Ollama Abnormal Service Crash Availability Attack
- source: splunk
- techniques:
- T1489
Description
Detects critical service crashes, fatal errors, and abnormal process terminations in Ollama that may indicate exploitation attempts, resource exhaustion attacks, malicious input triggering unhandled exceptions, or deliberate denial of service attacks designed to disrupt AI model availability and degrade system stability.
Detection logic
`ollama_server` (level=ERROR OR level=FATAL OR "service stopped" OR "terminated" OR "exit" OR "shutdown" OR "crash" OR "killed")
| rex field=_raw "msg=\"(?<msg>[^\"]+)\""
| rex field=_raw "exit_code=(?<exit_code>\d+)"
| bin _time span=5m
| stats count as termination_count, earliest(_time) as first_seen, latest(_time) as last_seen, values(msg) as error_messages, values(exit_code) as exit_codes, dc(msg) as unique_errors by host
| eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S")
| eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S")
| eval severity=case( termination_count > 5, "critical", termination_count > 2, "high", 1=1, "medium" )
| eval attack_type=case( termination_count > 5, "Resource Exhaustion", termination_count > 2, "Repeated Service Failures", 1=1, "Service Instability" )
| where termination_count > 1
| table first_seen, last_seen, host, termination_count, unique_errors, error_messages, severity, attack_type
| `ollama_abnormal_service_crash_availability_attack_filter`
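To make the aggregation and thresholds above concrete, here is an added Python example (not part of the rule or of Splunk) that applies the same extraction, 5-minute binning, per-host counting and severity/attack_type logic to a handful of constructed Ollama-style log lines; hostnames, messages and timestamps are made up, and substring matching stands in for Splunk's term search.

```python
import re
from datetime import datetime

MSG_RE = re.compile(r'msg="([^"]+)"')        # rex: msg="(?<msg>[^"]+)"
EXIT_RE = re.compile(r"exit_code=(\d+)")     # rex: exit_code=(?<exit_code>\d+)
TIME_RE = re.compile(r"time=(\S+)")
# Base-search terms; substring matching approximates Splunk's term search.
KEYWORDS = ("level=ERROR", "level=FATAL", "service stopped", "terminated",
            "exit", "shutdown", "crash", "killed")

# Constructed sample events in Ollama's logfmt-style format (hosts and messages are made up).
SAMPLE_LOGS = {
    "gpu-node-1": [
        'time=2024-05-01T10:00:05Z level=INFO source=routes.go:100 msg="model loaded"',
        'time=2024-05-01T10:01:10Z level=ERROR source=server.go:210 msg="runner terminated unexpectedly" exit_code=137',
        'time=2024-05-01T10:01:40Z level=ERROR source=server.go:210 msg="runner terminated unexpectedly" exit_code=137',
        'time=2024-05-01T10:07:15Z level=FATAL source=main.go:50 msg="out of memory" exit_code=2',
    ],
    "dev-laptop": ['time=2024-05-01T10:30:00Z level=INFO source=main.go:80 msg="server shutdown requested"'],
}

def floor_5m(ts):
    # Same effect as `bin _time span=5m`: floor the timestamp to a 5-minute boundary.
    return ts.replace(minute=ts.minute - ts.minute % 5, second=0, microsecond=0)

def classify(count):
    # Thresholds taken from the rule's two `case` expressions.
    if count > 5:
        return "critical", "Resource Exhaustion"
    if count > 2:
        return "high", "Repeated Service Failures"
    return "medium", "Service Instability"

def summarize(logs_by_host):
    # Mirrors `stats ... by host` plus the `where termination_count > 1` filter.
    report = {}
    for host, lines in logs_by_host.items():
        hits = [l for l in lines if any(k in l for k in KEYWORDS)]
        if len(hits) <= 1:
            continue
        times = [floor_5m(datetime.strptime(TIME_RE.search(l).group(1), "%Y-%m-%dT%H:%M:%SZ"))
                 for l in hits]
        msgs = sorted({m.group(1) for l in hits if (m := MSG_RE.search(l))})
        codes = sorted({m.group(1) for l in hits if (m := EXIT_RE.search(l))})
        severity, attack_type = classify(len(hits))
        report[host] = {"first_seen": min(times).strftime("%Y-%m-%d %H:%M:%S"),
                        "last_seen": max(times).strftime("%Y-%m-%d %H:%M:%S"),
                        "termination_count": len(hits), "unique_errors": len(msgs), "error_messages": msgs,
                        "exit_codes": codes, "severity": severity, "attack_type": attack_type}
    return report
```

Note that because `_time` is not in the `by host` clause, the `bin` only floors `first_seen` and `last_seen` to 5-minute boundaries; the count itself is per host over the whole search window, which is why a single noisy host accumulates toward "critical" regardless of how the crashes are spread in time.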