Splunk

Ollama Abnormal Service Crash Availability Attack

Last updated 2 days ago on 2026-07-17

About

Detects critical service crashes, fatal errors, and abnormal process terminations in Ollama that may indicate exploitation attempts, resource exhaustion attacks, malicious input triggering unhandled exceptions, or deliberate denial of service attacks designed to disrupt AI model availability and degrade system stability.
Platform
Splunk
Tags
Data Source: SplunkDomain: ApplicationRule Type: QueryOS: Any
Severity
medium
Risk Score
47
References
https://github.com/rosplk/ta-ollama(external, opens in a new tab or window)
False Positives
Normal service restarts during system updates or maintenance windows, graceful shutdowns with non-zero exit codes, intentional service stops by administrators, software upgrades requiring process termination, out-of-memory conditions on resource-constrained systems, or known bugs in specific Ollama versions that cause benign crashes may trigger this detection during routine operations.
Source
View on GitHub(external, opens in a new tab or window)

Definition

Rule Language
SPL
Rule Type
query
text code block:
`ollama_server` (level=ERROR OR level=FATAL OR "service stopped" OR "terminated" OR "exit" OR "shutdown" OR "crash" OR "killed") | rex field=_raw "msg=\"(?<msg>[^\"]+)\"" | rex field=_raw "exit_code=(?<exit_code>\d+)" | bin _time span=5m | stats count as termination_count, earliest(_time) as first_seen, latest(_time) as last_seen, values(msg) as error_messages, values(exit_code) as exit_codes, dc(msg) as unique_errors by host | eval first_seen=strftime(first_seen, "%Y-%m-%d %H:%M:%S") | eval last_seen=strftime(last_seen, "%Y-%m-%d %H:%M:%S") | eval severity=case( termination_count > 5, "critical", termination_count > 2, "high", 1=1, "medium" ) | eval attack_type=case( termination_count > 5, "Resource Exhaustion", termination_count > 2, "Repeated Service Failures", 1=1, "Service Instability" ) | where termination_count > 1 | table first_seen, last_seen, host, termination_count, unique_errors, error_messages, severity, attack_type | `ollama_abnormal_service_crash_availability_attack_filter`

View this rule on Splunk

This rule was sourced from the official Splunk public repository. View the original rule on GitHub(external, opens in a new tab or window).