HoneyDB
             
Threat Information API

Access
Access current threat information via the HoneyDB Threat Information API.
Threat Information Endpoints

Helper endpoints
API Tools

Postman hosted API docs

Also see API Clients on the downloads page.
Terms and Conditions

HoneyDB is a community driven honeypot data aggregation platform. HoneyDB collects and publishes honeypot data via its platform API. Registered HoneyDB users can access the API free of charge for non-commercial uses.

Cases that involve commercialization require a commercial, non-free license. Cases of commercialization include but are not limited to:
  • Managed/Software-as-a-Service services.
  • Distributing HoneyDB data as a commercial product or as part of one.
  • Using or distributing HoneyDB data as a value added service/product.
For more information about commercial licensing, see our commercial plan offerings. click here.

HoneyDB makes no guarantees as to the availability of its services (web site and APIs). In addition, all information is provided "as is" and HoneyDB disclaims all warranties. All access to the server is logged.

Request Limits

In an effort to provide a stable service, an API request limit needs to be enforced to manage server load. For all non-enterprise and non-commercial users the request limit is 1500 requests per month. When you're account has exceeded the request limit the API will respond with a status code of 429 (Too Many Requests).

If you require more than 1500 requests per month, please see enterprise and commercial plans for more information.

API query responses include two headers to provide usage status:
  • honeydb-qpm-consumed - The number of queries you have submitted for the month.
  • honeydb-qpm-remaining - The number of queries you have remaining for the month.
API Authentication

The HoneyDB API now requires authentication. To call API endpoints you will need to generate API credentials (apid_id and apid_key). To genereate credentails you will need to login here. Once logged in you can generate credentials here.

To query the API for threat information you will need to use the Threat Information API key with your HoneyDB API ID. The credentials must be set as header values in all requests. The headers needed are X-HoneyDb-ApiId and X-HoneyDb-ApiKey.

An example using curl as the HTTP client is as follows: 
curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
        --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
        https://honeydb.io/api/bad-hosts
Bad Hosts

A bad host is a host on the Internet that has connected or attempted to connect to one of the honeypots that feed data to HoneyDB. In general, there is no legitimate reason for any host to connect to these honeypots. So those that do can be considered bad, and a potential threat. If you see connectivity from any of these hosts on your network it may be malicious and may require some investigation.

Only the last 24 hours of bad host data is made available.

URL:

https://honeydb.io/api/bad-hosts

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
        --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
        https://honeydb.io/api/bad-hosts

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date of the connection made by the bad host.

Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]
Bad Hosts (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data generated by the sensors you operate.

Only the last 24 hours of bad host data is made available.

URL:

https://honeydb.io/api/bad-hosts/mydata

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/bad-hosts/mydata

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date of the connection made by the bad host.

Example Response:
[{"remote_host":"121.183.78.86","count":"203","last_seen":"2015-09-07"},
{"remote_host":"117.12.127.121","count":"203","last_seen":"2015-09-07"},
...
{"remote_host":"60.3.51.115","count":"203","last_seen":"2015-09-07"}]
Bad Hosts By Service

Retreive bad hosts by service name.

Only the last 24 hours of bad host data is made available.

URL:

https://honeydb.io/api/bad-hosts/<service>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/bad-hosts/VNC

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date of the connection made by the bad host.

Example Response:
[{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}]
Bad Hosts By Service (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to download bad-host data, by service name, generated by the sensors you operate.

Only the last 24 hours of bad host data is made available.

URL:

https://honeydb.io/api/bad-hosts/<service>/mydata

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/bad-hosts/VNC/mydata

The response is provided in JSON format and consists of the following fields:
  • remote_host - The IP address of the bad host.
  • count - The number of connections made by the bad host.
  • last_seen - The date of the connection made by the bad host.

Example Response:
[{"remote_host": "185.153.198.197", "count": "393819", "last_seen": "2019-10-09"},
{ "remote_host": "185.153.197.251", "count": "365181", "last_seen": "2019-10-10"},
...
{"remote_host": "199.195.251.84", "count": "1", "last_seen": "2019-10-09"}]
IP History

IP (bad host) history is a summary of all interaction activity recorded by the HoneyDB network for a given IP address. HoneyDB has IP data going back to 2014.

