Censys Help: Query Syntax

By default, Censys performs full-text searches. For example, searching for Dell will find any hosts where the word Dell appears in the record—it won't limit the search to Dell manufactured devices. However, this is possible by querying specific fields using the follow syntax:

Specifying Fields

Censys records are structured and allow querying specific fields. For example, you can search for all hosts with a specific HTTP status code with the following query: 80.http.get.status_code: 200. You can view a list of defined fields under the Data Definitions tab or by looking at the details of a host. For example, here are the fields for the Censys web server.

Boolean Logic

You can compose multiple statements using the terms and, or, not, and parentheses. For example, ("Schneider Electric" or Dell) and 23.20.0.0/14. By default, all included terms are optional (i.e., executed as an or statement).

Networks, Host Names, and Protocols

You can search for IP addresses using CIDR notation (e.g., ip:23.20.0.0/14) or by specifying a range of addresses: ip:[23.20.0.0 TO 23.20.5.34]. You can search for hosts that serve a particular protocol by searching the protocols field, e.g., protocols: "102/s7".

Inline DNS queries are possible with the following syntax: a:facebook.com and mx:gmail.com.

Ranges

You can search for ranges of numbers using [ and ] for inclusive ranges and { and } for exclusive ranges. For example, 80.http.get.status_code:[200 TO 300]. Dates should be formatted using the following syntax: [2012-01-01 TO 2012-12-31]. One sided limits can also be specified: [2012-01-01 TO *]. Warning! The TO operator must be capitalized.

Wildcards and Regular Expressions

By default, Censys searches for complete words. In other words, the search Del will not return records that contain the word Dell. Wildcard searches can be run on individual terms, using ? to replace a single character, and * to replace zero or more characters. For example, if you want to search for words that start with Del, you would search for Del*.

You can also search using regular expressions, e.g., metadata.manufacturer:/De[ll]/. The full regex syntax is available here.

Boosting

The boost operator (^) can be used to make one term more relevant than another. For example, metadata.manufacturer: Dell^2 OR "Schneider Electric" places more preference on the Dell keyword.

Reserved Characters

The following characters must be escaped with a backslash: + - = & || > < ! ( ) { } [ ] ^ " ~ * ? : \ /.