HoneyDB API
HoneyDB API
Access current threat information via the HoneyDB API. The API provides data on active bad hosts, honeypot interaction details, stats, historical data, and various helper endpoints for additional context.
Terms and Conditions
HoneyDB is a community-driven honeypot data aggregation platform. HoneyDB collects and publishes honeypot data via its platform API. Registered HoneyDB users can access the API free of charge for non-commercial uses.
Cases that involve commercialization require a commercial, non-free license. Examples include Managed/Software-as-a-Service services, distributing HoneyDB data as a commercial product, or using/distributing HoneyDB data as a value-added service/product.
For more information about commercial licensing, see our commercial plan offerings - Click here.
HoneyDB makes no guarantees as to the availability of its services (website and APIs). In addition, all information is provided "as is" and HoneyDB disclaims all warranties. All access to the server is logged.
Request Limits
In an effort to provide a stable service, an API request limit needs to be enforced to manage server load. For all non-enterprise and non-commercial users, the request limit is 1500 requests per month. When your account exceeds the request limit, the API will respond with a status code of 429 (Too Many Requests).
If you require more than 1500 requests per month, please see enterprise and commercial plans for more information.
- honeydb-qpm-consumed - The number of queries you have submitted for the month.
- honeydb-qpm-remaining - The number of queries you have remaining for the month.
The HoneyDB API now requires authentication. To call API endpoints, you will need to generate API credentials (api_id and api_key).
To generate credentials, you need to login here. Once logged in, you can generate credentials
here.
To query the API for threat information, you will need to use the Threat Information API key with your HoneyDB API ID. The credentials must
be set as header values in all requests. The headers needed are X-HoneyDb-ApiId and X-HoneyDb-ApiKey.
An example using curl as the HTTP client is as follows:
Visit it here: HoneyDB API Documentation.
Helper Endpoints
Bad Hosts
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
[
{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}
]
Bad Hosts (filtered)
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
[
{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}
]
Bad Hosts By Service
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
[
{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}
]
Bad Hosts By Service (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data, by service name, generated by the sensors you operate.
Only the last 24 hours of bad host data is made available.
https://honeydb.io/api/bad-hosts/<service>/mydata
The response is provided in JSON format and consists of the following fields:
- remote_host - The IP address of the bad host.
- count - The number of connections made by the bad host.
- last_seen - The date of the connection made by the bad host.
[
{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}
]
IP History
IP (bad host) history is a summary of all interaction activity recorded by the HoneyDB network for a given IP address. HoneyDB has IP data going back to 2014.
https://honeydb.io/api/ip-history/<ip address>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service the IP interacted with.
- event_count - The number of events related to interaction activity.
[
{"date": "2019-04-11", "service": "SSH", "event_count": "3377"},
{"date": "2019-04-15", "service": "SSH", "event_count": "71"},
{"date": "2019-04-16", "service": "SSH", "event_count": "1787"},
...
{"date": "2020-12-31", "service": "SSH", "event_count": "1745"}
]
Sensor Data Count (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to retrieve a count of sensor event data collected for a given date.
Only the last 30 days of sensor data is made available.
https://honeydb.io/api/sensor-data/count/mydata
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
The response is provided in JSON format and consists of the following field:
- sensor_data_count - The number of events.
[{"sensor_data_count":"81120"}]
Sensor Data
This endpoint enables you to download all sensor event data collected for a given date. Each call the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.
Only the last 30 days of sensor data is made available.
https://honeydb.io/api/sensor-data
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
- from-id (optional) - The id used as a starting point to retrieve the next 1000 results.
The response is provided in JSON format and consists of the following fields:
-
data - An array of events.
- date - The event date.
- time - The event time.
- millisecond - The event millisecond.
- session - The session id for events.
- protocol - The protocol used to connect (TCP or UDP).
- event - The type of event (CONNECT, RX, TX, INFO).
- service - The service emulated on the sensor.
- remote_host - The host that caused the event.
- data - The payload of the event.
- bytes - The size of the event data in bytes.
- data_hash - The MD5 hash of the event data.