URL:

https://honeydb.io/api/ip-history/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ip-history/218.92.0.208

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • service - The service the IP interacted with.
  • even_count - The number of events related to interaction activity.

Example Response:
[{"date": "2019-04-11", "service": "SSH", "event_count": "3377"},
{"date": "2019-04-15", "service": "SSH", "event_count": "71"},
{"date": "2019-04-16", "service": "SSH", "event_count": "1787"},
...
{"date": "2020-12-31", "service": "SSH", "event_count": "1745"}]
Sensor Data Count (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to retrieve a count of sensor event data collected for a given date.

Only the last 30 days of sensor data is made available.

URL:

https://honeydb.io/api/sensor-data/count/mydata

Parameters:
  • sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/sensor-data/count/mydata?sensor-data-date=<date>

The response is provided in JSON format and consists of the following field:
  • sensor_data_count - The number of events.

Example Response:
[{"sensor_data_count":"81120"}]
Sensor Data

This endpoint enables you to download all sensor event data collected for a given date. Each call the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.

Only the last 30 days of sensor data is made available.

URL:

https://honeydb.io/api/sensor-data

Parameters:
  • sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
  • from-id (optional) - The id used as a starting point to retrieve the next 1000 results.

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/sensor-data/mydata?sensor-data-date=<date>&from-id=<from-id>

The response is provided in JSON format and consists of the following fields:
  • data - An array of events.
    • date - The event date.
    • time - The event time.
    • millisecond - The event millisecond.
    • session - The session id for events.
    • protocol - The protocol used to connect (TCP or UDP).
    • event - The type of event (CONNECT, RX, TX, INFO).
    • service - The service emulated on the sensor.
    • remote_host - The host that caused the event.
    • data - The payload the event.
    • bytes - The size of the event data in bytes.
    • data_hash - The MD5 hash of the event data.
  • from_id - The ID of the last event in the results. If you have more than 1000 results for the given date, use the from_id value to query for the next 1000. Repeat this process until from_id is 0 (the data array will also be empty), this means you’ve retrieved all data for the given date.

Example Response:
[
    {
        "data": [

    {
                "date": "2017-12-29",
                "time": "03:12:28",
                "millisecond": "980",
                "session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
                "protocol": "TCP",
                "event": "RX",
                "service": "Telnet",
                "remote_host": "183.147.39.45",
                "data": "6364202f746d70207c7c206364202f76617...22f727",
                "bytes": "802",
                "data_hash": "211e17b9d6a2565522d107a1e4217a85"
            }
        ]
    },
    {
        "from_id": "68430237"
    }
]
Sensor Data (filtered)

If you operate sensors that log data to HoneyDB, this endpoint enables you to download all of your sensor event data collected for a given date. Each call the endpoint will return a maximum of 1000 records. To retrieve the next set of 1000 records, specify the from-id value from the previous result set.

Only the last 30 days of sensor data is made available.

URL:

https://honeydb.io/api/sensor-data/mydata

Parameters:
  • sensor-data-date (required) - The date on which to count events. Format: YYYY-MM-DD
  • from-id (optional) - The id used as a starting point to retrieve the next 1000 results.

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/sensor-data/mydata?sensor-data-date=<date>&from-id=<from-id>

The response is provided in JSON format and consists of the following fields:
  • data - An array of events.
    • date - The event date.
    • time - The event time.
    • millisecond - The event millisecond.
    • session - The session id for events.
    • protocol - The protocol used to connect (TCP or UDP).
    • event - The type of event (CONNECT, RX, TX, INFO).
    • service - The service emulated on the sensor.
    • remote_host - The host that caused the event.
    • data - The payload the event.
    • bytes - The size of the event data in bytes.
    • data_hash - The MD5 hash of the event data.
  • from_id - The ID of the last event in the results. If you have more than 1000 results for the given date, use the from_id value to query for the next 1000. Repeat this process until from_id is 0 (the data array will also be empty), this means you’ve retrieved all data for the given date.

