How to detect xz-lib CVE-2024-3094 with Splunk® Enterprise

jkat54 (SplunkTrust)

How to detect CVE-2024-3094 with Splunk?


jkat54 (SplunkTrust)

Step 1: Prerequisites:

a. Splunk® Universal Forwarder w/Splunk_TA_nix installed
b. "Package.sh" should be enabled similar to the example below

Note that the UF needs to be restarted to enable the input if it was previously started without the input.

Step 2: Deploy the updated inputs / app

If you need to deploy the app out, you'll only need to deploy it to Linux hosts. Do make sure you enable splunkd restart on your app deployment.

Step 3: Detect the CVE

Now allow time for the data to arrive at your indexing tier, and you should be able to run this search as a detection:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")

Note: You may need to add index=os or index=Your_Linux_TA_Data_Index_here, but by default the data will be in index=main.

You'll probably want to take the search a few steps further. First thing that comes to our mind is adding a "| stats latest(_time) as latest_time by host". When you manipulate _time like that you'll notice it converts to epoch, so you'll probably want to convert it back to human readable format with "| convert ctime(latest_time)". The full search might look something like this:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")
| stats latest(_time) as latest_time by host
| convert ctime(latest_time)



If anyone else has anything to add, please reply or add your answer.


falco (Engager)

Shouldn't we be looking for xz-utils rather than xz-libs?

Like this:

source=package sourcetype=package NAME=xz-utils

jkat54 (SplunkTrust)

It may depend on the OS version. In mine, when I did dpkg -l | grep xz, that's the only one I see. I thought about xz*. That might be a better play here.

Is lib different from util, or just different names per OS?

Thanks for the feedback!
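The detection logic of the accepted answer (filter on package name and affected version, latest event per host, epoch converted to human-readable time), widened to the xz* name match discussed in the follow-up, as an added Python example that is not from this thread or from Splunk_TA_nix. The events are constructed; the field names NAME, VERSION, host and _time are taken from the search above, and the xz* pattern is an assumption that both package names are prefixed with "xz".

```python
import fnmatch
import time

# Constructed sample events, shaped like the fields the search above uses
# (host and _time are Splunk metadata; NAME and VERSION come from package.sh).
SAMPLE_EVENTS = [
    {"host": "web01", "_time": 1711900000, "NAME": "xz-libs",  "VERSION": "5.6.1"},
    {"host": "web01", "_time": 1711986400, "NAME": "xz-libs",  "VERSION": "5.6.1"},
    {"host": "db01",  "_time": 1711900000, "NAME": "xz-utils", "VERSION": "5.6.0"},
    {"host": "app02", "_time": 1711900000, "NAME": "xz-libs",  "VERSION": "5.4.6"},
    {"host": "app02", "_time": 1711900000, "NAME": "zlib",     "VERSION": "5.6.0"},
]

# Versions named in the thread's search: VERSION IN ("5.6.0","5.6.1")
AFFECTED_VERSIONS = frozenset({"5.6.0", "5.6.1"})


def affected_hosts(events, name_pattern="xz*", versions=AFFECTED_VERSIONS):
    """Python equivalent of:
         NAME=xz* VERSION IN ("5.6.0","5.6.1")
         | stats latest(_time) as latest_time by host
    Returns {host: latest_time} with latest_time still in epoch seconds,
    which is why the answer follows the stats with a convert."""
    latest = {}
    for ev in events:
        # Splunk wildcards on a field behave like a glob, hence fnmatch.
        if not fnmatch.fnmatchcase(ev["NAME"], name_pattern):
            continue
        if ev["VERSION"] not in versions:
            continue
        host = ev["host"]
        if host not in latest or ev["_time"] > latest[host]:
            latest[host] = ev["_time"]
    return latest


def ctime(epoch):
    """Mirror of '| convert ctime(latest_time)' using Splunk's default
    timeformat (%m/%d/%Y %H:%M:%S). UTC is used here so the output is
    deterministic; Splunk renders in the searching user's timezone."""
    return time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(epoch))


def report(events):
    """Rows as the full search would show them: (host, latest_time as ctime)."""
    return sorted((h, ctime(t)) for h, t in affected_hosts(events).items())


if __name__ == "__main__":
    for host, seen in report(SAMPLE_EVENTS):
        print(f"{host:8} last reported affected xz package at {seen}")
```

Hosts whose only xz* package is an unaffected version (app02 above) drop out, exactly as they do from the SPL search.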
