Certificate alerts
14 February 2021
As announced last week, Traps will be migrated to Alerts. This week, the first step in the migration has gone live: certificate alerts. Instead of having your mailbox spammed with all certificate related alerts, you can now set your own preferences. We’ve preconfigured the important ones for you to make things easy. But you can add extra alerts for the events that are important to you.
The possible alerts are:
- New certificate found
- New certificate found, with warnings
- New certificate found, with problems
- Certificate renewed
- Certificate renewed, with warnings
- Certificate renewed, with problems
- Detected changes on TLS server
- Detected changes on TLS server, with warnings
- Detected changes on TLS server, with problems
- Certificate expired
- Certificate expires next week
- Certificate expires in two weeks
- Certificate expires in three weeks
- Certificate issuer changed
- Certificate CAA settings changed
You can also specify tags for each alert. So, if you only want to receive alerts for specific URLs, add tags to those URLs first and then create an alert with the same tags.
MMH3 hashes, more tags and better performance
07 February 2021
Lots of small changes this week. I fixed some bugs and improved the performance of the GUI, most notably in reports and search. You’ll notice when you try a full text search :-)
After JARM hashes, ShadowTrackr now also tracks the MMH3 hashes of favicons. This is useful to check for similarities with other websites and against phishy URLs, but also to pivot to other tools like Shodan. While ShadowTrackr looks in-depth at your infrastructure, Shodan looks more shallow and broad (at the entire internet). You can easily use the JARM hash and MMH3 hash to hunt for similar infrastructure.
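To show what the favicon MMH3 hash actually is and why the same number works as a Shodan pivot, here is an added example (not ShadowTrackr's code): a standard-library-only Python implementation of MurmurHash3 x86_32, applied to favicon bytes the way Shodan's published http.favicon.hash recipe does (base64 with line breaks first, then the signed 32-bit hash of that text). The favicon bytes in it are a constructed dummy.

```python
import base64

# Added example, not ShadowTrackr code. MurmurHash3 x86_32 is implemented
# inline so no mmh3 package is needed; the Shodan convention (base64 with
# 76-character line breaks, hash the encoded text, signed 32-bit result)
# follows the widely published http.favicon.hash recipe.
_C1, _C2, _MASK = 0xCC9E2D51, 0x1B873593, 0xFFFFFFFF

def _rotl32(x, r):
    return ((x << r) | (x >> (32 - r))) & _MASK

def _scramble(k1):
    # Per-block mixing, shared by full 4-byte blocks and the 1-3 byte tail.
    k1 = (k1 * _C1) & _MASK
    k1 = _rotl32(k1, 15)
    return (k1 * _C2) & _MASK

def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3 x86_32, returning a signed 32-bit int like mmh3.hash()."""
    h1 = seed & _MASK
    nblocks = len(data) // 4
    for i in range(nblocks):
        h1 ^= _scramble(int.from_bytes(data[4 * i:4 * i + 4], "little"))
        h1 = _rotl32(h1, 13)
        h1 = (h1 * 5 + 0xE6546B64) & _MASK
    tail = data[4 * nblocks:]
    if tail:
        h1 ^= _scramble(int.from_bytes(tail, "little"))
    h1 ^= len(data)
    # Finalisation mix (fmix32).
    h1 ^= h1 >> 16
    h1 = (h1 * 0x85EBCA6B) & _MASK
    h1 ^= h1 >> 13
    h1 = (h1 * 0xC2B2AE35) & _MASK
    h1 ^= h1 >> 16
    return h1 - (1 << 32) if h1 & 0x80000000 else h1

def shodan_favicon_hash(favicon: bytes) -> int:
    """Hash raw favicon bytes the way Shodan does: base64 (with newlines) first."""
    return murmur3_32(base64.encodebytes(favicon))

if __name__ == "__main__":
    # Constructed dummy favicon bytes (an ICO header); use a real file in practice:
    # favicon = open("favicon.ico", "rb").read()
    favicon = b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00\x20\x00" + b"\x00" * 50
    h = shodan_favicon_hash(favicon)
    # Pivot: the same value is searchable in Shodan as http.favicon.hash:<h>.
    print(f"favicon MMH3 hash: {h}  (Shodan query: http.favicon.hash:{h})")
```

Hashing the base64 text rather than the raw bytes is what makes the value match what Shodan indexes; hashing the raw file gives a different number that will not pivot.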
Lastly, you can now also tag hosts and subnets. In itself this doesn’t do much yet, but that will change in the coming weeks. There are interesting changes coming. Think of custom alerts based on specific events and tags, and reports based on specific tags. It will take a while to get this fully functional and you’ll see the new features appear in small steps.
UCEPROTECT blacklists removed due to bad behavior
31 January 2021
ShadowTrackr uses a lot of OSINT blacklists. This is not something you want to do in your internal SIEM without proper tuning. Any reasonably large organization will have users occasionally hitting blacklisted websites, resulting in quite a few false positives.
The purpose of the OSINT blacklists in ShadowTrackr is different: it’s to check if your public websites or mailservers appear on them. That is something you should always want to know.
In the last two weeks, a lot of assets of several different clients turned up on UCEPROTECT blacklists. Often, if an IP or URL is really showing bad behavior, you’ll see it listed on multiple blacklists from multiple organizations. The funny thing about the IPs showing up on UCEPROTECT was that almost all of them did not show up on other blacklists. That is odd.
When I looked into the details, UCEPROTECT showed that entire IP ranges and ASNs were blocked. These ASNs are all owned by decent providers, and it seemed a bit like throwing out the baby with the bathwater.
I contacted one of the ISPs, and they told me that they were on it and trying to work with UCEPROTECT. The problem was that UCEPROTECT charges a hefty fee to get your ASN de-listed. That is, in the words of the ISP, predatory behavior that they will not put up with. And they are right. So, as of now ShadowTrackr has dropped checking assets against UCEPROTECT blacklists.
We still use more than 100 other blacklists, and your assets will very likely show up on those if they misbehave. So, you shouldn’t notice any real difference.