Splunk DoS via POST Request Datamodel Endpoint
Description
The following is a hunting search that allows investigation of error messages indicating Splunk HTTP engine shutdown as a result of a crafted posted request against '/datamodel/model' endpoint.
- Type: Hunting
-
Product: Splunk Enterprise
- Last Updated: 2024-07-01
- Author: Rod Soto
- ID: 45766810-dbb2-44d4-b889-b4ba3ee0d1f5
Annotations
Kill Chain Phase
- Actions On Objectives
NIST
- DE.AE
CIS20
- CIS 10
CVE
| ID | Summary | CVSS |
|---|---|---|
Search
1
2
3
4
5
`splunkd_webs` log_level=INFO message="ENGINE: HTTP Server cherrypy._cpwsgi_server.CPWSGIServer(('127.0.0.1', 8065)) shut down"
| stats count min(_time) as firstTime max(_time) as lastTime by splunk_server message
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `splunk_dos_via_post_request_datamodel_endpoint_filter`
Macros
The SPL above uses the following Macros:
splunk_dos_via_post_request_datamodel_endpoint_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- UPDATE
How To Implement
Need access to the internal indexes.
Known False Positives
This is a hunting search and will produce false positives as other causes can also shut down splunk HTTP engine, however this denial of service error is associated to a request to the datamodel/model endpoing which operator can research and find proximity of request and message in logs.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 50.0 | 100 | 50 | Possible Denial of Service attack against $splunk_server$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1