Last active
May 4, 2026 07:42
Gist: dglauche/748bef24e5bc35789c8906333804f567
SPL Query for CVE-2026-31431 / CopyFail
index=linux* sourcetype IN ("auditd", "linux:auditd:enriched") TERM(proctitle)
| rex "proctitle=(?P<proctitle>.*)"
| eval proctitle_clean = urldecode(replace(proctitle,"([0-9A-F]{2})","%\1"))
| search proctitle_clean="*/sbin/modprobe*" AND proctitle_clean IN ("*net-pf-38*", "*algif-aead*", "*crypto-authencesn*")
| eval
    is_net_pf_38 = if(match(proctitle_clean, ".*net-pf-38.*"), 1, 0),
    is_algif_aead = if(match(proctitle_clean, ".*algif-aead.*"), 1, 0),
    is_crypto_authencesn = if(match(proctitle_clean, ".*crypto-authencesn.*"), 1, 0)
| bin _time span=1m
| stats sum(is_net_pf_38) AS net_pf_38, sum(is_algif_aead) AS algif_aead, sum(is_crypto_authencesn) AS crypto_authencesn BY host, _time
| search net_pf_38 >= 1 AND algif_aead >= 1 AND crypto_authencesn >= 2
| stats dc(_time) AS execution_count, values(_time) AS execution_time BY host
| eval execution_time=strftime(execution_time, "%Y-%m-%d %H:%M")
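The same detection logic as a stand-alone Python script, added here as an example (it is not part of the gist) so the thresholds can be exercised against raw auditd PROCTITLE records without a Splunk instance. The host names, audit serials, epoch timestamps and all sample records are constructed; what is real is auditd's hex form of proctitle (argv elements joined by NUL bytes, upper-case hex) and the kernel's usermode-helper invocation `/sbin/modprobe -q -- <alias>` that the query keys on. The script mirrors each SPL stage: proctitle decoding, the modprobe filter, the per-alias flags, the 1-minute bin, the `>= 1 / >= 1 / >= 2` threshold and the per-host summary, and the sample data includes a host whose second crypto-authencesn request spills into the next minute bin to show that the span boundary matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Per-minute counters and the thresholds the SPL applies after `bin _time span=1m`:
# the AF_ALG socket family (net-pf-38), the AEAD algif interface, and at least
# two crypto-authencesn module requests on the same host in the same minute.
PATTERNS = {
    "net_pf_38": "net-pf-38",
    "algif_aead": "algif-aead",
    "crypto_authencesn": "crypto-authencesn",
}
THRESHOLDS = {"net_pf_38": 1, "algif_aead": 1, "crypto_authencesn": 2}

AUDIT_TS_RE = re.compile(r"msg=audit\((?P<ts>\d+)\.\d+:\d+\)")
PROCTITLE_RE = re.compile(r"proctitle=(?P<proctitle>\S+)")
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")


def decode_proctitle(raw: str) -> str:
    """Mirror of the SPL replace()+urldecode() step.

    auditd emits PROCTITLE as upper-case hex when the command line contains
    NUL or other unprintable bytes (argv elements are NUL-separated) and as a
    quoted string otherwise. Only all-hex values are decoded; the NUL
    separators are turned into spaces so the result reads as a command line.
    """
    if HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
    return raw.strip('"')


def parse_record(line: str):
    """Return (epoch_seconds, proctitle_clean) for a PROCTITLE line, else None."""
    ts = AUDIT_TS_RE.search(line)
    pt = PROCTITLE_RE.search(line)
    if not ts or not pt:
        return None
    return int(ts.group("ts")), decode_proctitle(pt.group("proctitle"))


def detect(records):
    """Apply the query's logic to (host, audit_line) pairs.

    Returns {host: {"execution_count": n, "execution_time": [...]}} for every
    host that, within one minute, asked modprobe for net-pf-38 at least once,
    algif-aead at least once and crypto-authencesn at least twice.
    """
    counts = defaultdict(lambda: defaultdict(int))  # (host, minute) -> field -> count
    for host, line in records:
        parsed = parse_record(line)
        if parsed is None:
            continue
        ts, title = parsed
        if "/sbin/modprobe" not in title:           # search proctitle_clean="*/sbin/modprobe*"
            continue
        minute = ts - ts % 60                        # bin _time span=1m
        for field, needle in PATTERNS.items():
            if needle in title:                      # if(match(proctitle_clean, ".*needle.*"), 1, 0)
                counts[(host, minute)][field] += 1

    hits = defaultdict(list)
    for (host, minute), c in counts.items():
        if all(c[f] >= n for f, n in THRESHOLDS.items()):
            hits[host].append(datetime.fromtimestamp(minute, tz=timezone.utc).strftime("%Y-%m-%d %H:%M"))
    return {h: {"execution_count": len(t), "execution_time": sorted(t)} for h, t in hits.items()}


def _hex_proctitle(argv):
    """Build the hex PROCTITLE form auditd uses: argv joined by NUL, hex, upper case."""
    return "\x00".join(argv).encode().hex().upper()


def _modprobe_line(ts, alias, serial):
    """Constructed PROCTITLE record for the kernel's `/sbin/modprobe -q -- <alias>` call."""
    return (f"type=PROCTITLE msg=audit({ts}.100:{serial}): "
            f"proctitle={_hex_proctitle(['/sbin/modprobe', '-q', '--', alias])}")


BASE = 1777880400  # 2026-05-04 07:40:00 UTC; constructed, as are the hosts and serials below
SAMPLE_RECORDS = [
    # web01: all three aliases in one minute, crypto-authencesn twice -> hit
    ("web01", _modprobe_line(BASE + 1, "net-pf-38", 5001)),
    ("web01", _modprobe_line(BASE + 2, "algif-aead", 5002)),
    ("web01", _modprobe_line(BASE + 3, "crypto-authencesn", 5003)),
    ("web01", _modprobe_line(BASE + 4, "crypto-authencesn", 5004)),
    ("web01", f'type=PROCTITLE msg=audit({BASE + 5}.100:5005): proctitle="bash"'),  # quoted, non-hex form
    # db02: no algif-aead and only one crypto-authencesn request -> no hit
    ("db02", _modprobe_line(BASE + 10, "net-pf-38", 6001)),
    ("db02", _modprobe_line(BASE + 11, "crypto-authencesn", 6002)),
    # build03: same aliases, but the second crypto-authencesn request lands in the next minute -> no hit
    ("build03", _modprobe_line(BASE + 50, "net-pf-38", 7001)),
    ("build03", _modprobe_line(BASE + 55, "algif-aead", 7002)),
    ("build03", _modprobe_line(BASE + 58, "crypto-authencesn", 7003)),
    ("build03", _modprobe_line(BASE + 61, "crypto-authencesn", 7004)),
]

if __name__ == "__main__":
    for host, result in detect(SAMPLE_RECORDS).items():
        print(host, result)
```

Two differences from the SPL are deliberate: the script formats times in UTC, whereas Splunk's `strftime` uses the search-time timezone, and the hex decode is only applied to values that are entirely hex pairs, because the query's `replace("([0-9A-F]{2})", "%\1")` would also rewrite an upper-case hex-looking fragment inside an unencoded quoted proctitle.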