How to detect CVE-2024-3094 with Splunk?
a. Splunk® Universal Forwarder w/Splunk_TA_nix installed
b. "Package.sh" should be enabled similar to the example below
Note that the UF needs to be restarted to enable the input if it was previously started without it.
If you need to deploy the app out, you'll only need to deploy it to Linux hosts. Do make sure you enable splunkd restart on your app deployment.
Now allow time for the data to arrive at your indexing tier, and you should be able to run this search as a detection:
source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")
Note: You may need to add index=os or index=Your_Linux_TA_Data_Index_here, but by default the data will be in index=main
You'll probably want to take the search a few steps further. First thing that comes to our mind is adding a "| stats latest(_time) as latest_time by host". When you manipulate _time like that you'll notice it converts to epoch, so you'll probably want to convert it back to human readable format with "| convert ctime(latest_time)". The full search might look something like this:
source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1") | stats latest(_time) as latest_time by host | convert ctime(latest_time)
If anyone else has anything to add, please reply or add your answer.
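As an added example (not part of the original post or of Splunk_TA_nix), the detection above written out in Python so it can be run offline against constructed package.sh-style events. It assumes a six-column NAME VERSION RELEASE ARCH VENDOR GROUP layout, a package-name pattern that covers both the Fedora/RHEL names (xz, xz-libs) and the Debian/Ubuntu names (xz-utils, liblzma5) raised in the replies, and it matches on the upstream version prefix so a Debian-style VERSION value such as 5.6.1-1 is still caught by the 5.6.0/5.6.1 check that an exact IN() comparison would miss. It also reports whether the host's most recent inventory run still shows an affected package, which "stats latest(_time) by host" alone does not tell you: that search returns the last time a vulnerable version was observed, not whether the host is still on it.

```python
import re
from datetime import datetime, timezone

# Constructed sample events standing in for what the package.sh input of
# Splunk_TA_nix indexes: each tuple is (_time as epoch seconds, host, raw event).
# The six whitespace-separated columns (NAME VERSION RELEASE ARCH VENDOR GROUP)
# are an assumption for this example; check the header line in your own data.
SAMPLE_EVENTS = [
    (1711929600, "web01",   "xz-libs   5.6.1    1.fc40   x86_64  Fedora  Unspecified"),
    (1712016000, "web01",   "xz-libs   5.4.6    3.fc40   x86_64  Fedora  Unspecified"),
    (1712016000, "build02", "xz-libs   5.6.1    1.fc40   x86_64  Fedora  Unspecified"),
    (1712016000, "build02", "xz        5.6.1    1.fc40   x86_64  Fedora  Unspecified"),
    (1712016000, "deb03",   "xz-utils  5.6.1-1  ?        amd64   Debian  utils"),
    (1712016000, "deb03",   "liblzma5  5.6.1-1  ?        amd64   Debian  libs"),
    (1712016000, "db04",    "xz-libs   5.2.5    8.el9    x86_64  Rocky   Unspecified"),
    (1712016000, "db04",    "openssl   3.0.7    27.el9   x86_64  Rocky   Unspecified"),
]

FIELDS = ("NAME", "VERSION", "RELEASE", "ARCH", "VENDOR", "GROUP")

# Package names that carry the xz/liblzma code across distro families
# (xz, xz-libs on Fedora/RHEL; xz-utils, liblzma5 on Debian/Ubuntu).
# The pattern is an assumption for the example; extend it for your fleet.
XZ_NAME = re.compile(r"^(xz(-libs|-utils|-devel)?|liblzma\d*)$")
BAD_UPSTREAM = {"5.6.0", "5.6.1"}
# Leading upstream version, so "5.6.1-1" (distro revision appended) still matches.
UPSTREAM = re.compile(r"^(\d+\.\d+\.\d+)")


def parse_event(raw):
    """Split one package.sh line into the named fields Splunk would extract."""
    return dict(zip(FIELDS, raw.split(None, len(FIELDS) - 1)))


def is_affected(name, version):
    """True for an xz/liblzma package whose upstream version is 5.6.0 or 5.6.1."""
    m = UPSTREAM.match(version)
    return bool(XZ_NAME.match(name)) and m is not None and m.group(1) in BAD_UPSTREAM


def ctime(epoch):
    """Render epoch seconds the way `convert ctime()` displays them (UTC here)."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def latest_affected_by_host(events):
    """Equivalent of `... | stats latest(_time) as latest_time by host`, plus
    a check the search alone does not make: whether the host's newest
    inventory run still lists an affected package (still_present)."""
    last_seen_any = {}   # newest package.sh event per host, affected or not
    last_seen_bad = {}   # newest event per host that matched the detection
    bad_pkgs = {}
    for epoch, host, raw in events:
        pkg = parse_event(raw)
        last_seen_any[host] = max(last_seen_any.get(host, 0), epoch)
        if is_affected(pkg["NAME"], pkg["VERSION"]):
            last_seen_bad[host] = max(last_seen_bad.get(host, 0), epoch)
            bad_pkgs.setdefault(host, set()).add(f"{pkg['NAME']}-{pkg['VERSION']}")
    return {
        host: {
            "latest_time": ctime(t),
            "packages": sorted(bad_pkgs[host]),
            "still_present": t == last_seen_any[host],
        }
        for host, t in last_seen_bad.items()
    }


if __name__ == "__main__":
    for host, row in sorted(latest_affected_by_host(SAMPLE_EVENTS).items()):
        print(host, row)
```

In the constructed data, web01 was seen with xz-libs 5.6.1 on 04/01 and with 5.4.6 on 04/02, so the stats-style result still reports it with latest_time 04/01/2024 but still_present False; build02 and deb03 are flagged as still on an affected version. Translating this back to SPL, the same idea is a comparison of the matching events' latest(_time) against the host's latest(_time) over all package events.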
Shouldn't we be looking for xz-utils rather than xz-libs?
Like this:
source=package sourcetype=package NAME=xz-utils
It may depend on the OS version. On mine, when I did dpkg -l | grep xz, that's the only one I saw. I thought about xz*. That might be a better play here.
Is lib different from util, or are they just different names per OS?
Thanks for the feedback!