Alerts are back and other site changes

As of today, Canario is now allowing up to five free alerts for all registered users. We are permitting the use of strings with lengths between 4 and 255 characters which will then be matched against objects (both inferred and explicit), sample titles, and sample bodies.

To create an alert, you can go into your account page and add them. An example of what you should expect is here:

Screen Shot 2016-03-20 at 12.05.13

It should be noted that alerts are case sensitive for when expecting keywords within sample bodies or sample titles, but this does not apply to objects.

When you create an alert, you should see examples like the following show up in your account page under “alerts”:

Screen Shot 2016-03-20 at 12.00.23

You can acknowledge an alert as well:

Screen Shot 2016-03-20 at 12.00.49

After 21 days, the alert will cease to show up on the page regardless of whether or not you acknowledge it–they do not get deleted however..

Alerts are created as soon as the Canario analysis engine has completed processing data in a batch job and e-mails are sent almost immediately on each hit.

We’re still working to introduce regular expression-based alerting.

Please let us know if you run into problems with the alerts.

One change we’ve also made is that we’re permitting more characters in usernames. In addition to your standard A-Z, we’re also allowing numbers, and certain special characters (‘@’, ‘-“, ‘_’, and ‘.’ in particular).

New fixes and site update

Last month, Canario underwent a massive upgrade. During this time we noticed some problems that had arisen and as such we had to make some temporary changes in order to address them.

First off, all data from the old Canary website has been fully migrated to the new Canario software. Any data that was in the site before has been fully converted.

Secondly, we had to disable related searches due to performance problems. We are working to address them but you are able to enable them once again if you go into your user options and enable them there. Be forewarned that by enabling them you may see really long delays in retrieving data. You can disable and enable this setting at any time.

Lastly, we’re working to bring back alerts. During data conversion, we ran across a significant problem with the alerting engine and we’re working to fix this. An update will be provided as soon as possible.

A new name and a massive update

If it isn’t clear already, we have decided to rename Canary to Canario! This change comes after a decision to give the service a name that is unique amongst other products with similar names. If you’re a Spanish or Portuguese speaker, the name isn’t quite that different however.

All traffic going from the domain will automatically be redirected indefinitely.

There’s been some cosmetic changes, but what we’re most excited about is an entire overhaul to the software backend! Here’s what we’ve been busy doing the past few months:


One big thing we’ve done away with (temporarily) is keyword-based searching. This was done because we have never been satisfied with the results given by previous iterations of the search engine.

After the Ashley Madison breach, Canario saw thousands of searches per hour and most of them were by those who were not using the bangs (“!email” for example) with mixed results. So because of this we have opted to make it so if you perform a search without a bang it will search within our collection of objects (such as an e-mail, IP address, et cetera), allowing for more accurate results.

This does not mean that we’ve done away with the bang feature as we’ve improved one and added a new one as well.

For those who are interested in IP addresses, we’ve added the ability to perform CIDR notation when searching.

Screen Shot 2016-01-26 at 07.34.45

This means that the following search examples are valid when using the IP (!ip) bang:

  • !ip
  • !ip 10.0.0.
  • !ip

With the second example, it is converted to “” (and if it were to be “10.0” it would become “”). You can only do this from a /32 down to a /16.

One new feature we’ve added is the ability to search by TLD and sub-TLD via the new “!tld” bang.

Screenshot from 2016-01-26 09:26:34

We’ve included all two-letter country TLDs, all original non-country TLDs, and all of the new ones approved by ICANN through to the end of 2015–we will update as we go along of course. Non-Latin TLDs are also supported starting with “XN-“, meaning we cover over 1,000 different TLDs.

On top of that, we also are including sub-TLDs. This means that hosts ending with “” (Government of Canada), “” (State of California), and even services like DynDNS (“”) and Amazon AWS (“”) are included in the search area. There’s almost 10,000 sub-TLDs covered here.

Going back to keyword searching, we do plan to return this feature as a paid option later this year. We will provide more details on this as we go forward but a (sort of) workaround has been made available.

More in-depth analysis

One of the biggest challenges we’ve had with the old software was that it was designed with a different purpose in mind and that over time features were added in that required more work for the database back-end than what was best.