Example Response:
[
    {
        "data": [

    {
                "date": "2017-12-29",
                "time": "03:12:28",
                "millisecond": "980",
                "session": "583d7e20-eb65-11e7-bde4-00163e008b1e",
                "protocol": "TCP",
                "event": "RX",
                "service": "Telnet",
                "remote_host": "183.147.39.45",
                "data": "6364202f746d70207c7c206364202f76617...22f727",
                "bytes": "802",
                "data_hash": "211e17b9d6a2565522d107a1e4217a85"
            }
        ]
    },
    {
        "from_id": "68430237"
    }
]
Services

Services are the network protocols emulated by honeypot sensors.

Only the last 24 hours of services data is made available.

URL:

https://honeydb.io/api/services

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/services

The response is provided in JSON format and consists of the following field:
  • service - The name of the service.
  • count - The number of events associated with the service name.

Example Response:
[
    {
        "service": "VNC",
        "count": "1702004"
    },
    {
        "service": "SSH",
        "count": "177504"
    },
    {
        "service": "SIP",
        "count": "147935"
    },
    {
        "service": "Telnet",
        "count": "57142"
    }
]
Stats

The stats collected from HoneyDB data. Starting from April 2018, this endpoint offers data used to publish the monthly HoneyDB report (example).

URL:

https://honeydb.io/api/stats

Parameters:
  • year (required) - The year published. Format: YYYY
  • month (required) - The month published. Format: MM

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/stats?year=2020&month=06

The response is provided in JSON format and consists of the following fields:
  • period - The month and year the stats were published.
  • total_events - Total number of events for the month.
  • total_remote_hosts - Total number of remote hosts for the month.
  • top_services - Array of the top 10 services for the month by number of events.

Example Response:
                    {
    "period": "June 2020",
    "total_events": "170881194",
    "total_remote_hosts": "110048",
    "top_services": {
        "VNC": "136103108",
        "SSH": "10157612",
        "TFTP": "9531258",
        "SIP": "6850356",
        "DNS.udp": "2858125",
        "Telnet": "2282469",
        "RDP": "1031500",
        "HTTP": "847191",
        "Echo": "396332",
        "SMTP": "370009"
    }
}
Stats ASN

The list of Autonomus System's (AS) and count of corresponding IP addresses that have interacted with HoneyDB honeypots. The count is based on the last 7 days of activity.

URL:

https://honeydb.io/api/stats/asn

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/stats/asn

The response is provided in JSON format and consists of the following fields:
  • asn - The autonomous system number (ASN).
  • entity - The entity name.
  • count - The number of AS IPs.

Example Response:
[
    {
        "asn": 14061,
        "entity": "DIGITALOCEAN-ASN",
        "count": 2828
    },
    {
        "asn": 4134,
        "entity": "CHINANET-BACKBONE No.31,Jin-rong Street",
        "count": 2001
    },
    {
        "asn": 4837,
        "entity": "CHINA169-BACKBONE CHINA UNICOM China169 Backbone",
        "count": 1267
    },
]
Nodes

Nodes are deployed honeydb-agent sensors. This endpoint returns all nodes that have been seen within the last 3 days.

URL:

https://honeydb.io/api/nodes

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/nodes

The response is provided in JSON format and consists of the following field:
  • node - An MD5 sum representing a node.
  • country - The country based on IP address.

Example Response:
[
    {
        "node": "3386e49be694e179a429344f745703d6",
        "country": "Canada"
    },
    {
        "node": "83eca3581f1e214473d88c8a11251a4f",
        "country": "Private IP"
    },
    {
        "node": "d62eb87ddec830c500142c621b119feb",
        "country": "United Kingdom"
    }
]
Nodes (filtered)

Nodes are deployed honeydb-agent sensors. This endpoint returns your nodes that have been seen within the last 3 days.

URL:

https://honeydb.io/api/nodes/mydata

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/nodes/mydata

The response is provided in JSON format and consists of the following field:
  • node - An MD5 sum representing a node.
  • country - The country based on IP address.

