Translate Queries to Search 2.0
Censys Search 2.0 better reflects the real state of the Internet, but how do you update your old queries?

Browse these "before and after" examples that showcase differences between the legacy Search and Search 2.0. Observe the differences in data fields, query syntax, and results and then apply the changes to your favorite queries!
Service Searches
Services on hosts are identified by a service name and are reachable on a port. You will recognize most names as traditional L7 protocols such as HTTP, although not all service names are (e.g., ELASTICSEARCH).
Search for Hosts Running a Service
These queries return hosts running an SSH service.
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
Service data is independent of port number in Search 2.0: notice that the query makes no reference to port 22, as the legacy search did. The greater number of results also indicates that the additional SSH services returned in 2.0 are running on ports other than the standard one (i.e., 22).
Search for a Service With an Attribute
These queries return hosts with a web page title containing the word "Dashboard."
(Words such as "Dash" and "Dashboards" are not returned. Whitespace-delimited phrases such as "Dashboard Panel" are returned.)
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
The legacy search product found HTTP services on five ports, whereas Search 2.0 can find HTTP services on any port.
Search for Services With an Exact Attribute
These queries return hosts with an HTTP page title that is exactly "Dashboard."
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
In Search 1.0, exact matches could be sought in fields that had an accompanying field that ended in .raw, but not every field in the schema had an equivalent .raw.
In Search 2.0, searching for an exact match for a phrase is as simple as using the exact match operator (=).
Search for Services With Some Matching Attributes
These queries return hosts running any of the Remote Access Protocols that Censys can detect.
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
Notice two things in the 2.0 query:
- There’s no OR. Search 2.0 accepts boolean operators like or, but it also has a set operator {}, which more succinctly denotes what would otherwise be a long (but perfectly valid) or statement.
- There’s an additional specification in the 2.0 query to only return hosts that do not have a truncated service.
  This is to weed out a class of hosts that Censys calls "superhosts" such as honeypots and firewalled hosts, which often present hundreds of open ports without any real services. When Censys finds these superhosts, it truncates the data about each of the host’s (pseudo)services.
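The equivalence between the set operator and a long or statement can be checked mechanically when migrating saved queries. The following Python sketch is an added example, not Censys code: it expands each set clause into its or chain and collapses a pure single-field or chain back into a set. The field names services.service_name and services.truncated and the sample service names are assumptions used for illustration.

```python
import re

# Field and value names used with these helpers are assumptions, not from the page.
SET_CLAUSE = re.compile(r'([\w.]+)\s*:\s*\{([^{}]*)\}')    # field: {v1, v2}
TERM = re.compile(r'([\w.]+)\s*:\s*("[^"]*"|[^\s(){}]+)')  # field: value
VALUE = re.compile(r'"[^"]*"|[^,\s]+')                     # bare or quoted value


def expand_sets(query):
    """Rewrite each set clause as the parenthesised `or` chain it abbreviates."""
    def repl(m):
        field, values = m.group(1), VALUE.findall(m.group(2))
        if not values:
            raise ValueError("empty set for field " + field)
        return "(" + " or ".join(f"{field}: {v}" for v in values) + ")"
    return SET_CLAUSE.sub(repl, query)


def collapse_or_chain(chain):
    """Collapse `f: a OR f: b OR ...` into `f: {a, b, ...}`.

    Only a pure `or` chain over one field is equivalent to a set, so anything
    else (an `and`, a second field, stray text) raises ValueError.
    """
    text = chain.strip()
    if text.startswith("(") and text.endswith(")"):
        text = text[1:-1]
    fields, values, pos = set(), [], 0
    for m in TERM.finditer(text):
        gap = text[pos:m.start()].strip().lower()
        if gap != ("or" if values else ""):
            raise ValueError("not a pure or-chain: " + repr(gap))
        fields.add(m.group(1))
        if m.group(2) not in values:      # drop duplicates, keep order
            values.append(m.group(2))
        pos = m.end()
    if not values or text[pos:].strip() or len(fields) != 1:
        raise ValueError("expected one field joined only by `or`")
    return fields.pop() + ": {" + ", ".join(values) + "}"


if __name__ == "__main__":
    long_form = ("services.service_name: RDP OR services.service_name: VNC "
                 "OR services.service_name: X11")          # constructed sample
    compact = collapse_or_chain(long_form) + " and services.truncated: false"
    print(compact)
    print(expand_sets(compact))
```

Rejecting mixed chains matters here: an and term or a second field silently folded into a set would change which hosts the query returns.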
Software Searches
Search for Services Running a Software Product
These queries return hosts with a service using any version of Microsoft Exchange Server.
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
While Search 2.0 has a text field called services.software.product that can be used to search for "Exchange Server," Censys recommends using the newly supported CPE-formatted URIs to search for software.
CPE URIs yield more results because they are standardized, whereas a field like product may contain variations that would not be returned for a text search.
For example, searching for "Exchange Server" in the product field would not return hosts whose product was "Exchange 2003 Server" or "Exchange 2007 Server." (Show me what gets missed using the product field)
TLS-Related Searches
Many protocols use TLS, so Search 2.0 presents TLS information in a separate field at the same layer as other top-level service fields to allow searching for TLS properties across any service.
Note the resulting simplification of search queries in the following examples.
Search for Hosts Using a TLS Version
These queries return hosts running a service that uses an out-of-date TLS version (1.0).
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
Note the difference in TLS version orthography between the two Search products (TLSv1.0 vs. TLSv1_0).
Tip: If you’re not getting results in Search 2.0 and you think it might be because of a difference in the orthography of field values, try running a report on the field you’re querying to see how the values look.
Search for Hosts Presenting a Certificate With an Attribute
These queries return hosts presenting a self-signed certificate.
Search Product | Search Query | No. of Results
1.0 | |
2.0 | |
Since TLS data is located at the top level of the service object, no protocol specification is necessary in the Search 2.0 query. Any service that has TLS data will be searched and returned if the self-signed attribute is true.