Here’s an example e-mail address:

Under the old software this is what we’d extract:

  • The e-mail address:
  • The hostname:

With the new software, we still extract the the above but we also retrieve the following:

  • All subdomains:
  • The TLD: uk
  • The sub-TLD:
  • The IP address that the original hostname resolves to:

What this allows for you to do is find any item regardless of how you search for it. This permits an organization to find things that may exist within their IP space that do not show up explicitly in our samples.

Under consideration is the extraction of MX records but as it stands right now we’re sticking with just A records.

Here’s one other example using an HTTP link:

Under the old software here’s what we’d get:

Under the new software, we get the above plus much more:

  • All redirects leading up to the end URL:
  • The hostnames from all redirects and URLs:,
  • All TLDs from the hostnames: ly, org
  • All IP addresses from the hostnames:,

We want to make it easier for you to find your data and we hope that making the analysis more in-depth will be helpful.

Better alerts (soon)

Right now we’re re-analyzing all of our samples and as a result we’ve opted to disable outright the alert system until this has been completed. However, you can in the meantime create alerts that will be enabled the moment we have the system ready.

If you have already registered before the transition to the software and enabled alerts based on your e-mail address, this will already be ready to go once the data processing is complete. For any new users going forward, you will need to input this manually but as a new feature, you can now set any object you want as an alert result within Canario.

Screenshot from 2016-01-26 10:10:40

The Canario alert engine will look for these strings within any new sample upon the analysis being completed. For now, we’re only allowing up to five strings but in the future we will be permitting more than five plus the ability to use regular expressions on data that is coming in. As mentioned earlier, more details on this will be forth coming.

We will make an announcement once we’ve completed the data migration.


In addition to everything above, we encourage anyone who is interested to check out our IRC channel on Freenode at #canario.

We’ll provide an update on the data migration progress very soon. There will be some interruptions to service over the coming week or two but the worst of what was needed to be done on our end is over.

Expect service interuptions this weekend

This weekend we’re migrating to a new server and new software. We’ve been spending the past couple of weeks testing the new setup and so far the results have been impressive. As a result of the changes needing to be done, we’re going to start migrating to the new software starting tonight and through to Monday.

Here’s what you should expect over this weekend:

  • Data migration will begin and as a result you may see older results appearing when searching. This will alleviate itself as fast as possible.
  • Interruption with authentication, leading to disruption with use of the API and logging in. This will be the first thing that we’ll resolve.
  • Redirection to a new server. If you have read our earlier post, you’ll have seen that we require those who use the API to prepare for a forced URL redirect.
  • Alerts will cease to work until once we’ve completed the migration. We will announce their return once we’re ready.

All changes will be announced in a follow-up article but we’re really excited here!

Python and Canary’s API

We migrated Canary to a new server and have also placed it behind Cloudflare. Having done so, we have come across a problem where users who use the API may run into problems if they’re using it under Python.

Those of you who use Python 3 should be spared, but the official Canary API Python library was developed with Python 2.7 in mind. If you are running into problems where you’re getting error 500, you’ll want to ensure that all of your Python libraries are up to date and consider reading this StackOverflow question–you’ll want to make sure that none of this will break your existing configuration, et cetera.

Canary’s Recent Issues

As you might have noticed, Canary has had some hiccups in the past few weeks. This has been the result of some hardware problems that lead to the site being knocked offline.

To summarize, we moved Canary from one server to another (it’s running atop of KVM). The new server had a hardware RAID controller as opposed to a software one. For a few weeks, we had no issues until it suddenly gave out, leading to the server believing that the disks had outright disappeared. When this happened, the server was brought back online and a fix was being worked on to prevent this from occurring again–this was the result of a firmware issue within the RAID controller.

Unfortunately, it happened again.

What we’ve done instead is moved Canary back to its original hardware configuration and then had to restore the database as it had become corrupted in the process. It appears that everything is back to normal as of October 21st.

We’re monitoring for now and will update you on any changes. There may be an interruption this upcoming weekend but we will post on the front page if this should happen.