feat: release v2.4.0 with native SYN scan and detailed snort benchmark

NexusFireMan · NexusFireMan · commit ef641989ca72 · 2026-03-09T14:00:33.000+01:00
diff --git a/.github/.release-please-manifest.json b/.github/.release-please-manifest.json
@@ -1,3 +1,3 @@
 {
-  ".": "2.3.1"
+  ".": "2.4.0"
 }
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file.
 
+## [2.4.0] - 2026-03-09
+
+### Added
+- **Selectable scan engine**: new `--scan-type connect|syn` flag.
+- **Native SYN discovery mode**: `syn` mode uses GoMap raw TCP SYN probes to discover open ports before optional service detection.
+
+### Changed
+- **Scan headers**: text output now indicates which scan type is being used.
+- **README benchmark section**: expanded with detailed CONNECT vs SYN vs GHOST lab measurements against Snort.
+
+### Fixed
+- **Resilience**: automatic fallback to `connect` scan when SYN requirements are not met (unsupported OS or insufficient privileges).
+- **Native SYN response parsing**: improved packet decoding and batched response collection to reduce false negatives under heavier scans.
+
 ## [2.3.1] - 2026-02-25
 
 ### Fixed
diff --git a/README.md b/README.md
@@ -4,7 +4,7 @@ A fast TCP port scanner written in Go, with optional service/version detection,
 
 ## Current scope
 
-- Fast concurrent TCP connect scanning.
+- Fast concurrent TCP scanning with selectable engine (`connect` or `syn`).
 - Optional service and version detection (`-s`).
 - Single host, hostname, comma-separated targets, and CIDR ranges.
 - CIDR active-host discovery by TCP probes (no ICMP ping).
@@ -51,6 +51,9 @@ go install github.com/NexusFireMan/gomap/v2@latest
 # Default scan (top common ports)
 ./gomap 10.0.11.6
 
+# Native SYN scan discovery (requires root/CAP_NET_RAW)
+./gomap --scan-type syn 10.0.11.6
+
 # Service/version detection on selected ports
 ./gomap -s -p 21,22,80,135,139,445,5985 10.0.11.6
 
@@ -78,6 +81,7 @@ Usage:
 
 Main options:
   -p                ports to scan (example: 80,443 or 1-1024 or - for all)
+  --scan-type       connect|syn (default: connect)
   --top, --top-ports scan top N ports from curated top-1000 list
   --exclude-ports   remove ports from final scan set
   -s                enable service/version detection
@@ -128,40 +132,58 @@ When `-s` is enabled, gomap combines port-based hints and protocol/banner parsin
 - SSH/FTP/PostgreSQL/Redis/MySQL and other protocol banners.
 - SMB-oriented identification for `microsoft-ds` targets.
 
-Important: banner-based detection is heuristic. Always validate critical findings with a second tool (`nmap -sV`, native service queries, or manual protocol checks).
+Important: banner-based detection is heuristic. Always validate critical findings with a second tool.
+
+`--scan-type syn` notes:
+- Uses GoMap native raw TCP SYN probes for port discovery, then optional service detection on open ports.
+- If SYN scan cannot run (insufficient privileges or unsupported OS), GoMap falls back to `connect` scan automatically.
+- For noisy links, tune reliability explicitly with `--retries` and `--rate`.
 
 Note: `--random-ip` randomizes HTTP headers only; it does not spoof the real TCP source IP.
 
 ## Stealth benchmark (lab)
 
-Benchmark executed on **February 25, 2026** with:
+Benchmark executed on **March 9, 2026** with:
 
 - Scanner host: `10.0.11.11`
-- Targets: `10.0.11.0/24` (Metasploitable3 Windows `10.0.11.6`, Linux `10.0.11.9`, Snort `10.0.11.8`)
+- Targets: `10.0.11.0/24` (Windows `10.0.11.6`, Linux `10.0.11.9`, Snort `10.0.11.8`)
 - IDS: Snort `2.9.20` (`10.0.11.8`)
-- Ports: `22,80,139,445,3389,5985`
+- Port set: `22,80,139,445,3389,5985`
+- Log analyzed: `/var/log/snort/snort.alert.fast`
+- Attribution filter: source `10.0.11.11`
 
 Commands compared:
 
 ```bash
-# Normal
+# CONNECT normal
 gomap -s -p 22,80,139,445,3389,5985 10.0.11.0/24
 
-# Ghost ultra-stealth
+# CONNECT ghost
 gomap -g -s --random-agent --random-ip -p 22,80,139,445,3389,5985 10.0.11.0/24
+
+# SYN normal (native, requires root/CAP_NET_RAW)
+sudo gomap --scan-type syn -s -p 22,80,139,445,3389,5985 10.0.11.0/24
+
+# SYN ghost
+sudo gomap -g -s --scan-type syn --random-agent --random-ip -p 22,80,139,445,3389,5985 10.0.11.0/24
 ```
 
-Observed results (Snort `snort.alert.fast`, TCP alerts with source `10.0.11.11`):
+Observed results (single run per profile):
 
