Service Information
The Legacy Search dataset features numerous service-related fields. They can be used to identify the applications and content present on hosts and virtual hosts. The following list is a short preview of the top-level, service-related fields present in the Legacy Search dataset. In addition to top-level service fields, there are hundreds of service fields organized by the specific service name (such as services.ftp, services.dns, services.ssh, services.tls, services.http, and so on). Example queries targeting service fields are provided below the table.
The data definitions table in the Legacy Search web app provides a complete list of service fields.
Example fields
Field | Type |
---|---|
services | nested |
services.banner | text |
services.banner_hashes | text |
services.banner_hex | text |
services.discovery_method | text |
services.extended_service_name | text |
services.parsed | object |
services.perspective_id | text |
services.port | integer |
services.service_name | text |
services.source_ip | ip |
services.transport_protocol | text |
services.truncated | boolean |
Example queries
Query description | Legacy Search query | Run query in Legacy Search |
---|---|---|
Hosts emitting GNSS payloads | services.banner: "$GPRMC" | Try it |
WinAQMS Environmental Monitor | services.banner: "WinAQMS Data Server" and services.truncated: false | Try it |
Honeypot Hosts | services.truncated: true | Try it |
Return hosts that are running an HTTP service on port 8888 | services: (port: 8888 and service_name: HTTP) | Try it |
Compromised MikroTik Routers | services.service_name: MIKROTIK_BW and "HACKED" | Try it |
Services on port 53 that are not DNS | services: (port: 53 and not service_name: DNS) and services.truncated: false | Try it |
Return hosts with port 443 open (with any service type) and an HTTP service (on any port). Note that search criteria apply to a host or certificate as a whole unless specified otherwise, so this query returns hosts with any service on port 443 and HTTP on any port. | services.port: 443 and services.service_name: HTTP | Try it |
Search for hosts that have any of the following ports open: 22, 23, 24, 25 | services.port: {22, 23, 24, 25} | Try it |
Find hosts running SSH on a non-standard port, for example, neither 22 nor 2222 | services: (service_name: SSH and not port: {22, 2222}) | Try it |
Network devices with exposed login pages | services: (labels:{network.device, login-page}) | Try it |
Search for hosts that have at least one non-HTTP service | services: (not service_name: HTTP) | Try it |
Find hosts running a specific service | services.service_name: SSH | Try it |
Search for hosts that have no HTTP services | not services.service_name: HTTP | Try it |
Search for hosts with services that Censys Scanners last observed within NTT and TELIA ISPs | services.perspective_id: "PERSPECTIVE_NTT" and services.perspective_id: "PERSPECTIVE_TELIA" | Try it |
Find ATG servers | services.service_name: ATG | Try it |
Find Cobalt Strike servers | services.service_name: COBALT_STRIKE | Try it |
Find hosts running software from a specific country | location.country: Russia and services.software.product: gSOAP | Try it |
Find hosts with a specific port open | services.port: 22 | Try it |
Services listening on Port 22 that are not SSH | same_service(services.port: 22 and not services.service_name: {SSH} and not services.banner: {"Connection refused", "SSH-", "Exceeded MaxStartups", "Too many users", "Connection closed by server"}) and services.truncated: false | Try it |
Find hosts with a specific service on a specific port | services: (port: 22 and service_name: SSH) | Try it |
Busybox Shells | same_service(services.banner: "Enter 'help' for a list of built-in commands" and services.service_name: TELNET) and services.truncated: false | Try it |
Counter-Strike: Global Offensive | same_service(banner: "Counter-Strike: Global Offensive Server" and service_name: VALVE) | Try it |
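The difference between host-level and per-service matching noted in the table above, modeled as an added example (not Censys code and not part of the original page). The host records, documentation-range IP addresses, and helper names are constructed for illustration.

```python
# Constructed sample hosts (not real scan data); each dict is one nested service record.
HOSTS = {
    "198.51.100.10": [{"port": 443, "service_name": "HTTP"}],
    "198.51.100.20": [{"port": 443, "service_name": "UNKNOWN"},
                      {"port": 8080, "service_name": "HTTP"}],
    "198.51.100.30": [{"port": 22, "service_name": "SSH"},
                      {"port": 80, "service_name": "HTTP"}],
    "198.51.100.40": [{"port": 2200, "service_name": "SSH"}],
}

def port(n):
    return lambda svc: svc["port"] == n

def name(v):
    return lambda svc: svc["service_name"] == v

def negate(pred):
    return lambda svc: not pred(svc)

def host_level(services, *preds):
    """Each criterion may be satisfied by a different service on the host."""
    return all(any(p(s) for s in services) for p in preds)

def same_service(services, *preds):
    """All criteria must hold on one single service record."""
    return any(all(p(s) for p in preds) for s in services)

def search(match):
    return sorted(ip for ip, svcs in HOSTS.items() if match(svcs))

def query_results():
    """Map each query form from the table to the sample hosts it would match."""
    return {
        "services.port: 443 and services.service_name: HTTP":
            search(lambda s: host_level(s, port(443), name("HTTP"))),
        "services: (port: 443 and service_name: HTTP)":
            search(lambda s: same_service(s, port(443), name("HTTP"))),
        "services: (not service_name: HTTP)":
            search(lambda s: same_service(s, negate(name("HTTP")))),
        "not services.service_name: HTTP":
            search(lambda s: not host_level(s, name("HTTP"))),
    }

if __name__ == "__main__":
    for query, hits in query_results().items():
        print(f"{query}\n    -> {hits}")
```

When auditing exposure, the host-level form over-counts: 198.51.100.20 matches it even though its port 443 service is not HTTP.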
Updated 20 days ago