Closed smooshkid closed 1 year ago
I would also like to see this feature. I've changed SSH to a different port and am now getting alerts when connecting to SSH.
Hi @smooshkid and @leviustinov,
It's an interesting idea for sure. So you would like the opencanary's portscan service to only listen for scans on certain ports and ignore others? I'll bring that idea up and see what we can do.
Opencanary is seeing Windows Update Delivery Optimization as being a scan ran on the canary host. This service uses port 7680. So being able to ignore traffic using said port would be great.
@jayjb
> Opencanary is seeing Windows Update Delivery Optimization as being a scan ran on the canary host. This service uses port 7680. So being able to ignore traffic using said port would be great.
Another use case is Anydesk - by default it scans locally (feature called Discovery) on port 7070.
I would also like to add the idea of adding a "port ignore list" for the portscan service. From my very low-level understanding of the Python code, it looks to me that we would need to change the logging.
I am currently using this hack in portscan.py, which does seem to do the job:
```python
if (self.ignore_localhost and data.get('src_host', False) == '127.0.0.1' ) or data['dst_port'] in [ '80', '443', '22' ]:
```
Not sure if this is the right way, but maybe this helps somebody (to build it the right way).
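A configurable version of the port ignore list discussed in this thread, as an added example that is not opencanary's code or any commenter's. The function names, the `ignore_ports` parameter and the sample firewall log lines are assumptions made for illustration; ports are normalised to integers so a config value of `7680` or `"7680"` both match the string parsed from the log.

```python
import re

# Constructed sample lines in the iptables LOG key=value style (not real captures).
SAMPLE_LINES = [
    "kernel: IN=eth0 OUT= SRC=192.0.2.10 DST=192.0.2.50 PROTO=TCP SPT=50111 DPT=7680 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.11 DST=192.0.2.50 PROTO=TCP SPT=50112 DPT=7070 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.12 DST=192.0.2.50 PROTO=TCP SPT=50113 DPT=22 SYN",
    "kernel: IN=eth0 OUT= SRC=192.0.2.13 DST=192.0.2.50 PROTO=ICMP TYPE=8 CODE=0",
    "kernel: IN=lo OUT= SRC=127.0.0.1 DST=127.0.0.1 PROTO=TCP SPT=50114 DPT=445 SYN",
]

KV_RE = re.compile(r"(\w+)=(\S*)")


def parse_fw_line(line):
    """Return the key=value fields of one firewall log line as a dict of strings."""
    return dict(KV_RE.findall(line))


def normalise_ports(ports):
    """Accept ints or numeric strings from config; return a validated set of ints."""
    result = set()
    for port in ports:
        number = int(port)  # raises ValueError on a non-numeric entry
        if not 0 < number < 65536:
            raise ValueError("port out of range: %r" % (port,))
        result.add(number)
    return result


def should_alert(fields, ignore_ports, ignore_localhost=False):
    """Decide whether one parsed log line should produce a portscan alert."""
    if ignore_localhost and fields.get("SRC") == "127.0.0.1":
        return False
    dpt = fields.get("DPT")
    if dpt is None or not dpt.isdigit():
        # No destination port (e.g. ICMP): the port list never suppresses it.
        return True
    return int(dpt) not in ignore_ports


def filter_alerts(lines, ignore_ports, ignore_localhost=False):
    """Return parsed fields for every line that should still raise an alert."""
    ports = normalise_ports(ignore_ports)
    parsed = (parse_fw_line(line) for line in lines)
    return [f for f in parsed if should_alert(f, ports, ignore_localhost)]
```

Every port placed on the list is a port on which scans will no longer be reported, so keep it limited to known sources of noise such as the 7680 and 7070 traffic mentioned above.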
@hagen-bauer-regioit Awesome. I'm gonna give this a try tomorrow.
Having issues with portscan detection sending alerts for traffic going to port 7680 (WUDO). Would like to have the module ignore any traffic coming from said port. Any suggestions? Thanks