
Description

The following analytic identifies crashes in the Splunk search app caused by specially crafted ZIP files, affecting Universal Forwarder version 8.1.11 and 8.2.x versions below 8.2.7.1. It detects this activity by monitoring Universal Forwarder error logs (the FileClassifierManager component) for messages indicating invalid or binary file issues. This activity is significant because it can disrupt Splunk operations, leading to potential data loss or monitoring gaps. If confirmed malicious, this attack could result in a denial of service, hindering the organization's ability to monitor and respond to other security incidents effectively.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Last Updated: 2024-05-27
  • Author: Marissa Bower, Rod Soto, Splunk
  • ID: b237d393-2f57-4531-aad7-ad3c17c8b041

Annotations

ATT&CK

  ID     Technique                    Tactic
  T1499  Endpoint Denial of Service   Impact
Kill Chain Phase
  • Actions On Objectives
NIST
  • DE.CM
CIS20
  • CIS 10
CVE

Search

`splunkd` component=FileClassifierManager event_message=*invalid* event_message=*binary*
| stats count by host component event_message
| `splunk_endpoint_denial_of_service_dos_zip_bomb_filter`
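
The search above, replayed over constructed splunkd.log lines as an added example (this is not Splunk's own code or tooling). It assumes the usual "date time tz LEVEL Component - message" layout of splunkd.log and that the field names match Splunk's splunkd sourcetype extractions; the message texts are placeholders, not verbatim forwarder output.

```python
import re
from collections import Counter

# Constructed sample events, one (host, splunkd.log line) per tuple (placeholder text).
SAMPLE_LOGS = [
    ("uf-host-01", "05-27-2024 10:00:01.000 +0000 WARN  FileClassifierManager - "
                   "Unable to classify '/var/log/app/archive.zip': invalid or binary content"),
    ("uf-host-01", "05-27-2024 10:00:02.000 +0000 WARN  FileClassifierManager - "
                   "Unable to classify '/var/log/app/archive.zip': invalid or binary content"),
    ("uf-host-02", "05-27-2024 10:00:03.000 +0000 WARN  FileClassifierManager - "
                   "Unable to classify '/tmp/upload.zip': invalid or binary content"),
    ("uf-host-02", "05-27-2024 10:00:04.000 +0000 INFO  FileClassifierManager - "
                   "Classified '/var/log/app/app.log' as text"),
    ("uf-host-03", "05-27-2024 10:00:05.000 +0000 WARN  TailReader - "
                   "File '/tmp/blob.bin' looks invalid, treating as binary"),
    ("uf-host-03", "05-27-2024 10:00:06.000 +0000 WARN  FileClassifierManager - "
                   "Skipping invalid path '/nonexistent'"),
]

# Assumed line layout: date time tz LEVEL Component - message (mirrors the component /
# event_message fields Splunk extracts from sourcetype=splunkd).
LINE_RE = re.compile(r"^\S+ \S+ \S+ (?P<level>\w+)\s+(?P<component>\w+) - (?P<event_message>.*)$")

def parse_line(host, line):
    """Return host, component and event_message for one line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"host": host, "component": m.group("component"),
            "event_message": m.group("event_message")}

def matches_detection(event):
    """component=FileClassifierManager event_message=*invalid* event_message=*binary*.
    Splunk field wildcard matches are case-insensitive, so compare lowercased text."""
    msg = event["event_message"].lower()
    return (event["component"] == "FileClassifierManager"
            and "invalid" in msg and "binary" in msg)

def run_detection(logs, fp_filter=lambda row: True):
    """| stats count by host component event_message, then the filter macro.
    fp_filter stands in for splunk_endpoint_denial_of_service_dos_zip_bomb_filter and,
    like the empty macro, keeps every row by default."""
    counts = Counter()
    for host, line in logs:
        ev = parse_line(host, line)
        if ev and matches_detection(ev):
            counts[(ev["host"], ev["component"], ev["event_message"])] += 1
    rows = [{"host": h, "component": c, "event_message": m, "count": n}
            for (h, c, m), n in counts.items()]
    return [row for row in rows if fp_filter(row)]
```

Passing a predicate as fp_filter is the equivalent of populating the filter macro to drop a known-benign archive path.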

Macros

The SPL above uses the following Macros:

  • splunkd
  • splunk_endpoint_denial_of_service_dos_zip_bomb_filter

:information_source: splunk_endpoint_denial_of_service_dos_zip_bomb_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • source
  • component
  • event_message
  • host

How To Implement

This search requires splunkd log data from Universal Forwarders to be collected and searchable.

Known False Positives

This search may also surface non-malicious ZIP files that cause the same classification errors.

Associated Analytic Story

RBA

  Risk Score   Impact   Confidence   Message
  75.0         100      75           Potential exposure of environment variables from url embedded in dashboard

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact are set by the analytic author.

Reference

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2