- from_id - The ID of the last event in the results. If you have more than 1000 results for the given date, use the from_id value to query for the next 1000. Repeat this process until from_id is 0 (the data array will also be empty), this means you’ve retrieved all data for the given date.
[
{
"data": [
{
"date": "2017-12-29",
"time": "03:12:28",
"millisecond": "980",
"session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
"protocol": "TCP",
"event": "RX",
"service": "Telnet",
"remote_host": "183.147.39.45",
"data": "6364202f746d70207c7c206364202f76617...22f727",
"bytes": "802",
"data_hash": "211e17b9d6a2565522d107a1e4217a85"
}
]
},
{
"from_id": "68430237"
}
]
Sensor Data (filtered)
If you operate sensors that log data to HoneyDB, this endpoint enables you to download all of your sensor event data collected for a given date. Each call the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.
Only the last 30 days of sensor data is made available.
https://honeydb.io/api/sensor-data/mydata
- sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
- from-id (optional) - The id used as a starting point to retrieve the next 1000 results.
The response is provided in JSON format and consists of the following fields:
-
data - An array of events.
- date - The event date.
- time - The event time.
- millisecond - The event millisecond.
- session - The session id for events.
- protocol - The protocol used to connect (TCP or UDP).
- event - The type of event (CONNECT, RX, TX, INFO).
- service - The service emulated on the sensor.
- remote_host - The host that caused the event.
- data - The payload of the event.
- bytes - The size of the event data in bytes.
- data_hash - The MD5 hash of the event data.
- from_id - The ID of the last event in the results. If you have more than 1000 results for the given date, use the from_id value to query for the next 1000. Repeat this process until from_id is 0 (the data array will also be empty), this means you’ve retrieved all data for the given date.
[
{
"data": [
{
"date": "2017-12-29",
"time": "03:12:28",
"millisecond": "980",
"session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
"protocol": "TCP",
"event": "RX",
"service": "Telnet",
"remote_host": "183.147.39.45",
"data": "6364202f746d70207c7c206364202f76617...22f727",
"bytes": "802",
"data_hash": "211e17b9d6a2565522d107a1e4217a85"
}
]
},
{
"from_id": "68430237"
}
]
Services
Services are the network protocols emulated by honeypot sensors.
Only the last 24 hours of services data is made available.
https://honeydb.io/api/services
The response is provided in JSON format and consists of the following fields:
- service - The name of the service.
- count - The number of events associated with the service name.
[
{
"service": "VNC",
"count": "1702004"
},
{
"service": "SSH",
"count": "177504"
},
{
"service": "SIP",
"count": "147935"
},
{
"service": "Telnet",
"count": "57142"
}
]
Stats
The stats collected from HoneyDB data. Starting from April 2018, this endpoint offers data used to publish the monthly HoneyDB report (example).
https://honeydb.io/api/stats
- year (required) - The year published. Format: YYYY
- month (required) - The month published. Format: MM
The response is provided in JSON format and consists of the following fields:
- period - The month and year the stats were published.
- total_events - Total number of events for the month.
- total_remote_hosts - Total number of remote hosts for the month.
- top_services - Array of the top 10 services for the month by number of events.
{
"period": "June 2020",
"total_events": "170881194",
"total_remote_hosts": "110048",
"top_services": {
"VNC": "136103108",
"SSH": "10157612",
"TFTP": "9531258",
"SIP": "6850356",
"DNS.udp": "2858125",
"Telnet": "2282469",
"RDP": "1031500",
"HTTP": "847191",
"Echo": "396332",
"SMTP": "370009"
}
}
Stats ASN
The list of Autonomous System's (AS) and count of corresponding IP addresses that have interacted with HoneyDB honeypots. The count is based on the last 7 days of activity.
https://honeydb.io/api/stats/asn
The response is provided in JSON format and consists of the following fields:
- asn - The autonomous system number (ASN).
- entity - The entity name.
- count - The number of AS IPs.