Example Response:
[
    {
        "node": "3386e49be694e179a429344f745703d6",
        "country": "Canada"
    },
    {
        "node": "83eca3581f1e214473d88c8a11251a4f",
        "country": "Private IP"
    },
    {
        "node": "d62eb87ddec830c500142c621b119feb",
        "country": "United Kingdom"
    }
]
Payload History

BETA - Payload history endpoints are in beta and may change without notice. In addition, data provided by these endpoints will evolve as data clean up, data normalization, and expansion of the data is ongoing.

Payload history endpoints provide insights into HoneyDB's historical honeypot interaction activity data as far back as 2014.

Summary of what the set of payload history endpoints provides:
  1. Get all payload data for a given year or year-month
  2. Get the list of all services from which payload history was extracted from
  3. Get all payload data for a given service
  4. Get all payload data for a given payload data hash
  5. Get the list of all IP addresses (remote hosts) associated with payload data grouped by year
  6. Get the list of all remote hosts associated with a payload data hash by year
  7. Get all payload data hashes for a give remote host
  8. Get the list of all attributes parsed out of payload history data
  9. Get all hashes and attribute values for a given attribute


Payload data by year
This endpoint returns all payload data for a given year.

URL:

https://honeydb.io/api/payload-history/<year>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/2014

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • service - The service interacted with.
  • attribute - If not null, the specific attribute of interaction the payload value is sourced from.
  • hash - The MD5 hash of payload value.
  • value - The payload value.

Example Response:
[
    ...
    {
        "date": "2014-05-30",
        "service": "HTTP.ALT",
        "attribute": "useragent",
        "hash": "f8adebbcedfa5797922250e204f277f2",
        "value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
    },
    {
        "date": "2014-11-16",
        "service": "HTTP.ALT",
        "attribute": "method",
        "hash": "7528035a93ee69cedb1dbddb2f0bfcc8",
        "value": "GET"
    },
    {
        "date": "2014-08-10",
        "service": "TELNET",
        "attribute": null,
        "hash": "072b1847d9f4194b1f049e1d2947c578",
        "value": "chmod\r"
    },
    {
        "date": "2014-01-05",
        "service": "HTTP.ALT",
        "attribute": "version",
        "hash": "68318e5604cfae075e15b8d83850d982",
        "value": "HTTP/1.1"
    },
    ...
]
Payload data by year and month
This endpoint returns all payload data for a given year and month.

URL:

https://honeydb.io/api/payload-history/<year>/<month>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/2014/05

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • service - The service interacted with.
  • attribute - If not null, the specific attribute of interaction the payload value is sourced from.
  • hash - The MD5 hash of payload value.
  • value - The payload value.

Example Response:
[
    ...
    {
        "date": "2014-05-30",
        "service": "HTTP.ALT",
        "attribute": "useragent",
        "hash": "f8adebbcedfa5797922250e204f277f2",
        "value": "curl/7.15.5 (x86_64-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5"
    },
    ...
]
Services
This endpoint returns the list of services from which all payload data was extracted from.

URL:

https://honeydb.io/api/payload-history/services

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/services

The response is provided in JSON format and is a list of all service names.

Example Response:
[
    "CLICKHOUSEHTTP",
    "DNS",
    "DNS.UDP",
    "HTTP",
    "HTTP.ALT",
    "ECHO",
    "ECHO.UDP",
    "ELASTICSEARCH",
    "FTP",
    "KUBLETAPI",
    "SIP",
    "MEMCACHED",
    "MODBUS",
    "REDIS",
    "SMTP",
    "TELNET",
    "TFTP",
    "VNC",
    "WEBLOGIC"
]
Payload data by service
This endpoint returns all payload data for a given service.

URL:

https://honeydb.io/api/payload-history/<service>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/REDIS

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • service - The service interacted with.
  • attribute - If not null, the specific attribute of interaction the payload value is sourced from.
  • hash - The MD5 hash of payload value.
  • value - The payload value.

