Portscan
Port scanning is considered one of the first reconnaissance techniques used by hackers. It is a sign that someone is trying to figure out exactly what is on your machine. It is the first step for anyone from novice to experienced hackers, and it can tell them which ports are open, which protocols are running, the operating system, etc. They are then able to find which vulnerabilities would work on your devices.
This plugin watches for Nmap scans being run against your devices.
This includes SYN, FIN, NULL, XMAS, and OS scans. These scans send packets to your ports and, based on the responses, the scanner can learn whether a port is open and what protocol is running.
- SYN: This scan starts the TCP handshake, but doesn't complete it
- FIN: Only the FIN flag is set (this normally is only used to mark the end of a TCP connection)
- NULL: No TCP flags are set
- XMAS: FIN, URG, and PSH flags are set
- OS Scan: a slightly more complicated pattern that gathers information on the device's responses to different TCP options, the TTLs, and its responses to malformed packets. Nmap uses this to determine the operating system running.
How does this work with Trapster?
Simply activate this plugin and Trapster will use nftables rules to log packets matching Nmap patterns. This won't affect the traffic reaching Trapster at all; it simply records the IPs sending scans. Nmap scans are recorded and sent to your Dashboard along with the IP address they come from and the list of ports that were scanned.
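The flag patterns listed above can be matched with a few bit tests. The following is an added example, not Trapster's own code: it classifies the TCP flags of each packet and groups the result by source IP and scanned ports, as the plugin's report is described. The function names, the sample traffic, and the three-port threshold for SYN scans are assumptions, and OS-scan fingerprinting is not covered.

```python
from collections import defaultdict

# TCP flag bits as laid out in the flags byte of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
MASK = FIN | SYN | RST | PSH | ACK | URG

def classify(flags):
    """Map a TCP flags byte to one of the scan types listed above, or None."""
    f = flags & MASK
    if f == 0:
        return "NULL"
    if f == FIN:
        return "FIN"
    if f == (FIN | PSH | URG):
        return "XMAS"
    if f == SYN:
        return "SYN"  # also how every normal connection starts
    return None

def summarize(packets, syn_port_threshold=3):
    """Group matching packets by source IP and scan type.

    packets: iterable of (src_ip, dst_port, flags_byte).
    A lone SYN is ordinary traffic, so SYN is reported only when one source
    touches at least syn_port_threshold distinct ports (assumed value).
    """
    seen = defaultdict(lambda: defaultdict(set))
    for src, dport, flags in packets:
        kind = classify(flags)
        if kind:
            seen[src][kind].add(dport)
    report = {}
    for src, kinds in seen.items():
        hits = {k: sorted(p) for k, p in kinds.items()
                if k != "SYN" or len(p) >= syn_port_threshold}
        if hits:
            report[src] = hits
    return report

# Constructed sample traffic (documentation-range addresses)
SAMPLE = [
    ("192.0.2.10", 22, SYN), ("192.0.2.10", 80, SYN), ("192.0.2.10", 443, SYN),
    ("192.0.2.20", 443, SYN), ("192.0.2.20", 443, ACK),  # one ordinary connection
    ("198.51.100.7", 23, FIN | PSH | URG), ("198.51.100.7", 21, FIN | PSH | URG),
    ("203.0.113.5", 8080, 0), ("203.0.113.5", 25, FIN),
]

if __name__ == "__main__":
    for ip, hits in summarize(SAMPLE).items():
        print(ip, hits)
```

FIN, NULL and XMAS packets never occur at the start of a legitimate connection, so a single one is worth recording; a SYN only becomes a signal when the same source probes several ports.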
