Detection: CrushFTP Max Simultaneous Users From IP

Updated Date: 2025-04-08 ID: 75dfd9f4-ca64-45d0-9422-4bde6d26a59e Author: Michael Haag, Splunk Type: Anomaly Product: Splunk Enterprise Security

Description

The following analytic identifies instances where CrushFTP has blocked access due to exceeding the maximum number of simultaneous connections from a single IP address. This activity may indicate brute force attempts, credential stuffing, or automated attacks against the CrushFTP server. This detection is particularly relevant following the discovery of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

Search

1`crushftp` "*User access not allowed.  Max simultaneous users from your IP*" 
2| rex field=_raw "SESSION\\
3|\\d+\\/\\d+\\/\\d+ \\d+:\\d+:\\d+\\.\\d+\\
4|\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[0-9\\.]+)\\]" 
5| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip 
6| where count >= 3 
7| `security_content_ctime(firstTime)` 
8| `security_content_ctime(lastTime)` 
9| `crushftp_max_simultaneous_users_from_ip_filter`

Data Source

Name	Platform	Sourcetype	Source
CrushFTP	N/A	`'crushftp:sessionlogs'`	`'crushftp'`

Macros Used

Name	Value
crushftp	`sourcetype="crushftp:sessionlogs"`
crushftp_max_simultaneous_users_from_ip_filter	`search *`

crushftp_max_simultaneous_users_from_ip_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Annotations

- MITRE ATT&CK

+ Kill Chain Phases

+ NIST

+ CIS

- Threat Actors

ID	Technique	Tactic
T1110.001	Password Guessing	Credential Access
T1110.004	Credential Stuffing	Credential Access

Exploitation

DE.AE

CIS 13

APT29

Chimera

Default Configuration

This detection is configured by default in Splunk Enterprise Security to run with the following settings:

Setting	Value
Disabled	true
Cron Schedule	`0 * * * *`
Earliest Time	`-70m@m`
Latest Time	`-10m@m`
Schedule Window	`auto`
Creates Risk Event	True

This configuration file applies to all detections of type anomaly. These detections will use Risk Based Alerting.

Implementation

To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. Ensure the sourcetype is correctly set for the CrushFTP logs. The detection requires the SESSION field and the "[HTTP:*:user:IP]" format in the logs. Adjust the threshold in the "where count >= 3" clause based on your environment's normal behavior.

Known False Positives

In environments where multiple users legitimately access CrushFTP from behind the same NAT or proxy, this may generate false positives. Tune the threshold based on your organization's usage patterns.

Associated Analytic Story

CrushFTP Vulnerabilities

Risk Based Analytics (RBA)

Risk Message:

Potential brute force or automated attack against CrushFTP detected from IP $src_ip$

Risk Object	Risk Object Type	Risk Score	Threat Objects
src_ip	system	45	No Threat Objects

References

Detection Testing

Test Type	Status	Dataset	Source	Sourcetype
Validation	✅ Passing	N/A	N/A	N/A
Unit	✅ Passing	Dataset	`crushftp`	`crushftp:sessionlogs`
Integration	✅ Passing	Dataset	`crushftp`	`crushftp:sessionlogs`

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

Source: GitHub | Version: 1