Example Response:
[
    ...
    {
        "date": "2019-08-21",
        "service": "REDIS",
        "attribute": null,
        "hash": "efd7c8e9aa906a97022dbed05369bf6a",
        "value": "info\n"
    },
    ...
]
Payload data by hash
This endpoint returns all payload data for a given hash.

URL:

https://honeydb.io/api/payload-history/<hash>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/084e0343a0486ff05530df6c705c8bb4

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • service - The service interacted with.
  • attribute - If not null, the specific attribute of interaction the payload value is sourced from.
  • hash - The MD5 hash of payload value.
  • value - The payload value.

Example Response:
[
    ...
    {
        "date": "2017-06-08",
        "service": "TELNET",
        "attribute": null,
        "hash": "084e0343a0486ff05530df6c705c8bb4",
        "value": "guest"
    },
    ...
]
Remote hosts by year
This endpoint returns all remote hosts from which payload data was extracted, grouped by year.

URL:

https://honeydb.io/api/payload-history/remote-hosts

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/remote-hosts

The response is provided in JSON format and consists of the following fields:
  • <year> - The year, starting from 2014.
  • <remote hosts> - Array of remote hosts.

Example Response:
{
    "2014": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...],
    "2015": ["1.177.63.23", "1.177.9.13", "1.179.153.202",...]
    ...
}
Remote hosts by hash and year
This endpoint returns all remote hosts for a given hash and year.

URL:

https://honeydb.io/api/payload-history/<hash>/remote-hosts/<year>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/084e0343a0486ff05530df6c705c8bb4/remote-hosts/2019

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • remote_host - The remote host.

Example Response:
[
    ...
    {
        "date": "2017-06-08",
        "remote_host": "1.6.176.157",
    },
    ...
]
Payload data hashes by remote host
This endpoint returns all payload data hashes for a given remote host.

URL:

https://honeydb.io/api/payload-history/remote-hosts/<remote host>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/remote-hosts/80.241.222.98

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • hash - The payload data hash.

Example Response:
[
    {
        "date": "2016-01-15",
        "hash": "59676a6e51135fc7a38c24682c617503"
    },
    {
        "date": "2016-01-15",
        "hash": "63a44ffb31b1f2f78dc4028c2ff36106"
    },
    {
        "date": "2016-01-15",
        "hash": "6666cd76f96956469e7be39d750cc7d9"
    },
    {
        "date": "2016-01-15",
        "hash": "7528035a93ee69cedb1dbddb2f0bfcc8"
    },
    {
        "date": "2016-01-15",
        "hash": "c4408d335012a56ff58937d78050efad"
    }
]
Attributes
This endpoint returns the list of specific attributes extracted from all payload data.

URL:

https://honeydb.io/api/payload-history/attributes

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/attributes

The response is provided in JSON format and is a list of all attribute names.

Example Response:
[
    "http-header",
    "http-path",
    "http-scheme",
    "http-host",
    "http-version",
    "http-user-agent",
    "http-method",
    "http-query",
    "domain",
    "remote-frame-buffer",
    "sip-header",
    "sip-method",
    "sip-header-user-agent",
    ...
]
Attribute Values
This endpoint returns all attribute values for a given attribute name.

URL:

https://honeydb.io/api/payload-history/attributes/<attribute name>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/payload-history/attributes/http-user-agent

The response is provided in JSON format and consists of the following fields:
  • date - The date (day) the interaction was recorded.
  • value - The attribute value.

Example Response:
    [
        ...
        {
            "hash": "a5ecd7e3ca14fcb38a69343d1d47985a",
            "value": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
        },
        {
            "hash": "1cba7d39a7293c7e1de4e3333c3242f4",
            "value": "Mozilla/3.0 (compatible; Indy Library)"
        },
        {
            "hash": "55f9ce2b352fbe0f623b0a9513252de5",
            "value": "Mozilla/4.0 (compatible; MSIE 4.01; Mac_PowerPC)"
        },
        {
            "hash": "080ce9f58739390cf4d36e1e3b8eab1d",
            "value": "Opera/6.x (Linux 2.4.8-26mdk i686; U) [en]"
        },
        ...
    ]
Internet Scanner

Indicates if the IP provided is part of a known Internet scanning service. These services are typically not malicious

Internet Scanner
Returns true or false to indicate if the IP provided is part of a known Internet scanning service.

