sfp_portscan_tcp: Correlate open dev ports #1827

Open: wants to merge 3 commits into base: master
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -21,7 +21,7 @@ SpiderFoot has an embedded web-server for providing a clean and intuitive web-ba
- Web based UI or CLI
- Over 200 modules (see below)
- Python 3.7+
- YAML-configurable [correlation engine](/correlations/README.md) with [37 pre-defined rules](/correlations)
- YAML-configurable [correlation engine](/correlations/README.md) with [38 pre-defined rules](/correlations)
- CSV/JSON/GEXF export
- API key export/import
- SQLite back-end for custom querying
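Review bot: the rule count in the "38 pre-defined rules" link text is hand-maintained, and the same number is repeated further down in this file in the contributing section, so it will drift the next time a rule is added or removed without both lines being touched. Both occurrences are updated consistently in this PR, but consider dropping the number from the link text (e.g. "with a set of [pre-defined rules](/correlations)") so the README does not need editing for every new rule.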
Expand Down Expand Up @@ -121,7 +121,7 @@ Whether you're a contributor, user or just curious about SpiderFoot and OSINT in

We have a comprehensive write-up and reference of the correlation rule-set introduced in SpiderFoot 4.0 [here](/correlations/README.md).

Also take a look at the [template.yaml](/correlations/template.yaml) file for a walk through. The existing [37 rules](/correlations) are also quite readable and good as starting points for additional rules.
Also take a look at the [template.yaml](/correlations/template.yaml) file for a walk through. The existing [38 rules](/correlations) are also quite readable and good as starting points for additional rules.

### MODULES / INTEGRATIONS

25 changes: 25 additions & 0 deletions correlations/dev_port.yaml
@@ -0,0 +1,25 @@
id: dev_port
version: 1
meta:
name: A common port appearing to be a test or development service was found
description: >
A host with an open tcp
port that is often used for development purposes
was found. This may indicate a system that is exposed
over the Internet unintentionally, and/or may be less secure
than other systems.
risk: MEDIUM
collections:
- collect:
- method: exact
field: type
value: TCP_PORT_OPEN
- method: regex
field: data
value:
- .*:8000$
- .*:8080$
- .*:8888$
aggregation:
field: source.data
headline: "Development or internal service found: {source.data}"
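Review bot: the risk level of MEDIUM is hard to justify from a single open port in the regex list (`.*:8080$`, `.*:8000$`, `.*:8888$`): 8080 in particular is widely used as an alternate HTTP port by production proxies and application servers, so this rule will fire on many hosts that are neither development nor internal, and the description itself only says the host "may" be unintentionally exposed. Consider lowering the risk to LOW, or limiting the match to ports with a weaker production footprint, and tightening the description: "A host with an open tcp port" should read "open TCP port" to match the TCP_PORT_OPEN event type, and "Development or internal service found" in the headline overstates what a port number alone shows. The regex anchors are correct as written (`:8000$` will not match `:18000`), but document in the description that the match is on the port suffix of the `host:port` data, since nothing else in the rule explains what the regexes are applied to.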
2 changes: 1 addition & 1 deletion modules/sfp_portscan_tcp.py
Expand Up @@ -38,7 +38,7 @@ class sfp_portscan_tcp(SpiderFootPlugin):
'389', '443', '445', '465', '512', '513', '514', '515', '3306',
'5432', '1521', '2638', '1433', '3389', '5900', '5901', '5902',
'5903', '5631', '631', '636',
'990', '992', '993', '995', '1080', '8080', '8888', '9000'],
'990', '992', '993', '995', '1080', '8000', '8080', '8888', '9000'],
'timeout': 15,
'maxthreads': 10,
'randomize': True,
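Review bot: adding '8000' to the default port list is the only change that makes the new dev_port.yaml rule able to fire on port 8000, and it takes effect only for users running with the default 'ports' option; anyone who has saved a customised port list in their configuration will keep scanning without 8000, so the correlation will silently never match for them. Mention this in the PR description or the rule's description so operators know to add the port themselves. Separately, the list is not in numeric order ('3306' precedes '5432', '1521' and '1433'), and 8000 is slotted into the one run that happens to be sorted; either sort the whole default list or leave a comment explaining the grouping so future additions land consistently.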