How to detect xz-lib CVE-2024-3094 with Splunk® Enterprise

jkat54
SplunkTrust

How to detect CVE-2024-3094 with Splunk?


jkat54
SplunkTrust

Step 1: Prerequisites

a. Splunk® Universal Forwarder w/Splunk_TA_nix installed
b. "Package.sh" should be enabled similar to the example below

Note that the UF needs to be restarted to enable the input if it was previously started without the input.

Step 2: Deploy the updated inputs / app

If you need to deploy the app out, you'll only need to deploy it to Linux hosts. Do make sure you enable splunkd restart on your app deployment.

Step 3: Detect the CVE

Now allow time for the data to arrive at your indexing tier, and you should be able to run this search as a detection:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")

Note: You may need to add index=os or index=Your_Linux_TA_Data_Index_here, but by default the data will be in index=main.

You'll probably want to take the search a few steps further. First thing that comes to our mind is adding a "| stats latest(_time) as latest_time by host". When you manipulate _time like that you'll notice it converts to epoch, so you'll probably want to convert it back to human readable format with "| convert ctime(latest_time)". The full search might look something like this:

source=package sourcetype=package NAME=xz-libs VERSION IN ("5.6.0","5.6.1")
| stats latest(_time) as latest_time by host
| convert ctime(latest_time)

If anyone else has anything to add, please reply or add your answer.




falco
Engager

Shouldn't we be looking for xz-utils rather than xz-libs?

Like this:
source=package sourcetype=package NAME=xz-utils

jkat54
SplunkTrust

It may depend on the OS version. In mine, when I did dpkg -l | grep xz, that's the only one I see. I thought about xz*. That might be a better play here.

Is lib different from util, or just different names per OS?

Thanks for the feedback!
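As an added worked example that is not part of this thread, of Splunk, or of the Splunk_TA_nix add-on, the Python below mirrors the accepted answer's search and the package-naming question from the replies so the matching rules can be checked offline against sample data. It matches the package names discussed (xz-libs from the answer, xz-utils from the reply, plus liblzma5, the Debian/Ubuntu library package name, which is an assumption about what your package.sh inventory reports), normalizes distro version strings (epoch prefix, Debian revision suffix, and Debian's "+really" downgrade convention) before comparing against 5.6.0 and 5.6.1, and reproduces the "stats latest(_time) as latest_time by host" and "convert ctime(latest_time)" steps. The record field names follow the thread's search, and the inventory records are constructed sample data, not real hosts.

```python
"""Offline mirror of the CVE-2024-3094 package-inventory detection.

Added example, not code from the thread or from Splunk_TA_nix. Field
names (host, NAME, VERSION, _time) are assumed from the thread's SPL;
all records below are constructed sample data.
"""
import time

# Package names under which the xz/liblzma code ships on common distros.
# xz-libs is from the accepted answer, xz-utils from the reply; liblzma5
# is the Debian/Ubuntu library package (assumption: adjust to what your
# own package.sh inventory actually reports).
XZ_PACKAGE_NAMES = {"xz-libs", "xz-utils", "liblzma5"}

# Upstream xz releases carrying the backdoored build machinery.
AFFECTED_UPSTREAM_VERSIONS = {"5.6.0", "5.6.1"}

# Constructed sample inventory: one record per host/package observation.
# _time is epoch seconds, as Splunk stores it (03/31/2024 and 04/01/2024 UTC).
SAMPLE_RECORDS = [
    {"host": "web01", "NAME": "xz-libs",  "VERSION": "5.6.1",   "_time": 1711843200},
    {"host": "web01", "NAME": "xz-libs",  "VERSION": "5.6.1",   "_time": 1711929600},
    {"host": "db01",  "NAME": "xz-libs",  "VERSION": "5.4.6",   "_time": 1711929600},
    # Debian-style version with a packaging revision suffix.
    {"host": "app01", "NAME": "liblzma5", "VERSION": "5.6.1-1", "_time": 1711929600},
    # Debian "+really" convention: the package is really 5.4.5 despite the
    # 5.6.1 prefix, so a naive prefix match would produce a false positive.
    {"host": "app02", "NAME": "xz-utils", "VERSION": "5.6.1+really5.4.5-1", "_time": 1711929600},
    {"host": "ci01",  "NAME": "curl",     "VERSION": "8.5.0",   "_time": 1711929600},
]


def upstream_version(version: str) -> str:
    """Reduce a distro version string to the upstream xz version.

    Handles an epoch prefix ("1:5.6.1-1"), Debian's "+really" downgrade
    marker ("5.6.1+really5.4.5-1" is actually 5.4.5), and the "-<rev>"
    packaging revision. RPM inventories usually give the bare version.
    """
    v = version.split(":", 1)[-1]            # drop epoch if present
    if "+really" in v:
        v = v.split("+really", 1)[1]         # the real upstream version follows
    return v.split("-", 1)[0]                # drop distro revision


def is_affected(record: dict) -> bool:
    """True when the record names an xz package at an affected upstream version."""
    return (record["NAME"] in XZ_PACKAGE_NAMES
            and upstream_version(record["VERSION"]) in AFFECTED_UPSTREAM_VERSIONS)


def latest_affected_by_host(records) -> dict:
    """Mirror of '| stats latest(_time) as latest_time by host' over affected records."""
    latest = {}
    for r in records:
        if is_affected(r) and r["_time"] > latest.get(r["host"], -1):
            latest[r["host"]] = r["_time"]
    return latest


def ctime(epoch: int) -> str:
    """Mirror of '| convert ctime(latest_time)' using Splunk's default
    timeformat (%m/%d/%Y %H:%M:%S); UTC is used here for determinism."""
    return time.strftime("%m/%d/%Y %H:%M:%S", time.gmtime(epoch))


def report(records) -> list:
    """Rows of (host, readable latest observation), sorted by host."""
    return sorted((host, ctime(t)) for host, t in latest_affected_by_host(records).items())


if __name__ == "__main__":
    for host, seen in report(SAMPLE_RECORDS):
        print(f"{host}\t{seen}")
```

Running the block lists web01 and app01 only: db01 is on 5.4.6, app02 carries the "+really" downgrade, and ci01 has no xz package. The version normalization is the part worth carrying back into the SPL search, since an exact VERSION match on "5.6.0"/"5.6.1" will miss dpkg-style values such as "5.6.1-1" while a loose prefix match will flag the fixed "+really" packages.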
