Description
The current spec defines that closed ports should not be included in the JSON. For the purposes of OSINT and fingerprinting, a closed port is as useful to know about as an open port. This can allow you to rescan a host at a later time and compare the previous scan with the latest to see which ports have changed/opened.
For example, if you have a Host and it’s running Nginx on port 80, port 25 is closed, port 22 is open running OpenSSHD — then you scan it again a month later and port 25 is now open, port 80 and port 22 are closed, it’s very possible that the Host isn’t being operated by the same owner or it is no longer being used for the same purpose. This is valuable information to know when trying to assess what a Host is (C2 server, compromised host, etc.) and can help in aging out indicators from your feed/database.
Expected Behavior
Allow for Ports to contain the standard nmap-style designations of: open, closed, filtered, or unfiltered.
Current Behavior
Schema only allows for open ports to be added.
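The rescan comparison described in the issue, as an added example that is not part of the original issue or the spec: it diffs two scans of the host from the description and shows what an open-only record loses. The `{port: state}` layout and the function names are hypothetical, and the scan data is constructed.

```python
# Added example: the {port: state} layout is hypothetical, not the spec's schema.
STATES = {"open", "closed", "filtered", "unfiltered"}  # designations named in the issue

def diff_port_states(old, new):
    """Compare two scans of one host, each a {port: state} dict.

    A port absent from a scan is reported as "unknown": with an open-only
    schema, absence cannot distinguish closed from filtered or not scanned.
    """
    for scan in (old, new):
        bad = {s for s in scan.values() if s not in STATES}
        if bad:
            raise ValueError(f"unexpected port state(s): {sorted(bad)}")
    changes = {}
    for port in sorted(set(old) | set(new)):
        before = old.get(port, "unknown")
        after = new.get(port, "unknown")
        if before != after:
            changes[port] = (before, after)
    return changes

def confirmed_transitions(changes):
    """Keep only changes where both sides were actually observed."""
    return {p: c for p, c in changes.items() if "unknown" not in c}

# Constructed sample data mirroring the host described in the issue.
first_scan = {22: "open", 25: "closed", 80: "open"}
later_scan = {22: "closed", 25: "open", 80: "closed"}

# The same two scans as an open-only schema would record them.
first_open_only = {p: s for p, s in first_scan.items() if s == "open"}
later_open_only = {p: s for p, s in later_scan.items() if s == "open"}

if __name__ == "__main__":
    full = diff_port_states(first_scan, later_scan)
    lossy = diff_port_states(first_open_only, later_open_only)
    print("with all states:", confirmed_transitions(full))
    print("open-only:      ", confirmed_transitions(lossy), "| ambiguous:", lossy)
```

With all four states recorded, every change on the host is a confirmed transition; with open-only records, each change has an "unknown" side, so none can be confirmed.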