Detection: Ollama Possible Model Exfiltration Data Leakage

EXPERIMENTAL DETECTION

This detection status is set to experimental. The Splunk Threat Research team has not yet fully tested, simulated, or built comprehensive datasets for this detection. As such, this analytic is not officially supported. If you have any questions or concerns, please reach out to us at research@splunk.com.

Updated Date: 2025-10-05 ID: c9fd1a54-0eab-4470-8970-d5fcc3c740fb Author: Rod Soto Type: Anomaly Product: Splunk Enterprise Security

Description

Detects data leakage and exfiltration attempts targeting Ollama model metadata and configuration endpoints. Adversaries repeatedly query /api/show, /api/tags, and /api/v1/models to systematically extract sensitive model information including architecture details, fine-tuning parameters, system paths, Modelfile configurations, and proprietary customizations. Multiple inspection attempts within a 15-minute window indicate automated exfiltration of valuable intellectual property such as custom model configurations, system prompts, and internal model specifications. This activity represents unauthorized data disclosure that could enable competitive intelligence gathering, model replication, or preparation for advanced attacks against the AI infrastructure.

Search

 1`ollama_server` 
 2| rex field=_raw "\
 3|\s+(?<status_code>\d+)\s+\
 4|\s+(?<response_time>[\d\.]+)s\s+\
 5|\s+(?<src_ip>[\:\da-f\.]+)\s+\
 6|\s+(?<http_method>\w+)\s+\"(?<uri_path>[^\"]+)\"" 
 7| eval src=src_ip 
 8| eval dest=uri_path 
 9| where response_time > 55 
10| bin _time span=15m 
11| stats count, avg(response_time) as avg_response_time, max(response_time) as max_response_time by _time, src, dest, uri_path 
12| eval avg_response_time=round(avg_response_time, 2) 
13| eval max_response_time=round(max_response_time, 2) 
14| eval severity=case( avg_response_time > 50, "high", avg_response_time > 40, "medium", 1=1, "low" ) 
15| eval attack_type="Potential Data Exfiltration" 
16| sort -_time 
17| stats count by _time, src, uri_path, avg_response_time, max_response_time, severity, attack_type 
18| `ollama_possible_model_exfiltration_data_leakage_filter`

Data Source

Name	Platform	Sourcetype	Source
Ollama Server	N/A	`'ollama:server'`	`'server.log'`

Macros Used

Name	Value
ollama_server	`(sourcetype="ollama:server")`
ollama_possible_model_exfiltration_data_leakage_filter	`search *`

ollama_possible_model_exfiltration_data_leakage_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1048	Exfiltration Over Alternative Protocol	Exfiltration

Actions on Objectives

DE.AE

CIS 10

TeamTNT

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

Ingest Ollama logs via Splunk TA-ollama add-on by configuring file monitoring inputs pointed to your Ollama server log directories (sourcetype: ollama:server), or enable HTTP Event Collector (HEC) for real-time API telemetry and prompt analytics (sourcetypes: ollama:api, ollama:prompts). CIM compatibility using the Web datamodel for standardized security detections.

Known False Positives

Legitimate administrative activities such as model inventory management, monitoring dashboards polling model status, automated health checks verifying model availability, CI/CD pipelines validating deployments, development tools inspecting model configurations, or users browsing available models through management interfaces may trigger this detection during normal operations. Adjust the threshold based on your environment's baseline activity.

Associated Analytic Story

Suspicious Ollama Activities

Risk Based Analytics (RBA)

Risk Message:

Potential model data exfiltration detected from $src$ with $avg_response_time$ attempts across endpoints, indicating systematic extraction of sensitive model configurations, architecture details, and proprietary customizations that may constitute intellectual property theft.

Risk Object	Risk Object Type	Risk Score	Threat Objects
src	system	10	No Threat Objects

References

https://github.com/rosplk/ta-ollama

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	Not Applicable	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`server.log`	`ollama:server`
Integration	✅ Passing	Dataset	`server.log`	`ollama:server`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1