-| Mode | New alerts (all) | New TCP alerts from scanner | Scan duration |
-|------|-------------------|-----------------------------|---------------|
-| Normal | 104 | 89 | ~6.2s |
-| Ghost ultra-stealth | 41 | 20 | ~11.5s |
+| Profile | Duration | Hosts scanned | Open ports found | New alerts (all) | New alerts from scanner IP | New TCP alerts from scanner IP |
+|---|---:|---:|---:|---:|---:|---:|
+| CONNECT normal | 6.801s | 4 | 10 | 97 | 97 | 96 |
+| CONNECT ghost | 10.893s | 3 | 9 | 64 | 64 | 62 |
+| SYN normal | 9.26s | 4 | 10 | 104 | 104 | 103 |
+| SYN ghost | 11.793s | 3 | 9 | 48 | 48 | 47 |
 
-Takeaway:
+Takeaways:
 
-- Ghost ultra-stealth reduced scanner-attributed TCP alerts by about **77.5%** (`89 -> 20`).
-- Tradeoff is slower execution and less aggressive service/version fingerprinting.
+- `ghost` mode reduced scanner-attributed TCP alerts in both engines:
+  - CONNECT: `96 -> 62` (about `-35.4%`)
+  - SYN: `103 -> 47` (about `-54.4%`)
+- In this Snort rule set, SYN generated more alerts than CONNECT for the same target/ports.
+- Ghost CIDR discovery is intentionally conservative and may scan fewer active hosts (`3` vs `4` in this run).
 
 ## Output formats
 
diff --git a/cmd/gomap/cli.go b/cmd/gomap/cli.go
@@ -13,6 +13,7 @@ import (
 // CLIOptions holds all parsed/validated CLI arguments.
 type CLIOptions struct {
 	PortsFlag       string
+	ScanType        string
 	ExcludePorts    string
 	ServiceFlag     bool
 	GhostFlag       bool
@@ -51,6 +52,7 @@ func ParseCLIOptions(args []string) (CLIOptions, error) {
 	fs := flag.NewFlagSet("gomap", flag.ContinueOnError)
 	fs.SetOutput(os.Stderr)
 	fs.StringVar(&opts.PortsFlag, "p", "", "ports to scan (e.g., 80,443 or 1-1024 or - for all ports)")
+	fs.StringVar(&opts.ScanType, "scan-type", "connect", "scan technique: connect|syn")
 	fs.StringVar(&opts.ExcludePorts, "exclude-ports", "", "exclude ports (e.g., 80,443 or 1-1024)")
 	fs.BoolVar(&opts.ServiceFlag, "s", false, "detect services and versions")
 	fs.BoolVar(&opts.GhostFlag, "g", false, "ghost mode - slower, stealthy scan to evade IDS/Firewall detection")
@@ -138,6 +140,10 @@ func normalizeOptions(opts CLIOptions) (CLIOptions, error) {
 	if opts.TopPortsAlias > 0 {
 		opts.TopPorts = opts.TopPortsAlias
 	}
+	opts.ScanType = strings.ToLower(strings.TrimSpace(opts.ScanType))
+	if opts.ScanType != "connect" && opts.ScanType != "syn" {
+		return opts, errors.New("invalid --scan-type. Allowed: connect, syn")
+	}
 	if opts.TopPorts < 0 {
 		return opts, errors.New("--top must be a positive number")
 	}
@@ -214,6 +220,7 @@ func printHelp(w *os.File) {
 
 %sTarget & Scan:%s
   -p <ports>                 ports to scan (80,443 | 1-1024 | -)
+  --scan-type <type>         connect|syn (syn requires root/CAP_NET_RAW)
   --top <N>                  scan top N ports from curated top-1000 list
   --top-ports <N>            alias of --top
   --exclude-ports <ports>    remove ports from final scan set
@@ -250,6 +257,7 @@ func printHelp(w *os.File) {
 
 %sExamples:%s
   gomap 10.0.11.6
+  gomap --scan-type syn 10.0.11.6
   gomap -s -p 21,22,80,445 10.0.11.9
   gomap -s --top-ports 300 10.0.11.0/24
   gomap -g -s --random-agent --random-ip 10.0.11.0/24
diff --git a/cmd/gomap/cli_test.go b/cmd/gomap/cli_test.go
@@ -64,3 +64,20 @@ func TestParseCLIOptionsHelpFlag(t *testing.T) {
 		t.Fatalf("expected errHelp, got: %v", err)
 	}
 }
+
+func TestParseCLIOptionsScanType(t *testing.T) {
+	opts, err := ParseCLIOptions([]string{"--scan-type", "syn", "10.0.11.6"})
+	if err != nil {
+		t.Fatalf("unexpected error: %v", err)
+	}
+	if opts.ScanType != "syn" {
+		t.Fatalf("expected scan type syn, got %q", opts.ScanType)
+	}
+}
+
+func TestParseCLIOptionsScanTypeInvalid(t *testing.T) {
+	_, err := ParseCLIOptions([]string{"--scan-type", "udp", "10.0.11.6"})
+	if err == nil {
+		t.Fatal("expected error for invalid scan type")
+	}
+}
diff --git a/cmd/gomap/main.go b/cmd/gomap/main.go
@@ -47,6 +47,7 @@ func Run() {
 	req := app.ScanRequest{
 		Target:          opts.Host,
 		PortsFlag:       opts.PortsFlag,
+		ScanType:        opts.ScanType,
 		ExcludePorts:    opts.ExcludePorts,
 		TopPorts:        opts.TopPorts,
 		Rate:            opts.Rate,
diff --git a/cmd/gomap/version.go b/cmd/gomap/version.go
@@ -9,7 +9,7 @@ import (
 