URL:

https://honeydb.io/api/internet-scanner/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/internet-scanner/65.49.20.67

The response is provided in JSON format.

Example Response:
{
    "internet_scanner": true
}

Internet Scanner Info
Returns true or false to indicate if the IP provided is part of a known Internet scanning service as well as additional information about the scanning entity.

URL:

https://honeydb.io/api/internet-scanner/info/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/internet-scanner/info/65.49.20.67

The response is provided in JSON format.

Example Response:
{
    "domain": "shadowserver.org",
    "name": "The Shadow Server Foundation",
    "url": "https://www.shadowserver.org/",
    "published_ip_list": [],
    "internet_scanner": true
}
IP Info

Provides additional context on a given IP. This data is collected from publicly available sources.

IP Info
Returns true or false to indicate if the IP provided is part of a known IP list. The current set of IP lists include: Bogon IP, Tor exit nodes, SANS IP, CIArmy, Emerging Threats Compromised IP, and Project Honeypot.

URL:

https://honeydb.io/api/ipinfo/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/65.49.20.67

The response is provided in JSON format.

Example Response:
{
    "is_bogon": false,
    "is_tor": false,
    "is_threat": true,
    "threat_lists": {
        "is_sansip": false,
        "is_ciarmy": true,
        "is_et_compromised": false,
        "is_project_honeypot": false
    }
}

IP Info Bogon
Returns true or false to indicate if the IP provided is bogon IP address.

URL:

https://honeydb.io/api/ipinfo/bogon/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/bogon/192.168.1.1

The response is provided in JSON format.

Example Response:
{
    "is_bogon": true
}

IP Info Tor
Returns true or false to indicate if the IP provided is a Tor exit node.

URL:

https://honeydb.io/api/ipinfo/tor/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/tor/65.49.20.67

The response is provided in JSON format.

Example Response:
{
    "is_tor": false
}

IP Info SANS IP
Returns true or false to indicate if the IP provided is on the SANS IP list, all data from the SANS IP list, and data from the SANS Intel list.

URL:

https://honeydb.io/api/ipinfo/sansip/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/sansip/218.92.0.198

The response is provided in JSON format.

Example Response:
{
    "is_sansip": true,
    "attacks": 982,
    "count": 290664,
    "firstseen": "2020-12-31",
    "lastseen": "2021-02-01",
    "sansintel": {
        "is_sansintel": true,
        "intel": "blocklistde22"
    }
}

IP Info CI Army
Returns true or false to indicate if the IP provided is on the CINS Army List.

URL:

https://honeydb.io/api/ipinfo/ciarmy/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/ciarmy/1.189.88.70

The response is provided in JSON format.

Example Response:
{
    "is_ciarmy": true
}

IP Info Emerging Threats Compromised
Returns true or false to indicate if the IP provided is on the Emerging Threats Compromised IP list.

URL:

https://honeydb.io/api/ipinfo/et-compromised/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/et-compromised/1.189.88.70

The response is provided in JSON format.

Example Response:
{
    "is_et_compromised": false
}

IP Info Project Honeypot
Returns true or false to indicate if the IP provided is on the Project Honeypot list and additional threat data.

URL:

https://honeydb.io/api/ipinfo/project-honeypot/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/ipinfo/project-honeypot/134.119.219.71

The response is provided in JSON format.

Example Response:
{
    "is_project_honeypot": true,
    "answer": "127.1.67.5",
    "days": "1",
    "threat": "67 (Under 1,000,000)",
    "type": "Suspicious & Comment Spammer"
}
Net Info

Convenient helper endpoint for IP enrichment data. Use this endpoint to get addtional data related to an IP address. This functionality is provided using https://github.com/9b/netinfo.

Calls to NetInfo endpoints do not count against monthly limits.

Lookup
Returns AS, network information and geolocation for an IP address.

URL:

https://honeydb.io/api/lookup/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/netinfo/lookup/8.8.8.8

The response is provided in JSON format.