[
{
"asn": 14061,
"entity": "DIGITALOCEAN-ASN",
"count": 2828
},
{
"asn": 4134,
"entity": "CHINANET-BACKBONE No.31,Jin-rong Street",
"count": 2001
},
{
"asn": 4837,
"entity": "CHINA169-BACKBONE CHINA UNICOM China169 Backbone",
"count": 1267
}
]
Nodes
Nodes are deployed honeydb-agent sensors. This endpoint returns all nodes that have been seen within the last 3 days.
https://honeydb.io/api/nodes
The response is provided in JSON format and consists of the following fields:
- node - An MD5 sum representing a node.
- country - The country based on IP address.
[
{
"node": "3386e49be694e179a429344f745703d6",
"country": "Canada"
},
{
"node": "83eca3581f1e214473d88c8a11251a4f",
"country": "Private IP"
},
{
"node": "d62eb87ddec830c500142c621b119feb",
"country": "United Kingdom"
}
]
Nodes (filtered)
Nodes are deployed honeydb-agent sensors. This endpoint returns your nodes that have been seen within the last 3 days.
https://honeydb.io/api/nodes/mydata
The response is provided in JSON format and consists of the following fields:
- node - An MD5 sum representing a node.
- country - The country based on IP address.
[
{
"node": "3386e49be694e179a429344f745703d6",
"country": "Canada"
},
{
"node": "83eca3581f1e214473d88c8a11251a4f",
"country": "Private IP"
},
{
"node": "d62eb87ddec830c500142c621b119feb",
"country": "United Kingdom"
}
]
Payload History
BETA Notice:
The payload history endpoints are currently in beta and may change without prior notice. Additionally, the data provided by these endpoints will continue to evolve as part of ongoing efforts in data cleanup, normalization, and expansion.
The payload history endpoints provide insights into HoneyDB's historical honeypot interaction activity, with data dating back to 2014. These endpoints enable users to explore and analyze specific attributes parsed from historical honeypot data. Key capabilities include:
- Discovering payload attributes and their observed values in historical honeypot data.
- Identifying the services associated with specific payload attributes.
- Tracking timelines that detail when particular payload attributes were observed in the HoneyDB honeypot network.
The payload history endpoints allow you to perform the following actions:
- Retrieve all payload attribute histories for a specified year or year-month.
- Get a list of all services from which payload history was extracted.
- Access payload attribute history for a specific service.
- Get the history of a specific payload attribute by its hash.
- List all IP addresses (remote hosts) associated with payload data, grouped by year.
- List all IP addresses (remote hosts) linked to a specific payload attribute hash by year.
- Retrieve all attribute hashes associated with a given IP address (remote host).
- Access a list of all attributes parsed from payload history data.
- Retrieve all hashes and attribute values for a specific attribute.
This endpoint returns all payload data for a given year.
https://honeydb.io/api/payload-history/<year>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
[
{
"date": "2014-05-30",
"service": "HTTP.ALT",
"attribute": "useragent",
"hash": "f8adebbcedfa5797922250e204f277f2",
"value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
},
]
This endpoint returns all payload data for a given year and month.
https://honeydb.io/api/payload-history/<year>/<month>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
[
{
"date": "2014-05-30",
"service": "HTTP.ALT",
"attribute": "useragent",
"hash": "f8adebbcedfa5797922250e204f277f2",
"value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
},
]
This endpoint returns the list of services from which all payload data was extracted from.
https://honeydb.io/api/payload-history/services
The response is provided in JSON format and is a list of all service names.
[
"CLICKHOUSEHTTP",
"DNS",
"DNS.UDP",
"HTTP",
"HTTP.ALT",
"ECHO",
"ECHO.UDP",
"ELASTICSEARCH",
"FTP",
"KUBLETAPI",
"SIP",
"MEMCACHED",
"MODBUS",
"REDIS",
"SMTP",
"TELNET",
"TFTP",
"VNC",
"WEBLOGIC"
]
This endpoint returns all payload data for a given service.
https://honeydb.io/api/payload-history/<service>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
[
{
"date": "2019-08-21",
"service": "REDIS",
"attribute": null,
"hash": "efd7c8e9aa906a97022dbed05369bf6a",
"value": "info\n"
},
]
This endpoint returns all payload data for a given hash.
https://honeydb.io/api/payload-history/<hash>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- service - The service interacted with.
