Hi all, how do I specifically filter FTP? I can use the filter below, but it would also show me others' normal FTP traffic.

tcp.port==21 || tcp.port==20

Tags: ftp

asked 10 Dec '16, 10:12 doran_lum
edited 10 Dec '16, 23:13
One Answer:
An FTP dictionary attack is a normal login attempt, except the logins are being done by a program instead of a human being, the passwords and possibly the user names come from a text file, and the login is tried repeatedly until it succeeds or the username/password lists are exhausted.

The way to distinguish a dictionary attack from normal logins is that the dictionary attack will normally be repeated many times until one of the logins finally succeeds, if it ever does. A human being might require two or three login attempts if he mistypes his password, but not dozens of attempts. Also, since the login attempts are being done by a program, they will happen more quickly than if a user was manually initiating each one.

So, to see all login attempts, try this filter:

ftp.request.command==USER || ftp.request.command==PASS

You will have to determine if the login attempts you see are normal or are part of a dictionary attack. If you see multiple login attempts with the same user name, but different passwords each time, that's a strong clue that it could be a dictionary attack.

answered 10 Dec '16, 10:52 Jim Aragon
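The answer above describes the three clues by eye: many attempts, the same user name with a different password each time, and attempts arriving faster than a person types. The script below is an added example (not part of the original thread or of Wireshark) that applies those clues automatically to the FTP control channel. The constructed SAMPLE imitates the tab-separated output of a tshark run such as `tshark -r capture.pcap -Y "ftp.request.command == USER || ftp.request.command == PASS || ftp.response.code" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ftp.request.command -e ftp.request.arg -e ftp.response.code`; the field names are real Wireshark display-filter fields, but the addresses, credentials and timestamps are made up. The thresholds (five attempts, three passwords for one user, a median gap of two seconds) are assumptions chosen for the example, not values from the thread.

```python
"""Flag FTP dictionary-attack behaviour from FTP control-channel fields.

Added example, not from the original thread. SAMPLE is constructed data in the
tab-separated shape of `tshark -T fields` with frame.time_epoch, ip.src, ip.dst,
ftp.request.command, ftp.request.arg and ftp.response.code (empty when absent).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed: 10.0.0.5 cycles five passwords for "admin" one second apart and
# gets in on the fifth; 10.0.0.9 is a human who mistypes once and then logs in.
SAMPLE = """\
1481364600.10\t10.0.0.5\t192.168.1.20\tUSER\tadmin\t
1481364600.12\t192.168.1.20\t10.0.0.5\t\t\t331
1481364600.90\t10.0.0.5\t192.168.1.20\tPASS\t123456\t
1481364600.95\t192.168.1.20\t10.0.0.5\t\t\t530
1481364601.10\t10.0.0.5\t192.168.1.20\tUSER\tadmin\t
1481364601.12\t192.168.1.20\t10.0.0.5\t\t\t331
1481364601.90\t10.0.0.5\t192.168.1.20\tPASS\tpassword\t
1481364601.95\t192.168.1.20\t10.0.0.5\t\t\t530
1481364602.00\t10.0.0.9\t192.168.1.20\tUSER\tbob\t
1481364602.02\t192.168.1.20\t10.0.0.9\t\t\t331
1481364602.10\t10.0.0.5\t192.168.1.20\tUSER\tadmin\t
1481364602.12\t192.168.1.20\t10.0.0.5\t\t\t331
1481364602.90\t10.0.0.5\t192.168.1.20\tPASS\tletmein\t
1481364602.95\t192.168.1.20\t10.0.0.5\t\t\t530
1481364603.10\t10.0.0.5\t192.168.1.20\tUSER\tadmin\t
1481364603.12\t192.168.1.20\t10.0.0.5\t\t\t331
1481364603.90\t10.0.0.5\t192.168.1.20\tPASS\tqwerty\t
1481364603.95\t192.168.1.20\t10.0.0.5\t\t\t530
1481364604.10\t10.0.0.5\t192.168.1.20\tUSER\tadmin\t
1481364604.12\t192.168.1.20\t10.0.0.5\t\t\t331
1481364604.90\t10.0.0.5\t192.168.1.20\tPASS\tWinter2016\t
1481364604.95\t192.168.1.20\t10.0.0.5\t\t\t230
1481364609.00\t10.0.0.9\t192.168.1.20\tPASS\thunter3\t
1481364609.05\t192.168.1.20\t10.0.0.9\t\t\t530
1481364616.00\t10.0.0.9\t192.168.1.20\tUSER\tbob\t
1481364616.02\t192.168.1.20\t10.0.0.9\t\t\t331
1481364624.00\t10.0.0.9\t192.168.1.20\tPASS\thunter2\t
1481364624.05\t192.168.1.20\t10.0.0.9\t\t\t230
"""


@dataclass
class ClientState:
    pending_user: Optional[str] = None   # last USER seen, waiting for its PASS
    open_attempt: Optional[dict] = None  # PASS sent, server verdict not yet seen
    attempts: list = field(default_factory=list)


def parse_lines(text):
    """Yield (epoch, src, dst, command, argument, response_code) per line."""
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.split("\t")
        parts += [""] * (6 - len(parts))  # tolerate lines whose trailing tabs were trimmed
        ts, src, dst, cmd, arg, code = parts[:6]
        yield float(ts), src, dst, cmd, arg, code


def analyze(text, min_attempts=5, fast_interval=2.0):
    """Pair each PASS with its USER and the server's verdict, then rate each client.

    A client is flagged when it reaches min_attempts PASS commands and either
    cycles several passwords for one user name or submits attempts with a
    median gap of at most fast_interval seconds (thresholds are assumptions).
    """
    states = defaultdict(ClientState)
    for ts, src, dst, cmd, arg, code in parse_lines(text):
        if cmd == "USER":
            states[src].pending_user = arg
        elif cmd == "PASS":
            st = states[src]
            st.open_attempt = {"ts": ts, "user": st.pending_user or "?", "password": arg, "code": None}
            st.attempts.append(st.open_attempt)
        elif code and dst in states and states[dst].open_attempt is not None:
            # Verdict on the outstanding PASS: 230 = logged in, 530 = refused.
            states[dst].open_attempt["code"] = code
            states[dst].open_attempt = None

    report = {}
    for client, st in states.items():
        if not st.attempts:
            continue
        per_user = defaultdict(set)
        for a in st.attempts:
            per_user[a["user"]].add(a["password"])
        gaps = [b["ts"] - a["ts"] for a, b in zip(st.attempts, st.attempts[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2] if gaps else None
        user, pw_set = max(per_user.items(), key=lambda kv: len(kv[1]))
        many_attempts = len(st.attempts) >= min_attempts
        same_user_many_pw = len(pw_set) >= 3
        fast = median_gap is not None and median_gap <= fast_interval
        reasons = []
        if many_attempts:
            reasons.append(f"{len(st.attempts)} login attempts")
        if same_user_many_pw:
            reasons.append(f"{len(pw_set)} different passwords for user {user!r}")
        if fast:
            reasons.append(f"median gap between attempts {median_gap:.1f}s")
        suspicious = many_attempts and (same_user_many_pw or fast)
        successes = sum(1 for a in st.attempts if a["code"] == "230")
        report[client] = {
            "attempts": len(st.attempts),
            "users": {u: len(p) for u, p in per_user.items()},
            "failures": sum(1 for a in st.attempts if a["code"] == "530"),
            "successes": successes,
            "suspicious": suspicious,
            "credential_guessed": suspicious and successes > 0,  # a guess landed: act on it
            "reasons": reasons,
        }
    return report


if __name__ == "__main__":
    for client, r in analyze(SAMPLE).items():
        verdict = "DICTIONARY ATTACK" if r["suspicious"] else "normal"
        verdict += " (a guess succeeded)" if r["credential_guessed"] else ""
        print(f"{client}: {verdict}; {r['attempts']} attempts, {r['failures']} failures; " + "; ".join(r["reasons"]))
```

Because the state is kept per client address, interleaved sessions from different hosts do not contaminate each other, and a 331 "need password" reply is never mistaken for a verdict because only a reply that follows an outstanding PASS is recorded. The `credential_guessed` flag is the part worth alerting on: a burst of 530s that ends in a 230 means the attacker now has a working account.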
Editing your original question has caused the reply to not make any sense, since the question now being asked is different from the original question.
It's better to start a new topic if you have a different question, or to add comments to the original question if you need additional information. Editing is usually reserved for fixing typos or improving the wording, not for making a new question.