFILE
+- CPU_0_SSE3
+- CPU_0_SSSE3
+- CPU_1_LLAMAFILE
+- CUDA_0_ARCHS
+- CUDA_0_PEER_MAX_BATCH_SIZE
+- CUDA_0_USE_GRAPHS
+- LOG
+- OS
+- app
+- args
+- available
+- bundle
+- cmd
+- compiler
+- compute
+- cores
+- count
+- date_hour
+- date_mday
+- date_minute
+- date_month
+- date_second
+- date_wday
+- date_year
+- date_zone
+- dest
+- driver
+- efficiency
+- env
+- eventtype
+- free
+- free_swap
+- gpus
+- host
+- http_d
+- http_method
+- http_path
+- http_pattern
+- http_response_code
+- http_status
+- id
+- index
+- installer
+- interval
+- layers_model
+- layers_offload
+- layers_requested
+- layers_split
+- level
+- library
+- linecount
+- maxEfficiencyClass
+- memory_available
+- memory_gpu_overhead
+- memory_graph_full
+- memory_graph_partial
+- memory_required_allocations
+- memory_required_full
+- memory_required_kv
+- memory_required_partial
+- memory_weights_nonrepeating
+- memory_weights_repeating
+- memory_weights_total
+- model
+- msg
+- name
+- overhead
+- package
+- parallel
+- port
+- punct
+- request
+- request_id
+- required
+- response_time_ms
+- source
+- sourcetype
+- splunk_server
+- status
+- threads
+- threshold
+- time
+- timeendpos
+- timestartpos
+- tool_count
+- total
+- variant
+- vendor_product
+- version
+output_fields: []
+example_log: 'time=2025-10-02T14:46:19.789-04:00 level=INFO source=server.go:544 msg=offload library=cuda layers.requested=-1 layers.model=29 layers.offload=29 layers.split=[29] memory.available="[6.9 GiB]" memory.gpu_overhead="0 B" memory.required.full="3.1 GiB" memory.required.partial="3.1 GiB" memory.required.kv="448.0 MiB" memory.required.allocations="[3.1 GiB]" memory.weights.total="1.9 GiB" memory.weights.repeating="1.6 GiB" memory.weights.nonrepeating="308.2 MiB" memory.graph.full="256.5 MiB" memory.graph.partial="570.7 MiB"'
@@ -0,0 +1,62 @@
+name: Ollama Abnormal Network Connectivity
+id: 19ec30ad-faa2-496a-a6a9-f2e5f778fbdb
+version: 1
+date: '2025-10-05'
+author: Rod Soto
+status: experimental
+type: Anomaly
+description: Detects abnormal network activity and connectivity issues in Ollama including non-localhost API access attempts and warning-level network errors such as DNS lookup failures, TCP connection issues, or host resolution problems that may indicate network-based attacks, unauthorized access attempts, or infrastructure reconnaissance activity.
+data_source:
+- Ollama Server
+search: '`ollama_server` level=WARN (msg="*failed*" OR msg="*dial tcp*" OR msg="*lookup*" OR msg="*no such host*" OR msg="*connection*" OR msg="*network*" OR msg="*timeout*" OR msg="*unreachable*" OR msg="*refused*")
+| eval src=coalesce(src, src_ip, "N/A")
+| stats count as incidents, values(src) as src, values(msg) as warning_messages, latest(_time) as last_incident by host
+| eval last_incident=strftime(last_incident, "%Y-%m-%d %H:%M:%S")
+| eval severity="medium"
+| eval attack_type="Abnormal Network Connectivity"
+| stats count by last_incident, host, incidents, src, warning_messages, severity, attack_type
+| `ollama_abnormal_network_connectivity_filter`'
+how_to_implement: 'Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.'
+known_false_positives: Legitimate remote access from authorized users or applications connecting from non-localhost addresses, temporary network infrastructure issues causing DNS resolution failures, firewall or network configuration changes resulting in connection timeouts, cloud-hosted Ollama instances receiving valid external API requests, or intermittent connectivity problems during network maintenance may trigger this detection during normal operations.
