No documentation re: gh0stRAT emulation
I'm experimenting with using masscanned, and we've had an abuse report come through as it was detected that we are "associated with an ongoing malware attack".
It would probably be useful to add a warning that this false positive might be detected (and potentially an option to turn this off?) so that this doesn't mistakenly have people responding as if it's an actual security incident. (Always good to practice these things, I guess?!)
The goal of Masscanned is to answer requests "as deeply as we can". The actors that send abuse reports based on their scan results (to be clear: they scan your machine, then send you an abuse because of what you answered) should be silently ignored. But to answer your request:
- I don't see where we could / should display a warning
- we could provide an option to selectively enable or disable each protocol. If you feel like providing a PR for that, we'd be glad to review & accept it.
> I don't see where we could / should display a warning
Just a note in the readme or something saying that it emulates it would be useful, I had to dig into the code to realise that it did (and that it might cause a report)
Our cloud provider contacted us re: a potential issue because it thought we'd been infected, and I didn't realise straight away that it was actually masscanned, and started to look into it as if it was gh0stRAT :) (on my day off, too!)
I'll need to learn a bit more Rust before I can provide that PR. I'm just about getting to grips with reading it :)
> Just a note in the readme or something saying that it emulates it would be useful, I had to dig into the code to realise that it did (and that it might cause a report)
Sounds sensible. Feel free to propose a PR to add something in the README.
BTW, sorry about your day off!
Don't worry about it
I'll throw a PR up later