LoFP

In environments where multiple users legitimately access CrushFTP from behind the same NAT or proxy, this rule may generate false positives, because the per-IP block counts every user sharing that address. Tune the threshold (the `count >= 3` cutoff in the sample rule) to your organization's usage patterns.

Techniques

Sample rules

CrushFTP Max Simultaneous Users From IP

Description

The following analytic identifies instances where CrushFTP has blocked a login because the source IP exceeded the server's configured limit on simultaneous users from a single address (the "Max simultaneous users from your IP" message in the CrushFTP log). Repeated blocks from one IP may indicate brute force attempts, credential stuffing, or other automated attacks against the CrushFTP server. This detection is particularly relevant following the discovery of CVE-2025-31161, an authentication bypass vulnerability in CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0.

Detection logic

`crushftp` "*User access not allowed.  Max simultaneous users from your IP*"
| rex field=_raw "SESSION\|\d+\/\d+\/\d+ \d+:\d+:\d+\.\d+\|\[HTTP:[^:]+:(?<user>[^:]+):(?<src_ip>[0-9\.]+)\]"
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip
| where count >= 3
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `crushftp_max_simultaneous_users_from_ip_filter`
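To make the SPL stages concrete, here is the same logic run over a few constructed CrushFTP-style log lines in Python. This is an added example, not code from the rule, from Splunk, or from CrushFTP: the log lines are invented to fit the layout the rule's rex expects (SESSION|date time|[HTTP:session:user:ip]message), the regex adds a timestamp capture so `_time` can be derived, and the `threshold` parameter stands in for the `where count >= 3` cutoff that the false-positive note above says to tune for shared NAT or proxy addresses.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed CrushFTP-style log lines for illustration (not captured from a real server).
# Layout mirrors what the rule's rex expects: SESSION|<date time>|[HTTP:<session>:<user>:<ip>]<message>
SAMPLE_LOGS = [
    "SESSION|04/02/2025 10:15:22.101|[HTTP:2_481:crushadmin:203.0.113.5]READ: *User access not allowed.  Max simultaneous users from your IP*",
    "SESSION|04/02/2025 10:15:22.340|[HTTP:2_482:crushadmin:203.0.113.5]READ: *User access not allowed.  Max simultaneous users from your IP*",
    "SESSION|04/02/2025 10:15:23.007|[HTTP:2_483:admin:203.0.113.5]READ: *User access not allowed.  Max simultaneous users from your IP*",
    # One IP with only two blocks stays under the default threshold.
    "SESSION|04/02/2025 10:20:01.555|[HTTP:2_490:alice:198.51.100.7]READ: *User access not allowed.  Max simultaneous users from your IP*",
    "SESSION|04/02/2025 10:20:02.010|[HTTP:2_491:alice:198.51.100.7]READ: *User access not allowed.  Max simultaneous users from your IP*",
    # A different message from the attacker IP never passes the first search stage.
    "SESSION|04/02/2025 10:15:24.000|[HTTP:2_484:admin:203.0.113.5]WROTE: *230 Login OK*",
    # Carries the message but not the SESSION layout: rex extracts no src_ip, so stats drops it.
    "MAIN|04/02/2025 10:15:25.000|User access not allowed.  Max simultaneous users from your IP (203.0.113.5)",
]

# Free-text term of the first stage; the "*...*" wildcards become a substring match here.
BLOCK_MSG = "User access not allowed.  Max simultaneous users from your IP"

# Same pattern as the rule's rex, plus a capture for the timestamp so _time can be derived.
SESSION_RE = re.compile(
    r"SESSION\|(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+\.\d+)\|"
    r"\[HTTP:[^:]+:(?P<user>[^:]+):(?P<src_ip>[0-9.]+)\]"
)
TS_FORMAT = "%m/%d/%Y %H:%M:%S.%f"  # assumed CrushFTP timestamp layout for the sample lines


def extract(line):
    """Return (src_ip, user, timestamp) for a blocked-access event, or None when the line
    lacks the block message or does not match the SESSION layout (rex yields nothing)."""
    if BLOCK_MSG not in line:
        return None
    m = SESSION_RE.search(line)
    if m is None:
        return None
    return m["src_ip"], m["user"], datetime.strptime(m["ts"], TS_FORMAT)


def detect(lines, threshold=3):
    """Aggregate blocked-access events per source IP (stats ... by src_ip) and keep only
    IPs at or above the threshold (where count >= 3 in the rule)."""
    per_ip = defaultdict(list)
    for line in lines:
        hit = extract(line)
        if hit is not None:
            src_ip, user, ts = hit
            per_ip[src_ip].append((user, ts))

    findings = {}
    for src_ip, events in per_ip.items():
        if len(events) < threshold:
            continue
        times = [ts for _, ts in events]
        findings[src_ip] = {
            "count": len(events),
            "firstTime": min(times).isoformat(timespec="milliseconds"),
            "lastTime": max(times).isoformat(timespec="milliseconds"),
            # values(user) in SPL is a deduplicated set; sorted here for stable output.
            "user": sorted({user for user, _ in events}),
        }
    return findings


if __name__ == "__main__":
    for src_ip, f in detect(SAMPLE_LOGS).items():
        print(f"{src_ip}: {f['count']} blocks by {f['user']} between {f['firstTime']} and {f['lastTime']}")
```

With the default threshold only 203.0.113.5 (three blocks across two usernames) is reported; lowering `threshold` to 2 also surfaces 198.51.100.7, which is the kind of shared-address noise the false-positive note warns about. The malformed MAIN line is dropped exactly as Splunk drops events whose rex produced no `src_ip` when grouping by that field.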