- attribute - If not null, the specific attribute of interaction the payload value is sourced from.
- hash - The MD5 hash of payload value.
- value - The payload value.
[
{
"date": "2017-06-08",
"service": "TELNET",
"attribute": null,
"hash": "084e0343a0486ff05530df6c705c8bb4",
"value": "guest"
},
]
This endpoint returns all remote hosts from which payload data was extracted, grouped by year.
https://honeydb.io/api/payload-history/remote-hosts
The response is provided in JSON format and consists of the following fields:
- <year> - The year, starting from 2014.
- <remote hosts> - Array of remote hosts.
{
"2014": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...],
"2015": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...]
...
}
This endpoint returns all remote hosts for a given hash and year.
https://honeydb.io/api/payload-history/<hash>/remote-hosts/<year>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- remote_host - The remote host.
[
{
"date": "2017-06-08",
"remote_host": "1.6.176.157",
},
]
This endpoint returns all payload data hashes for a given remote host.
https://honeydb.io/api/payload-history/remote-hosts/<remote host>
The response is provided in JSON format and consists of the following fields:
- date - The date (day) the interaction was recorded.
- hash - The payload data hash.
[
{
"date": "2016-01-15",
"hash": "59676a6e51135fc7a38c24682c617503"
},
{
"date": "2016-01-15",
"hash": "63a44ffb31b1f2f78dc4028c2ff36106"
},
{
"date": "2016-01-15",
"hash": "6666cd76f96956469e7be39d750cc7d9"
},
{
"date": "2016-01-15",
"hash": "7528035a93ee69cedb1dbddb2f0bfcc8"
},
{
"date": "2016-01-15",
"hash": "c4408d335012a56ff58937d78050efad"
}
]
This endpoint returns the list of specific attributes extracted from all payload data.
https://honeydb.io/api/payload-history/attributes
The response is provided in JSON format and is a list of all attribute names.
[
"http-header",
"http-path",
"http-scheme",
"http-host",
"http-version",
"http-user-agent",
"http-method",
"http-query",
"domain",
"remote-frame-buffer",
"sip-header",
"sip-method",
"sip-header-user-agent",
...
]
This endpoint returns all attribute values for a given attribute name.
https://honeydb.io/api/payload-history/attributes/<attribute name>
The response is provided in JSON format and consists of the following fields:
- hash - The payload data hash.
- value - The attribute value.
[
{
"hash": "a5ecd7e3ca14fcb38a69343d1d47985a",
"value": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
},
{
"hash": "1cba7d39a7293c7e1de4e3333c3242f4",
"value": "Mozilla/3.0 (compatible; Indy Library)"
},
{
"hash": "55f9ce2b352fbe0f623b0a9513252de5",
"value": "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
},
{
"hash": "080ce9f58739390cf4d36e1e3b8eab1d",
"value": "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
},
...
]
Internet Scanner
Indicates if the IP provided is part of a known Internet scanning service. These services are typically not malicious.
Internet Scanner
Returns true or false to indicate if the IP provided is part of a known Internet scanning service.
https://honeydb.io/api/internet-scanner/<ip address>
The response is provided in JSON format.
{
"internet_scanner": true
}
Internet Scanner Info
Returns true or false to indicate if the IP provided is part of a known Internet scanning service as well as additional information about the scanning entity.
https://honeydb.io/api/internet-scanner/info/<ip address>
The response is provided in JSON format.
{
"domain": "shadowserver.org",
"name": "The Shadow Server Foundation",
"url": "https://www.shadowserver.org/",
"published_ip_list": [],
"internet_scanner": true
}
IP Info
Provides additional context on a given IP. This data is collected from publicly available sources.
IP Info
Returns true or false to indicate if the IP provided is part of a known IP list. The current set of IP lists include: Bogon IP, Tor exit nodes, SANS IP, CIArmy, Emerging Threats Compromised IP, and Project Honeypot.
https://honeydb.io/api/ipinfo/<ip address>
The response is provided in JSON format.
