Here's a pic of a Wireshark capture of poet in action.
Since poet's beacons are woefully simple and literally based on whether the client can socket.connect() to the server, at a network level this equates to a client sending a TCP SYN and the unlistening server sending back a TCP RST. This is pretty noisy, and all those RSTs look really suspicious if anyone's looking at traffic.
Really need to refactor the beacons to use an actual protocol (beacon over HTTP(S), DNS, etc.). Good examples for this might be
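From the defender's side, the SYN/RST pattern described above is easy to spot in flow data: a client that keeps connecting to a port nobody listens on, at a steady interval. The following is an added example (not part of poet) that runs that check over constructed packet summaries; the thresholds, field layout and addresses are assumptions for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed packet summaries standing in for a capture (not real traffic):
# (time_s, src_ip, dst_ip, service_port, tcp_flags). service_port is the
# server-side port in both directions so a reply can be paired with its SYN.
PACKETS = []
for n in range(6):                      # client polls an unlistening port every 60 s
    t = 60.0 * n
    PACKETS.append((t, "10.0.0.5", "203.0.113.10", 8080, "S"))
    PACKETS.append((t + 0.01, "203.0.113.10", "10.0.0.5", 8080, "RA"))
PACKETS += [                            # ordinary handshake and a one-off refusal
    (5.00, "10.0.0.5", "203.0.113.20", 443, "S"),
    (5.02, "203.0.113.20", "10.0.0.5", 443, "SA"),
    (12.00, "10.0.0.5", "203.0.113.30", 22, "S"),
    (12.01, "203.0.113.30", "10.0.0.5", 22, "RA"),
]

def find_rst_beacons(packets, min_attempts=4, max_jitter=0.2):
    """Pair each client SYN with the server's immediate RST (i.e. no SYN-ACK)
    and report (client, server, port) tuples refused repeatedly at a steady interval."""
    pending = {}                  # (client, server, port) -> time of unanswered SYN
    refused = defaultdict(list)   # same key -> SYN times that drew a RST
    for t, src, dst, port, flags in sorted(packets):
        if flags == "S":
            pending[(src, dst, port)] = t
        elif flags in ("R", "RA"):
            t_syn = pending.pop((dst, src, port), None)
            if t_syn is not None:
                refused[(dst, src, port)].append(t_syn)
        elif flags == "SA":
            pending.pop((dst, src, port), None)   # handshake proceeding: not a refusal
    findings = []
    for (client, server, port), times in refused.items():
        if len(times) < min_attempts:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        jitter = pstdev(gaps) / avg if avg > 0 else float("inf")
        if jitter <= max_jitter:              # regular spacing is the beacon tell
            findings.append({"client": client, "server": server, "port": port,
                             "attempts": len(times), "interval_s": round(avg, 1)})
    return findings

if __name__ == "__main__":
    for f in find_rst_beacons(PACKETS):
        print(f)
```

The single refused connection to port 22 and the completed handshake on 443 are ignored; only the repeated, evenly spaced refusals on 8080 are reported.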