Detection: CrushFTP Max Simultaneous Users From IP

Description

The following analytic identifies instances where CrushFTP has blocked access due to exceeding the maximum number of simultaneous connections from a single IP address. This activity may indicate brute force attempts, credential stuffing, or automated attacks against the CrushFTP server. This detection is particularly relevant following the discovery of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

`crushftp` "*User access not allowed.  Max simultaneous users from your IP*"
| rex field=_raw "SESSION\\|\\d+\\/\\d+\\/\\d+ \\d+:\\d+:\\d+\\.\\d+\\|\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[0-9\\.]+)\\]"
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip
| where count >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `crushftp_max_simultaneous_users_from_ip_filter`

Data Source

Name       Platform   Sourcetype             Source
CrushFTP   N/A        crushftp:sessionlogs   crushftp

Macros Used

Name                                             Value
crushftp                                         sourcetype="crushftp:sessionlogs"
crushftp_max_simultaneous_users_from_ip_filter   search *

crushftp_max_simultaneous_users_from_ip_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

MITRE ATT&CK

ID          Technique             Tactic
T1110.001   Password Guessing     Credential Access
T1110.004   Credential Stuffing   Credential Access

Kill Chain Phases: Exploitation
NIST: DE.AE
CIS: CIS 13

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting              Value
Disabled             true
Cron Schedule        0 * * * *
Earliest Time        -70m@m
Latest Time          -10m@m
Schedule Window      auto
Creates Risk Event   True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. Ensure the sourcetype is correctly set for the CrushFTP logs. The detection requires the SESSION field and the "[HTTP:*:user:IP]" format in the logs. Adjust the threshold in the "where count >= 3" clause based on your environment's normal behavior.
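To show what the search's rex and stats stages do to the "[HTTP:*:user:IP]" session-log format, here is an added Python re-implementation of the detection logic (example code, not part of the Splunk detection or of CrushFTP). The log lines are constructed to match the regex in the search, and the MM/DD/YYYY timestamp layout is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Message text the search's first clause matches (note the double space).
BLOCK_MSG = "User access not allowed.  Max simultaneous users from your IP"

# Python equivalent of the rex in the search:
# SESSION|<date time>|[HTTP:<session id>:<user>:<src_ip>]
SESSION_RE = re.compile(
    r"SESSION\|(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+\.\d+)\|"
    r"\[HTTP:[^:]+:(?P<user>[^:]+):(?P<src_ip>[0-9.]+)\]"
)

# Constructed sample lines; real CrushFTP output may differ in detail.
SAMPLE_LOGS = [
    "SESSION|04/07/2025 10:15:01.123|[HTTP:1:admin:203.0.113.5] " + BLOCK_MSG,
    "SESSION|04/07/2025 10:15:02.456|[HTTP:2:root:203.0.113.5] " + BLOCK_MSG,
    "SESSION|04/07/2025 10:15:03.789|[HTTP:3:test:203.0.113.5] " + BLOCK_MSG,
    "SESSION|04/07/2025 10:16:00.000|[HTTP:4:alice:198.51.100.9] " + BLOCK_MSG,
    "SESSION|04/07/2025 10:16:05.000|[HTTP:5:alice:198.51.100.9] Login successful",
]


def parse_event(line):
    """Return (timestamp, user, src_ip) for a blocked-access line, else None."""
    if BLOCK_MSG not in line:
        return None
    m = SESSION_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %H:%M:%S.%f")  # assumed layout
    return ts, m.group("user"), m.group("src_ip")


def detect(lines, threshold=3):
    """Mirror the stats/where stages: count per src_ip, keep count >= threshold."""
    by_ip = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "user": set()})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        ts, user, ip = ev
        agg = by_ip[ip]
        agg["count"] += 1
        agg["firstTime"] = ts if agg["firstTime"] is None else min(agg["firstTime"], ts)
        agg["lastTime"] = ts if agg["lastTime"] is None else max(agg["lastTime"], ts)
        agg["user"].add(user)
    return {ip: dict(a, user=sorted(a["user"])) for ip, a in by_ip.items() if a["count"] >= threshold}


if __name__ == "__main__":
    for ip, hit in detect(SAMPLE_LOGS).items():
        print(ip, hit["count"], hit["user"], hit["firstTime"], hit["lastTime"])
```

Lowering `threshold` corresponds to editing the "where count >= 3" clause in the search; the NAT/proxy case from the false-positives section shows up as one IP accumulating many distinct users.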

Known False Positives

In environments where multiple users legitimately access CrushFTP from behind the same NAT or proxy, this may generate false positives. Tune the threshold based on your organization's usage patterns.

Associated Analytic Story

Risk Based Analytics (RBA)

Risk Message:

Potential brute force or automated attack against CrushFTP detected from IP $src_ip$

Risk Object   Risk Object Type   Risk Score   Threat Objects
src_ip        system             45           No Threat Objects

References

Detection Testing

Test Type     Status    Dataset   Source     Sourcetype
Validation    Passing   N/A       N/A        N/A
Unit          Passing   Dataset   crushftp   crushftp:sessionlogs
Integration   Passing   Dataset   crushftp   crushftp:sessionlogs

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.


Source: GitHub | Version: 1