+references:
+- https://github.com/rosplk/ta-ollama
+drilldown_searches:
+- name: View the detection results for - "$src$"
+ search: '%original_detection_search% | search "$src = "$src$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$",) starthoursago=168 | stats count min(_time)
+ as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+ as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: 'Abnormal network activity detected on $host$ with $incidents$ incidents from $src$. Investigation needed for network errors: $warning_messages$.'
+ risk_objects:
+ - field: host
+ type: system 
+ score: 10
+ threat_objects:
+ - field: src
+ type: system
+ score: 10
+tags:
+ analytic_story:
+ - Suspicious Ollama Activities
+ asset_type: Web Application
+ mitre_attack_id:
+ - T1571
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/ollama/app.log
+ sourcetype: ollama:server
+ source: app.log
@@ -0,0 +1,77 @@
+name: Ollama Abnormal Service Crash Availability Attack
+id: 327fa152-9b56-4e4e-bc0b-2795d4068afa
+version: 1
+date: '2025-10-05'
+author: Rod Soto
+status: experimental
+type: Anomaly
+description: Detects critical service crashes, fatal errors, and abnormal process terminations in Ollama that may indicate exploitation attempts, resource exhaustion attacks, malicious input triggering unhandled exceptions, or deliberate denial of service attacks designed to disrupt AI model availability and degrade system stability.
+data_source:
+- Ollama Server
+search: '`ollama_server` (level=ERROR OR level=FATAL OR "service stopped" OR "terminated" OR "exit" OR "shutdown" OR "crash" OR "killed")
+| rex field=_raw "msg=\"(?<msg>[^\"]+)\""
+| rex field=_raw "exit_code=(?<exit_code>\d+)"
+| bin _time span=5m
+| stats count as termination_count,
+ earliest(_time) as first_seen,
+ latest(_time) as last_seen,
+ values(msg) as error_messages,
+ values(exit_code) as exit_codes,
+ dc(msg) as unique_errors
+ by host
+| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
+| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
+| eval severity=case(
+ termination_count > 5, "critical",
+ termination_count > 2, "high",
+ 1=1, "medium"
+)
+| eval attack_type=case(
+ termination_count > 5, "Resource Exhaustion",
+ termination_count > 2, "Repeated Service Failures",
+ 1=1, "Service Instability"
+)
+| where termination_count > 1
+| table first_seen, last_seen, host, termination_count, unique_errors, error_messages, severity, attack_type
+| `ollama_abnormal_service_crash_availability_attack_filter`'
+how_to_implement: 'Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.'
+known_false_positives: Normal service restarts during system updates or maintenance windows, graceful shutdowns with non-zero exit codes, intentional service stops by administrators, software upgrades requiring process termination, out-of-memory conditions on resource-constrained systems, or known bugs in specific Ollama versions that cause benign crashes may trigger this detection during routine operations.
+references:
+- https://github.com/rosplk/ta-ollama
+drilldown_searches:
+- name: 'View the detection results for - "$host$"'
+ search: '%original_detection_search% | search host="$host$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: 'View risk events for the last 7 days for - "$host$"'
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$host$") starthoursago=168 
+ | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" 
+ values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" 
+ values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" 
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: 'Abnormal Ollama service termination detected on host $host$ between $first_seen$ and $last_seen$. Service stopped $termination_count$ times with $unique_errors$ unique error types. Severity: $severity$. Potential cause: $attack_type$. Error messages: $error_messages$ require investigation.'
+ risk_objects:
+ - field: host
+ type: system
+ score: 10
+ threat_objects: []
+tags:
+ analytic_story:
+ - Suspicious Ollama Activities
+ asset_type: Web Application
+ mitre_attack_id:
+ - T1489
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/ollama/app.log
+ sourcetype: ollama:server
+ source: app.log
@@ -0,0 +1,57 @@
+name: Ollama Excessive API Requests
+id: 1cfab663-9adc-4169-a88c-6bae29ba3c70
+version: 1
+date: '2025-10-05'
+author: Rod Soto
+status: experimental
+type: Anomaly
+description: Detects potential Distributed Denial of Service (DDoS) attacks or rate limit abuse against Ollama API endpoints by identifying excessive request volumes from individual client IP addresses. This detection monitors GIN-formatted Ollama server logs to identify clients generating abnormally high request rates within short time windows, which may indicate automated attacks, botnet activity, or resource exhaustion attempts targeting local AI model infrastructure.