 var (
 	// Version is injected at build time with -ldflags.
-	Version = "2.3.1"
+	Version = "2.4.0"
 	// Commit is injected at build time with -ldflags.
 	Commit = "dev"
 	// Date is injected at build time with -ldflags.
diff --git a/pkg/app/scan.go b/pkg/app/scan.go
@@ -15,6 +15,7 @@ import (
 type ScanRequest struct {
 	Target          string
 	PortsFlag       string
+	ScanType        string
 	ExcludePorts    string
 	TopPorts        int
 	Rate            int
@@ -38,6 +39,10 @@ type ScanRequest struct {
 // ExecuteScan runs the complete scan workflow: target expansion, host discovery, scan, and rendering.
 func ExecuteScan(req ScanRequest) error {
 	machineOutput := req.Format != "text"
+	if req.ScanType == "" {
+		req.ScanType = "connect"
+	}
+	scanLabel := strings.ToUpper(req.ScanType)
 
 	destWriter := output.DefaultWriter()
 	var outFile *os.File
@@ -142,16 +147,16 @@ func ExecuteScan(req ScanRequest) error {
 	if !machineOutput {
 		if len(targets) == 1 {
 			if req.GhostMode {
-				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s ports) - %s (stealthy)", output.Host(targets[0]), output.Count(len(portsToScan)), output.Warning("Ghost mode"))))
+				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s ports, %s scan) - %s (stealthy)", output.Host(targets[0]), output.Count(len(portsToScan)), output.Highlight(scanLabel), output.Warning("Ghost mode"))))
 			} else {
-				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s ports)", output.Host(targets[0]), output.Count(len(portsToScan)))))
+				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s ports, %s scan)", output.Host(targets[0]), output.Count(len(portsToScan)), output.Highlight(scanLabel))))
 			}
 		} else {
 			targetRange, _, _ := scanner.FormatCIDRInfo(req.Target)
 			if req.GhostMode {
-				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s active hosts, %s ports) - %s (stealthy)", output.Highlight(targetRange), output.Count(len(targets)), output.Count(len(portsToScan)), output.Warning("Ghost mode"))))
+				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s active hosts, %s ports, %s scan) - %s (stealthy)", output.Highlight(targetRange), output.Count(len(targets)), output.Count(len(portsToScan)), output.Highlight(scanLabel), output.Warning("Ghost mode"))))
 			} else {
-				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s active hosts, %s ports)", output.Highlight(targetRange), output.Count(len(targets)), output.Count(len(portsToScan)))))
+				fmt.Printf("%s\n\n", output.Info(fmt.Sprintf("🎯 Scanning %s (%s active hosts, %s ports, %s scan)", output.Highlight(targetRange), output.Count(len(targets)), output.Count(len(portsToScan)), output.Highlight(scanLabel))))
 			}
 		}
 	}
@@ -186,9 +191,26 @@ func ExecuteScan(req ScanRequest) error {
 			RandomIP:        req.RandomIP,
 			TargetCIDR:      cidrForHeaders,
 		})
-		openPorts := s.Scan(portsToScan, req.ServiceDetect)
-		if len(openPorts) > 0 {
-			allResults[targetIP] = openPorts
+		var openResults []scanner.ScanResult
+		if req.ScanType == "syn" {
+			synOpenPorts, synErr := scanner.DiscoverOpenPortsSYN(targetIP, portsToScan, scanner.SYNConfig{
+				Rate:      req.Rate,
+				Retries:   req.Retries,
+				GhostMode: req.GhostMode,
+			})
+			if synErr != nil {
+				if !machineOutput {
+					fmt.Printf("%s\n", output.StatusWarn(fmt.Sprintf("SYN scan unavailable on %s (%v). Falling back to connect scan.", targetIP, synErr)))
+				}
+				openResults = s.Scan(portsToScan, req.ServiceDetect)
+			} else {
+				openResults = scanner.BuildResultsFromKnownOpenPorts(s, synOpenPorts, req.ServiceDetect)
+			}
+		} else {
+			openResults = s.Scan(portsToScan, req.ServiceDetect)
+		}
+		if len(openResults) > 0 {
+			allResults[targetIP] = openResults
 		}
 	}
 	scanDuration := time.Since(scanStart)
diff --git a/pkg/scanner/syn.go b/pkg/scanner/syn.go
diff --git a/pkg/scanner/syn_test.go b/pkg/scanner/syn_test.go

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,3 @@`
`1`	`1`	`{`
`2`		`- ".": "2.3.1"`
	`2`	`+ ".": "2.4.0"`
`3`	`3`	`}`