Example Response:
{
    "as_name": "GOOGLE - Google LLC, US",
    "as_num": 15169,
    "city": null,
    "country_iso": "US",
    "country_name": "United States",
    "ip": "8.8.8.8",
    "ip_hex": "0x8080808",
    "ip_version": 4,
    "latitude": 37.751,
    "longitude": -97.822,
    "network": "8.8.8.0/24",
    "network_broadcast": "8.8.8.255",
    "network_hostmask": "0.0.0.255",
    "network_netmask": "255.255.255.0",
    "network_size": 256,
    "postal_code": null,
    "region_iso": null,
    "region_name": null
}

Network Addresses
Returns all IP addresses as part of a network range.

URL:

https://honeydb.io/api/netinfo/network-addresses/<cidr>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/netinfo/network-addresses/8.8.8.8/24

The response is provided in JSON format.

Example Response:
{
    "cidr": "8.8.8.8/24",
    "network_addresses": [
        "8.8.8.0",
        "8.8.8.1",
        "8.8.8.2",
        ...
        "8.8.8.253",
        "8.8.8.254",
        "8.8.8.255"
    ],
    "network_size": 256
}

Prefixes
Returns all prefixes advertised for a specific AS network.

URL:

https://honeydb.io/api/netinfo/prefixes/<asn>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/netinfo/prefixes/15169

The response is provided in JSON format.

Example Response:
{
    "as_num": 15169,
    "count": 493,
    "prefixes": [
        "104.134.92.0/24",
        "34.104.0.0/14",
        "104.154.224.0/19",
        ...
        "64.233.162.0/24",
        "64.233.182.0/24",
        "209.85.233.0/24"
    ]
}

AS Name
Returns the name of the AS network.

URL:

https://honeydb.io/api/netinfo/as-name/<asn>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/netinfo/as-name/15169

The response is provided in JSON format.

Example Response:
{
    "as_name": "GOOGLE - Google LLC, US",
    "as_num": "15169"
}

Geo Location
Returns geolocation information for an IP address.

URL:

https://honeydb.io/api/netinfo/geolocation/<ip address>

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/netinfo/geolocation/8.8.8.8

The response is provided in JSON format.

Example Response:
{
    "city": null,
    "country_iso": "US",
    "country_name": "United States",
    "latitude": 37.751,
    "longitude": -97.822,
    "postal_code": null,
    "region_iso": null,
    "region_name": null
}
Datacenter

AWS
Returns AWS IP ranges.

URL:

https://honeydb.io/api/datacenter/aws

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/aws

Azure
Returns Azure IP ranges.

URL:

https://honeydb.io/api/datacenter/azure

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/azure

Azure China
Returns Azure China IP ranges.

URL:

https://honeydb.io/api/datacenter/azure/china

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/azure/china

Azure Germany
Returns Azure Germany IP ranges.

URL:

https://honeydb.io/api/datacenter/azure/germany

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/azure/germany

Azure Gov
Returns Azure Gov IP ranges.

URL:

https://honeydb.io/api/datacenter/azure/gov

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/azure/gov

Google Cloud
Returns Google Cloud IP ranges.

URL:

https://honeydb.io/api/datacenter/gcp

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/gcp

IBM Cloud
Returns IBM Cloud IP ranges.

URL:

https://honeydb.io/api/datacenter/ibm

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/ibm

Oracle Cloud
Returns Oracle Cloud IP ranges.

URL:

https://honeydb.io/api/datacenter/oracle

Example Request:

curl --header "X-HoneyDb-ApiId: <enter your api_id here>" \
    --header "X-HoneyDb-ApiKey: <enter your api_key here>" \
    https://honeydb.io/api/datacenter/oracle

© 2024 Deception Logic, Inc. - Terms of Service | Privacy |
home  Home
memory  Hosts
dns  Services
build  Deploy
code  Threat API
gps_fixed  Monitors
list  Plans
favorite_border  Sponsors
pie_chart  Stats
cloud_download  Downloads
account_circle  User
grain  Agents
error_outline  Status
contact_support  About