
[Feature Request] Port Scan Detection Capability (similar to Portmaster implementation PR) #1584

@NRGLine4Sec

Description

Add a port scan detection capability to OpenSnitch in order to detect suspicious inbound behaviors (e.g. multiple connection attempts across ports from a single source).

Port scanning is a very common reconnaissance technique and often an early indicator of malicious activity. Having this visibility directly in OpenSnitch would provide a useful security signal without requiring additional tooling.

Reference

A similar feature is currently being discussed/implemented in Portmaster:

This PR may provide useful ideas regarding detection heuristics and implementation approach.

Rationale

Today, detecting port scans on Linux often requires external tools such as:

These tools are:

  • relatively old or minimally maintained
  • not integrated with modern endpoint monitoring workflows

Integrating this capability into OpenSnitch would:

  • reduce dependency on legacy tools
  • centralize network visibility (outbound + suspicious inbound activity)
  • improve usability for both desktop and security-focused use cases

Proposed Scope

  • Detect multiple connection attempts to different ports within a configurable time window
  • Track source IP and apply configurable thresholds
  • Support TCP (UDP optional)
  • Generate alerts in the UI with relevant context (source IP, ports, timestamp)
  • Optional logging for further analysis
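A worked sketch of the heuristic the proposal describes (per-source tracking, distinct ports within a configurable window, a threshold, and an alert carrying source, ports and timestamp). This is an example added here, not code from the issue, from the Portmaster PR or from OpenSnitch itself; the `Event`, `Alert` and `Detector` types, the 5-ports-per-10-seconds tuning and the trace in `SampleEvents` are all assumptions made for the example, and the events would have to come from whatever inbound hook the daemon ends up exposing.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
	"time"
)

// Event is one inbound connection attempt. The type is assumed for this
// example; it is not OpenSnitch's own event structure.
type Event struct {
	Time    time.Time
	Src     netip.Addr
	DstPort uint16
	Proto   string // "tcp" or "udp"
}

// Alert carries the context the proposal asks for: source, ports, timestamp.
type Alert struct {
	Src   netip.Addr
	Ports []uint16
	At    time.Time
}

type hit struct {
	port uint16
	at   time.Time
}

// Detector counts distinct destination ports per source inside a sliding window.
type Detector struct {
	Window    time.Duration
	Threshold int             // distinct ports within Window that raise an alert
	Protos    map[string]bool // protocols inspected (TCP here, UDP optional)
	hits      map[netip.Addr][]hit
	lastAlert map[netip.Addr]time.Time // one alert per source per Window
}

func NewDetector(window time.Duration, threshold int, protos ...string) *Detector {
	d := &Detector{Window: window, Threshold: threshold, Protos: map[string]bool{},
		hits: map[netip.Addr][]hit{}, lastAlert: map[netip.Addr]time.Time{}}
	for _, p := range protos {
		d.Protos[p] = true
	}
	return d
}

// Observe records an event (events of one source arrive in time order) and
// reports an alert once that source has hit Threshold distinct ports in Window.
func (d *Detector) Observe(e Event) (Alert, bool) {
	if !d.Protos[e.Proto] {
		return Alert{}, false
	}
	// Drop hits that fell out of the window, then add this one.
	kept := d.hits[e.Src][:0]
	for _, h := range d.hits[e.Src] {
		if e.Time.Sub(h.at) <= d.Window {
			kept = append(kept, h)
		}
	}
	kept = append(kept, hit{port: e.DstPort, at: e.Time})
	d.hits[e.Src] = kept

	distinct := map[uint16]struct{}{}
	for _, h := range kept {
		distinct[h.port] = struct{}{}
	}
	if len(distinct) < d.Threshold {
		return Alert{}, false
	}
	// Rate-limit so a scanner that keeps probing does not flood the UI.
	if last, ok := d.lastAlert[e.Src]; ok && e.Time.Sub(last) <= d.Window {
		return Alert{}, false
	}
	d.lastAlert[e.Src] = e.Time

	ports := make([]uint16, 0, len(distinct))
	for p := range distinct {
		ports = append(ports, p)
	}
	sort.Slice(ports, func(i, j int) bool { return ports[i] < ports[j] })
	return Alert{Src: e.Src, Ports: ports, At: e.Time}, true
}

// SampleEvents is a constructed trace: 10.0.0.5 probes six ports within two
// seconds (a scan); 10.0.0.9 reconnects to port 22 six times (not a scan).
func SampleEvents() []Event {
	base := time.Date(2024, 1, 1, 12, 0, 0, 0, time.UTC)
	scanner, client := netip.MustParseAddr("10.0.0.5"), netip.MustParseAddr("10.0.0.9")
	var evs []Event
	for i, p := range []uint16{21, 22, 23, 25, 80, 443} {
		evs = append(evs, Event{Time: base.Add(time.Duration(i) * 300 * time.Millisecond), Src: scanner, DstPort: p, Proto: "tcp"})
	}
	for i := 0; i < 6; i++ {
		evs = append(evs, Event{Time: base.Add(time.Duration(i) * time.Second), Src: client, DstPort: 22, Proto: "tcp"})
	}
	return evs
}

// RunSample feeds the trace through a detector tuned to 5 distinct ports per 10 s.
func RunSample() []Alert {
	d := NewDetector(10*time.Second, 5, "tcp")
	var alerts []Alert
	for _, e := range SampleEvents() {
		if a, ok := d.Observe(e); ok {
			alerts = append(alerts, a)
		}
	}
	return alerts
}

func main() {
	for _, a := range RunSample() {
		fmt.Printf("possible port scan from %s at %s: ports %v\n", a.Src, a.At.Format(time.RFC3339), a.Ports)
	}
}
```

Two points a practitioner would want before wiring something like this into the daemon: the count is of distinct ports, not of attempts, so a client retrying one service (the port-22 case in the trace) never trips it, while a real scan fires on the fifth distinct port and is then suppressed for the rest of the window; and the source address is only as trustworthy as the packet, so a scanner using spoofed or decoy sources will produce alerts attributed to the wrong host. Thresholds and window need to stay configurable, as the proposal says, because a single legitimate client can still touch several ports on a multi-service host.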

Labels

feature (a whole new feature)
