Portscan Ignore Certain Ports

[smooshkid]

Having issues with portscan detection sending alerts for traffic going to port 7680 (WUDO). Would like to have the module ignore any traffic coming from said port. Any suggestions? Thanks

[leviustinov]

I would also like to see this feature. I've changed SSH to a different port and now getting alerts when connecting to ssh.

[jayjb]

Hi @smooshkid and @leviustinov,

Its an interesting idea for sure. So you would like the opencanary's portscan service to only listen for scans on certain ports and ignore others? Ill bring that idea up and see what we can do.

[smooshkid]

Opencanary is seeing Windows Update Delivery Optimization as being a scan ran on the canary host. This service uses port 7680. So being able to ignore traffic using said port would be great.

[smooshkid]

@jayjb

[leviustinov]

Opencanary is seeing Windows Update Delivery Optimization as being a scan ran on the canary host. This service uses port 7680. So being able to ignore traffic using said port would be great.

Another use case is Anydesk - by default it scans locally (feature called Discovery) on port 7070.

[hagen-bauer-regioit]

I would also like to add the idea of adding a "port ignore list" for the portscan service. From my very low level understanding of the python code it looks to me that we would need to change the logging.

[hagen-bauer-regioit]

I am currently using this hack in portscan.py which does seem to do the job

if (self.ignore_localhost and data.get('src_host', False) == '127.0.0.1' ) or data['dst_port'] in [ '80', '443', '22' ]:

not sure if this i the right way but maybe this helps somebody (to build it the right way)

[smooshkid]

@hagen-bauer-regioit awesome. im gonna give this a try tomorrow.

[jayjb]

Hey folks.

This functionality has been added.

You can now specify which ports to ignore in the config using the following key:

"portscan.ignore_ports": [ ],