/
splunk_dos_via_malformed_s2s_request.yml
62 lines (62 loc) · 1.92 KB
/
splunk_dos_via_malformed_s2s_request.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: Splunk DoS via Malformed S2S Request
id: fc246e56-953b-40c1-8634-868f9e474cbd
version: 2
date: '2022-03-24'
author: Lou Stella, Splunk
status: production
type: TTP
description: On March 24th, 2022, Splunk published a security advisory for a possible
Denial of Service stemming from the lack of validation in a specific key-value field
in the Splunk-to-Splunk (S2S) protocol. This detection will alert on attempted exploitation
in patched versions of Splunk.
data_source:
- Splunk
search: '`splunkd` log_level="ERROR" component="TcpInputProc" thread_name="FwdDataReceiverThread"
"Invalid _meta atom" | table host, src | `splunk_dos_via_malformed_s2s_request_filter`'
how_to_implement: This detection does not require you to ingest any new data. The
detection does require the ability to search the _internal index. This detection
will only find attempted exploitation on versions of Splunk already patched for
CVE-2021-3422.
known_false_positives: None.
references:
- https://www.splunk.com/en_us/product-security/announcements/svd-2022-0301.html
tags:
analytic_story:
- Splunk Vulnerabilities
asset_type: Endpoint
confidence: 100
cve:
- CVE-2021-3422
impact: 50
message: An attempt to exploit CVE-2021-3422 was detected from $src$ against $host$
mitre_attack_id:
- T1498
observable:
- name: host
type: Hostname
role:
- Victim
- name: src
type: IP Address
role:
- Attacker
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- host
- src
- log_level
- component
- thread_name
risk_score: 50
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1498/splunk_indexer_dos/splunkd.log
source: /opt/splunk/var/log/splunk/splunkd.log
sourcetype: splunkd
update_timestamp: true
custom_index: _internal