+data_source:
+- Ollama Server
+search: '`ollama_server` | rex field=_raw "\|\s+(?<client_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})\s+\|"
+| eval src=coalesce(src, client_ip)
+| eval dest=coalesce(dest, url, uripath, endpoint)
+| bin _time span=5m
+| stats count as request_count by _time, src, dest, host
+| where request_count > 120 
+| eval severity="high"
+| eval attack_type="Rate Limit Abuse / DDoS"
+| stats count by _time, host, src, dest, request_count, severity, attack_type
+| `ollama_excessive_api_requests_filter`'
+how_to_implement: 'Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.' 
+known_false_positives: Legitimate automated services (CI/CD pipelines, monitoring tools, batch jobs), multiple users behind NAT/proxy infrastructure, or authorized load testing activities may trigger this detection during normal operations. Operator must adjust threshold accordingly. 
+references:
+- https://github.com/rosplk/ta-ollama
+drilldown_searches:
+- name: View the detection results for - "$src$"
+ search: '%original_detection_search% | search "$src = "$src$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: Possible DDoS attack from $src$ against Ollama server detected with request count $request_count$ in 1 minute, potentially causing service degradation or complete unavailability.
+ risk_objects:
+ - field: src
+ type: system
+ score: 10
+ threat_objects: []
+tags:
+ analytic_story:
+ - Suspicious Ollama Activities
+ asset_type: Web Application
+ mitre_attack_id:
+ - T1498
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/ollama/server.log
+ sourcetype: ollama:server
+ source: server.log
@@ -0,0 +1,59 @@
+name: Ollama Possible API Endpoint Scan Reconnaissance
+id: ad3f352a-0347-48ee-86b9-670b5025a548
+version: 1
+date: '2025-10-05'
+author: Rod Soto
+status: experimental
+type: Anomaly
+description: Detects API reconnaissance and endpoint scanning activity against Ollama servers by identifying sources probing multiple API endpoints within short timeframes, particularly when using HEAD requests or accessing diverse endpoint paths, which indicates systematic enumeration to map the API surface, discover hidden endpoints, or identify vulnerabilities before launching targeted attacks.
+data_source:
+- Ollama Server
+search: '`ollama_server` "[GIN]" 
+| bin _time span=5m
+| stats count as total_requests, values(dest) as dest, values(http_method) as methods, values(status) as status_codes by _time, src, host
+| where total_requests > 120
+| eval severity="medium"
+| eval attack_type="API Activity Surge"
+| stats count by _time, host, src, total_requests, dest, methods, status_codes, severity, attack_type
+| `ollama_possible_api_endpoint_scan_reconnaissance_filter`'
+how_to_implement: 'Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.'
+known_false_positives: Legitimate web application clients or mobile apps that access multiple API endpoints as part of normal functionality, monitoring and health check systems probing various endpoints for availability, load balancers performing health checks across different paths, API testing frameworks during development and QA processes, or users navigating through web interfaces that trigger multiple API calls may generate similar patterns during normal operations.
+references:
+- https://github.com/rosplk/ta-ollama
+drilldown_searches:
+- name: View the detection results for - "$src$"
+ search: '%original_detection_search% | search "$src = "$src$"'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+- name: View risk events for the last 7 days for - "$src$"
+ search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src$") starthoursago=168 | stats count min(_time)
+ as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message)
+ as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all)
+ as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics"
+ by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+ earliest_offset: $info_min_time$
+ latest_offset: $info_max_time$
+rba:
+ message: API reconnaissance activity detected from $src$ on $host$ with $total_requests$ requests across different endpoints using methods $methods$ and receiving status codes $status_codes$, indicating systematic endpoint enumeration to map API attack surface and identify potential vulnerabilities.
+ risk_objects:
+ - field: src
+ type: system
+ score: 10
+ threat_objects: []
+tags:
+ analytic_story:
+ - Suspicious Ollama Activities
+ asset_type: Web Application
+ mitre_attack_id:
+ - T1595
+ product:
+ - Splunk Enterprise
+ - Splunk Enterprise Security
+ - Splunk Cloud
+ security_domain: endpoint
+tests:
+- name: True Positive Test
+ attack_data:
+ - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/ollama/server.log
+ sourcetype: ollama:server
+ source: server.log