Quote from: wirehire on November 06, 2025, 12:59:59 PMyou right, nothing upload are very good, from this sign. But the plugin matched the list and the blocklist take from the blocklist the ip. So when the pluing can see that dangerous ip take to connect and block ist, it can also see and write to the plugin log, which port.
for zero days often, the check in wave specific ports. So when you see that many ips scan for a specific port in a wave, you can take it different.
Where the question to the qfeed maintainer. Can your plugin without upload to your instances, see which port the attacker probt to be connect ?
patch --directory=/ -p0 < radiusv3.patch