To verify that the FTP Sensor is running and is configured correctly, the following test could be executed. All the tests are executed with NMAP NSE scripts to impersonate real attacks by bots and/or hackers.
Open FTP Ports
To check if the FTP sensor is running on port 445 we could execute the following NMAP query:
nmap -sV -p 21 <ip of honeypot>
If the sensor is correctly configured, we expect the following result:
Nmap scan report for <ip of honeypot> Host is up (0.0014s latency).
PORT STATE SERVICE VERSION 21/tcp open ftp ?
MAC Address: 08:00:00:00:00:01 (Unknown)
Connecting over (s)FTP
We can trigger an attack using FileZilla Client. Connect to the honeypot as host. Username and Password are not required(Anonymous), but can be entered. Use the configured port to connect (21 by default).
Connect via the method active and transfer binary files (like images).