Support for website scans on odd ports

If you have a host with a website running on a non-standard port (so not 80 or 443) our scanner nodes will now automatically add it to the websites index and run website scans on it. The big advantage here is that all the security checks and software detection rules for normal websites will now also be run on the non-standard port.

The open ports overview on the host page will show a link to the website scan results. Please note that the new code has just gone live and the new software detections will not yet show up in this week's weekly report. They will appear next week.

If you want, you can add a website on a non standard port to assets yourself. Just put the port number behind it in the add assets window like this 176.58.122.230:8008

New and updates software detections

Several software detections where expanded and updated, and some new ones added. The biggest improvement is in detection software running on odd ports.

There's also quite a performance update in the scanners, but you'll only notice that if you use the API to do near real-time scans.

Defacement detection

This week's update is all about a new feature: defacement detection. The ingredients have been present for a long time already, but the feature has never been developed enough to hit production before.

There are three levels of detection. The first are major page changes on a website. This will trigger an event (query: index=events eid=1679) prompting you to check if these are legitimate changes.

The second is major changes combined with suspicious artefacts. This will result in a problem event (query: index=events eid=1680) appearing on your timeline indicating a likely defacement.

The last one is for the case where no major changes detected, but suspicious artefacts are found (query: index=events eid=1681). It will result in a warning (orange) event

If you have any false positives, please contact me. Specific cases will help us to make better detections.