From c86684c8375e8ebf81543469f74a04825f9555cf Mon Sep 17 00:00:00 2001
From: Johnathan <39648915+TrebledJ@users.noreply.github.com>
Date: Tue, 5 May 2026 00:04:48 +0800
Subject: [PATCH] feat: avoid scanning cloudflare hosts

Hosts proxied by cloudflare are typically websites, where ports of interest are 80 and 443. Other ports such as 8080, 8880, 2052, 2053, etc. are ports exposed by [cloudflare](https://developers.cloudflare.com/fundamentals/reference/network-ports/) which are generally uninteresting and host the same content, and thus could be considered FP.
---
 bbot/modules/portscan.py | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/bbot/modules/portscan.py b/bbot/modules/portscan.py
index c4897d507b..f4c3ef9c5b 100644
--- a/bbot/modules/portscan.py
+++ b/bbot/modules/portscan.py
@@ -92,6 +92,15 @@ async def setup(self):
 self.ipv6_support = False
 return True

+ async def filter_event(self, event):
+ if event.tags and any('cloudflare' in t for t in event.tags):
+ self.info(f"Skipping portscan due to Cloudflare asset {event} with tags {event.tags} and resolved hosts {event.resolved_hosts}")
+ host = event.resolved_hosts[0] if event.resolved_hosts else event.host
+ self.emit_open_port(host, 80, event) # emit HTTP
+ self.emit_open_port(host, 443, event) # emit HTTPS
+ return False, f"Skipping portscan due to Cloudflare asset: {event}"
+ return True
+
 async def handle_batch(self, *events):
 # ping scan
 if self.ping_scan:
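Review bot: The two `self.emit_open_port(host, 80, event)` / `self.emit_open_port(host, 443, event)` calls in `filter_event` report ports as open that were never probed, so every Cloudflare-tagged host appears with 80 and 443 as confirmed findings, and a filter hook gains an emitting side effect. `emit_open_port` is not shown in this hunk; if it is a coroutine like the surrounding `async def` methods, the un-awaited calls create coroutine objects that are discarded and nothing is emitted, so they would need `await self.emit_open_port(host, 80, event)`. `event.resolved_hosts[0]` assumes an indexable sequence; if that attribute is a set, `host = next(iter(event.resolved_hosts), event.host)` avoids a `TypeError`, though picking one arbitrary address still drops the rest. The substring test `'cloudflare' in t` skips the whole event when any tag matches, so a name that resolves to both Cloudflare and non-Cloudflare addresses would lose port coverage for the latter; a docstring on `filter_event` stating that trade-off, and that the emitted ports are assumed rather than observed, would help.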