Splunk

Ollama Abnormal Network Connectivity

Last updated 2 days ago on 2026-07-17

About

Detects abnormal network activity and connectivity issues in Ollama including non-localhost API access attempts and warning-level network errors such as DNS lookup failures, TCP connection issues, or host resolution problems that may indicate network-based attacks, unauthorized access attempts, or infrastructure reconnaissance activity.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://github.com/rosplk/ta-ollama(external, opens in a new tab or window)
False Positives
Legitimate remote access from authorized users or applications connecting from non-localhost addresses, temporary network infrastructure issues causing DNS resolution failures, firewall or network configuration changes resulting in connection timeouts, cloud-hosted Ollama instances receiving valid external API requests, or intermittent connectivity problems during network maintenance may trigger this detection during normal operations.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`ollama_server` level=WARN (msg="*failed*" OR msg="*dial tcp*" OR msg="*lookup*" OR msg="*no such host*" OR msg="*connection*" OR msg="*network*" OR msg="*timeout*" OR msg="*unreachable*" OR msg="*refused*") | eval src=coalesce(src, src_ip, "N/A") | stats count as incidents, values(src) as src, values(msg) as warning_messages, latest(_time) as last_incident BY host | eval last_incident=strftime(last_incident, "%Y-%m-%d %H:%M:%S") | eval severity="medium" | eval attack_type="Abnormal Network Connectivity" | stats count BY last_incident, host, incidents, src, warning_messages, severity, attack_type | `ollama_abnormal_network_connectivity_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).