{
"is_bogon": false,
"is_tor": false,
"is_threat": true,
"threat_lists": {
"is_sansip": false,
"is_ciarmy": true,
"is_et_compromised": false,
"is_project_honeypot": false
}
}
IP Info Bogon
Returns true or false to indicate if the IP provided is bogon IP address.
https://honeydb.io/api/ipinfo/bogon/<ip address>
The response is provided in JSON format.
IP Info Tor
Returns true or false to indicate if the IP provided is a Tor exit node.
https://honeydb.io/api/ipinfo/tor/<ip address>
The response is provided in JSON format.
{
"is_tor": false
}
Net Info
Convenient helper endpoint for IP enrichment data. Use this endpoint to get addtional data related to an IP address.
Calls to NetInfo endpoints do not count against monthly limits.
Lookup
https://honeydb.io/api/lookup/<ip address>
The response is provided in JSON format.
{
"as_name": "GOOGLE - Google LLC, US",
"as_num": 15169,
"city": null,
"country_iso": "US",
"country_name": "United States",
"ip": "8.8.8.8",
"ip_hex": "0x8080808",
"ip_version": 4,
"latitude": 37.751,
"longitude": -97.822,
"network": "8.8.8.0/24",
"network_broadcast": "8.8.8.255",
"network_hostmask": "0.0.0.255",
"network_netmask": "255.255.255.0",
"network_size": 256,
"postal_code": null,
"region_iso": null,
"region_name": null
}
Network Addresses
Returns all IP addresses as part of a network range.
https://honeydb.io/api/netinfo/network-addresses/<cidr>
The response is provided in JSON format.
{
"cidr": "8.8.8.8/24",
"network_addresses": [
"8.8.8.0",
"8.8.8.1",
"8.8.8.2",
...
"8.8.8.253",
"8.8.8.254",
"8.8.8.255"
],
"network_size": 256
}
Prefixes
Returns all prefixes advertised for a specific AS network.
https://honeydb.io/api/netinfo/prefixes/<asn>
The response is provided in JSON format.
{
"as_num": 15169,
"count": 493,
"prefixes": [
"104.134.92.0/24",
"34.104.0.0/14",
"104.154.224.0/19",
...
"64.233.162.0/24",
"64.233.182.0/24",
"209.85.233.0/24"
]
}
AS Name
Returns the name of the AS network.
https://honeydb.io/api/netinfo/as-name/<asn>
{
"as_name": "GOOGLE - Google LLC, US",
"as_num": "15169"
}
Geo Location
Returns geolocation information for an IP address.
https://honeydb.io/api/netinfo/geolocation/<ip address>
{
"city": null,
"country_iso": "US",
"country_name": "United States",
"latitude": 37.751,
"longitude": -97.822,
"postal_code": null,
"region_iso": null,
"region_name": null
}
Datacenter
AWS
Returns AWS IP ranges.
https://honeydb.io/api/datacenter/aws
Azure
Returns Azure IP ranges.
https://honeydb.io/api/datacenter/azure
Azure China
Returns Azure China IP ranges.
https://honeydb.io/api/datacenter/azure/china
Azure Germany
Returns Azure Germany IP ranges.
https://honeydb.io/api/datacenter/azure/germany
Azure Gov
Returns Azure Gov IP ranges.
https://honeydb.io/api/datacenter/azure/gov
Google Cloud
Returns Google Cloud IP ranges.
https://honeydb.io/api/datacenter/gcp
IBM Cloud
Returns IBM Cloud IP ranges.
https://honeydb.io/api/datacenter/ibm
Oracle Cloud
Returns Oracle Cloud IP ranges.
https://honeydb.io/api/datacenter/oracle
API Clients
Postman hosted API docs
Logstash - 
Splunk - 
ThreatQuotient - Below are some API clients that have been developed by the community to interact with HoneyDB APIs.:
- Mimir - OSINT Threat Intel Interface
- Data Pull Script - Simple bash script to run the more popular curl commands for HoneyDB