Name:CrushFTP Max Simultaneous Users From IP id:75dfd9f4-ca64-45d0-9422-4bde6d26a59e version:1 date:2025-04-08 author:Michael Haag, Splunk status:production type:Anomaly Description:The following analytic identifies instances where CrushFTP has blocked access due to exceeding the maximum number of simultaneous connections from a single IP address. This activity may indicate brute force attempts, credential stuffing, or automated attacks against the CrushFTP server. This detection is particularly relevant following the discovery of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. Data_source:
-CrushFTP
search:`crushftp` "*User access not allowed. Max simultaneous users from your IP*" | rex field=_raw "SESSION\\|\\d+\\/\\d+\\/\\d+ \\d+:\\d+:\\d+\\.\\d+\\|\\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[0-9\\.]+)\\]" | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip | where count >= 3 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `crushftp_max_simultaneous_users_from_ip_filter`
how_to_implement:To implement this detection, you need to ingest CrushFTP logs into your Splunk environment. Configure CrushFTP to forward logs to Splunk via a syslog forwarder or direct file monitoring. Ensure the sourcetype is correctly set for the CrushFTP logs. The detection requires the SESSION field and the "[HTTP:*:user:IP]" format in the logs. Adjust the threshold in the "where count >= 3" clause based on your environment's normal behavior. known_false_positives:In environments where multiple users legitimately access CrushFTP from behind the same NAT or proxy, this may generate false positives. Tune the threshold based on your organization's usage patterns. References: -https://www.huntress.com/blog/crushftp-cve-2025-31161-auth-bypass-and-post-exploitation -https://nvd.nist.gov/vuln/detail/CVE-2025-31161 -https://www.crushftp.com/crush11wiki/Wiki.jsp?page=Update drilldown_searches: name:'View the detection results for - "$src_ip$"' search:'%original_detection_search% | search src_ip = "$src_ip$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$src_ip$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$src_ip$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'CrushFTP Vulnerabilities' asset_type:Web Server mitre_attack_id: - 'T1110.001' - 'T1110.004' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:network cve: - 'CVE-2025-31161'
