Legitimate remote access from authorized users or applications connecting from non-localhost addresses, temporary network infrastructure issues causing DNS resolution failures, firewall or network configuration changes resulting in connection timeouts, cloud-hosted Ollama instances receiving valid external API requests, or intermittent connectivity problems during network maintenance may trigger this detection during normal operations.

Techniques

Sample rules

Ollama Abnormal Network Connectivity

Description

Detects abnormal network activity and connectivity issues in Ollama, including non-localhost API access attempts and warning-level network errors (DNS lookup failures, TCP dial errors, host resolution problems) that may indicate network-based attacks, unauthorized access attempts, or infrastructure reconnaissance. Note that the search below does not filter on the source address itself: it reports whatever src or src_ip field is present (or "N/A"), so deciding whether a reported source is localhost or external is left to the analyst.

Detection logic

`ollama_server` level=WARN (msg="*failed*" OR msg="*dial tcp*" OR msg="*lookup*" OR msg="*no such host*" OR msg="*connection*" OR msg="*network*" OR msg="*timeout*" OR msg="*unreachable*" OR msg="*refused*") 
| eval src=coalesce(src, src_ip, "N/A") 
| stats count as incidents, values(src) as src, values(msg) as warning_messages, latest(_time) as last_incident by host 
| eval last_incident=strftime(last_incident, "%Y-%m-%d %H:%M:%S") 
| eval severity="medium" 
| eval attack_type="Abnormal Network Connectivity" 
| stats count by last_incident, host, incidents, src, warning_messages, severity, attack_type 
| `ollama_abnormal_network_connectivity_filter`
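The following is an added example, not part of the LoFP page or of the Splunk rule above, that re-implements the same detection logic in plain Python and runs it over a handful of constructed log lines. It assumes ollama_server events are Go slog-style key=value lines (time=... level=... msg="...") and stands in for Splunk's host metadata with a host string supplied alongside each line; src and src_ip are treated as optional fields, as the coalesce() in the SPL implies. It goes slightly beyond the rule by adding an external_src flag (any reported source outside the loopback range), which is the triage question the false-positive note above raises but the search itself does not answer.

```python
"""Python re-implementation of the 'Ollama Abnormal Network Connectivity'
detection logic, run over constructed sample log lines.  Added example, not
the rule's own code; log format and field names are assumptions."""
import ipaddress
import re
from datetime import datetime

# Message fragments from the rule's msg="*...*" clauses.  Splunk matches
# field values case-insensitively, so comparisons below are lower-cased.
WARNING_PATTERNS = (
    "failed", "dial tcp", "lookup", "no such host", "connection",
    "network", "timeout", "unreachable", "refused",
)

# key=value or key="quoted value" pairs (Go slog TextHandler style, assumed).
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(host, line):
    """Parse one log line into a dict; `host` stands in for Splunk's host field."""
    fields = {"host": host}
    for key, value in _KV_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1].replace('\\"', '"')
        fields[key] = value
    return fields


def matches_detection(event):
    """Equivalent of: level=WARN AND (msg="*failed*" OR msg="*dial tcp*" OR ...)."""
    if event.get("level") != "WARN":
        return False
    msg = event.get("msg", "").lower()
    return any(p in msg for p in WARNING_PATTERNS)


def is_non_localhost(src):
    """True for a routable (non-loopback) IP; 'N/A' or unparsable values give False."""
    try:
        return not ipaddress.ip_address(src).is_loopback
    except ValueError:
        return False


def run_detection(events):
    """Mirror the SPL stats: per host, count incidents, collect src and msg
    values, keep the latest timestamp, and attach the fixed severity/attack_type."""
    results = {}
    for host, line in events:
        ev = parse_event(host, line)
        if not matches_detection(ev):
            continue
        # eval src=coalesce(src, src_ip, "N/A")
        src = ev.get("src") or ev.get("src_ip") or "N/A"
        ts = datetime.strptime(ev["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
        r = results.setdefault(host, {
            "incidents": 0, "src": set(), "warning_messages": set(),
            "last_incident": None, "severity": "medium",
            "attack_type": "Abnormal Network Connectivity",
        })
        r["incidents"] += 1
        r["src"].add(src)
        r["warning_messages"].add(ev["msg"])
        if r["last_incident"] is None or ts > r["last_incident"]:
            r["last_incident"] = ts
    for r in results.values():
        # strftime(last_incident, "%Y-%m-%d %H:%M:%S")
        r["last_incident"] = r["last_incident"].strftime("%Y-%m-%d %H:%M:%S")
        # Triage hint not present in the SPL: any non-loopback source reported.
        r["external_src"] = any(is_non_localhost(s) for s in r["src"])
    return results


# Constructed sample events (host, slog-style line); not real Ollama output.
SAMPLE_EVENTS = [
    ("ollama-01", 'time=2024-06-01T10:00:00.000Z level=INFO source=server.go:100 msg="listening on 127.0.0.1:11434"'),
    ("ollama-01", 'time=2024-06-01T10:01:00.000Z level=WARN source=download.go:200 msg="dial tcp: lookup registry.ollama.ai: no such host"'),
    ("ollama-01", 'time=2024-06-01T10:02:30.000Z level=WARN source=server.go:300 msg="connection refused" src=203.0.113.7'),
    ("ollama-02", 'time=2024-06-01T10:03:00.000Z level=WARN source=server.go:300 msg="request failed: i/o timeout" src_ip=127.0.0.1'),
    ("ollama-02", 'time=2024-06-01T10:04:00.000Z level=WARN source=images.go:50 msg="model file permission denied"'),
]

if __name__ == "__main__":
    for host, summary in run_detection(SAMPLE_EVENTS).items():
        print(host, summary)
```

With the constructed input, ollama-01 yields two incidents with sources {"N/A", "203.0.113.7"} and external_src set, while ollama-02 yields one incident from 127.0.0.1 and is not flagged; the last WARN line on ollama-02 matches none of the message fragments and is dropped, as it would be by the search.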