Ports4u is a Golang-based application built for malware network traffic analysis, intended as a replacement for tools such as InetSim. It detects attempted connections to ports and quickly creates a listener on that port. It takes advantage of the multiple attempts TCP will make if it does not get a response to its SYN packet. Ports4u uses iptables to block the RST packets that would otherwise notify the client of a closed port.
Ports4u also supports forwarding traffic, based on the data it receives, to the real services it runs. For example, if it receives HTTP on some other port, it forwards that traffic to the HTTP server on port 80.
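As an added illustration of that forwarding idea (example code written for this page, not Ports4u's own): a Go listener peeks at the first bytes of each connection, decides whether they look like an HTTP request or a TLS record, and proxies the stream to the matching local service on port 80 or 443. The demo listener port 8080 and the protocol heuristics are assumptions of the example.

```go
package main

import (
	"bufio"
	"bytes"
	"io"
	"net"
)

// classify looks at a client's first bytes and returns the port of the real
// service: "443" for a TLS record (type 0x16, version 0x03xx), "80" for an
// HTTP request line, "" if unrecognised. Heuristics are this example's own.
func classify(peek []byte) string {
	if len(peek) >= 3 && peek[0] == 0x16 && peek[1] == 0x03 && peek[2] <= 0x04 {
		return "443"
	}
	for _, m := range []string{"GET ", "POST ", "HEAD ", "PUT ", "DELETE ", "OPTIONS ", "CONNECT "} {
		if bytes.HasPrefix(peek, []byte(m)) {
			return "80"
		}
	}
	return ""
}

// forward peeks at the first bytes without consuming them, dials the chosen
// local service and proxies both directions; unrecognised streams are closed.
func forward(client net.Conn) {
	defer client.Close()
	r := bufio.NewReader(client)
	peek, _ := r.Peek(8) // short slice on error; classify copes with that
	port := classify(peek)
	if port == "" {
		return
	}
	upstream, err := net.Dial("tcp", net.JoinHostPort("127.0.0.1", port))
	if err != nil {
		return
	}
	defer upstream.Close()
	go io.Copy(upstream, r)   // client -> service, replaying the peeked bytes
	io.Copy(client, upstream) // service -> client
}
func main() {
	ln, err := net.Listen("tcp", "127.0.0.1:8080") // constructed demo port
	if err != nil {
		panic(err)
	}
	for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
		go forward(c)
	}
}
```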
Ports4u is currently intended to be run in a Docker container.
This assumes you have Docker installed.
Run:
make build
Ports4u currently runs the following services:
- HTTP on port 80
- TLS on port 443
All logs are available in the logs subdirectory. Ports4u will create it on startup if it is not already present.
Contains the contents sent to Ports4u, with the remote IP and port in the filename.
Data received is prepended with:
<<<<<<<< <REMOTE_IP> ----------------------------
While data sent is prepended with:
>>>>>>>> <REMOTE_IP> ----------------------------
Contains a newline-separated list of IPs that connections were made to.
Contains a newline-separated list of domains that were requested.
Contains a list of connections seen; the format is:
tcp or udp|<IP>|<PORT>
- More services to forward to